📅 最后修改于: 2020-11-28 14:05:46 🧑 作者: Mango
DynamoDB API提供了大量操作,这些操作需要权限。在设置权限时,必须建立允许的操作,允许的资源以及每个操作的条件。
您可以在策略的“操作”字段中指定操作。在策略的“资源”字段中指定资源值。但是,请确保使用正确的语法,并在API操作中使用Dynamodb:前缀。
例如-dynamodb:CreateTable
您还可以使用条件键来过滤权限。
仔细查看下表中给出的API操作和相关权限-
| API Operation | Necessary Permission |
|---|---|
| BatchGetItem | dynamodb:BatchGetItem |
| BatchWriteItem | dynamodb:BatchWriteItem |
| CreateTable | dynamodb:CreateTable |
| DeleteItem | dynamodb:DeleteItem |
| DeleteTable | dynamodb:DeleteTable |
| DescribeLimits | dynamodb:DescribeLimits |
| DescribeReservedCapacity | dynamodb:DescribeReservedCapacity |
| DescribeReservedCapacityOfferings | dynamodb:DescribeReservedCapacityOfferings |
| DescribeStream | dynamodb:DescribeStream |
| DescribeTable | dynamodb:DescribeTable |
| GetItem | dynamodb:GetItem |
| GetRecords | dynamodb:GetRecords |
| GetShardIterator | dynamodb:GetShardIterator |
| ListStreams | dynamodb:ListStreams |
| ListTables | dynamodb:ListTables |
| PurchaseReservedCapacityOfferings | dynamodb:PurchaseReservedCapacityOfferings |
| PutItem | dynamodb:PutItem |
| Query | dynamodb:Query |
| Scan | dynamodb:Scan |
| UpdateItem | dynamodb:UpdateItem |
| UpdateTable | dynamodb:UpdateTable |
在下表中,您可以查看与每个允许的API操作关联的资源-
| API Operation | Resource |
|---|---|
| BatchGetItem | arn:aws:dynamodb:region:account-id:table/table-name |
| BatchWriteItem | arn:aws:dynamodb:region:account-id:table/table-name |
| CreateTable | arn:aws:dynamodb:region:account-id:table/table-name |
| DeleteItem | arn:aws:dynamodb:region:account-id:table/table-name |
| DeleteTable | arn:aws:dynamodb:region:account-id:table/table-name |
| DescribeLimits | arn:aws:dynamodb:region:account-id:* |
| DescribeReservedCapacity | arn:aws:dynamodb:region:account-id:* |
| DescribeReservedCapacityOfferings | arn:aws:dynamodb:region:account-id:* |
| DescribeStream | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label |
| DescribeTable | arn:aws:dynamodb:region:account-id:table/table-name |
| GetItem | arn:aws:dynamodb:region:account-id:table/table-name |
| GetRecords | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label |
| GetShardIterator | arn:aws:dynamodb:region:account-id:table/table-name/stream/stream-label |
| ListStreams | arn:aws:dynamodb:region:account-id:table/table-name/stream/* |
| ListTables | * |
| PurchaseReservedCapacityOfferings | arn:aws:dynamodb:region:account-id:* |
| PutItem | arn:aws:dynamodb:region:account-id:table/table-name |
| Query |
arn:aws:dynamodb:region:account-id:table/table-name or arn:aws:dynamodb:region:account-id:table/table-name/index/index-name |
| Scan |
arn:aws:dynamodb:region:account-id:table/table-name or arn:aws:dynamodb:region:account-id:table/table-name/index/index-name |
| UpdateItem | arn:aws:dynamodb:region:account-id:table/table-name |
| UpdateTable | arn:aws:dynamodb:region:account-id:table/table-name |