
Administration of DynamoDB V2 Connector

Before you use Amazon DynamoDB V2 Connector, make sure you perform the following prerequisite tasks:

Create a minimal IAM policy

Create IAM policies with the minimum required permissions to read from and write to Amazon DynamoDB.
Use the following minimal policy to read data from Amazon DynamoDB:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:Scan",
                "dynamodb:Query"
            ],
            "Resource": "*"
        }
    ]
}
Use the following minimal policy to write data to Amazon DynamoDB:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:ListTables",
                "dynamodb:DescribeTable",
                "dynamodb:ListTagsOfResource",
                "dynamodb:PutItem",
                "dynamodb:DeleteItem",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:TagResource"
            ],
            "Resource": "*"
        }
    ]
}

Authentication

Amazon DynamoDB V2 Connector uses the standard Amazon AWS SDK authentication mechanisms.
If you do not provide the access key and the secret key in the connection, Amazon DynamoDB V2 Connector uses the AWS credentials provider chain, which looks for credentials in the following order:
  1. The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables.
  2. The aws.accessKeyId and aws.secretKey Java system properties.
  3. The credential profiles file at the default location, ~/.aws/credentials.
  4. The instance profile credentials, such as the master instance profile and the worker instance profile in the advanced cluster, delivered through the Amazon EC2 metadata service.
For more information, see the AWS documentation.
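The lookup order just described, as an added example that is not the connector's or the AWS SDK's code. The environment, Java system properties, credentials-file text and instance-profile lookup are passed in as parameters so the function runs offline; the sample credentials file and the callable standing in for the EC2 metadata service are constructed for this demonstration, and the key values in them are placeholders.

```python
"""Resolve AWS credentials in the order the default provider chain uses.

Added example, not the connector's or the AWS SDK's code. The order is the
one listed on this page: environment variables, Java system properties,
~/.aws/credentials, then the instance profile from the EC2 metadata service.
"""
import configparser
from typing import Callable, Mapping, Optional, Tuple

Credentials = Tuple[str, str]  # (access key id, secret access key)


def resolve_credentials(
    env: Mapping[str, str],
    system_properties: Mapping[str, str],
    credentials_file_text: Optional[str],
    instance_profile: Callable[[], Optional[Credentials]],
    profile: str = "default",
) -> Tuple[str, Optional[Credentials]]:
    """Return (source, credentials) for the first source that supplies both keys."""
    # 1. Environment variables: current names first, then the legacy pair.
    for ak_name, sk_name in (
        ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
        ("AWS_ACCESS_KEY", "AWS_SECRET_KEY"),
    ):
        if env.get(ak_name) and env.get(sk_name):
            return "environment", (env[ak_name], env[sk_name])

    # 2. Java system properties (as passed to the JVM with -D).
    ak = system_properties.get("aws.accessKeyId")
    sk = system_properties.get("aws.secretKey")
    if ak and sk:
        return "system-properties", (ak, sk)

    # 3. Shared credentials file, INI format with one section per profile.
    if credentials_file_text:
        parser = configparser.ConfigParser()
        parser.read_string(credentials_file_text)
        if parser.has_section(profile):
            ak = parser.get(profile, "aws_access_key_id", fallback=None)
            sk = parser.get(profile, "aws_secret_access_key", fallback=None)
            if ak and sk:
                return "credentials-file", (ak, sk)

    # 4. Instance profile. The real chain queries the EC2 metadata service;
    #    here a callable is injected so the example needs no network.
    creds = instance_profile()
    if creds:
        return "instance-profile", creds
    return "none", None


# Constructed sample credentials file; the key values are placeholders.
SAMPLE_CREDENTIALS_FILE = (
    "[default]\n"
    "aws_access_key_id = AKIAFILEPLACEHOLDER\n"
    "aws_secret_access_key = file-secret-placeholder\n"
)


def fake_instance_profile() -> Optional[Credentials]:
    """Stands in for the metadata service; returns placeholder role credentials."""
    return ("AKIAROLEPLACEHOLDER", "role-secret-placeholder")


if __name__ == "__main__":
    # Environment keys win even when a file and an instance profile are present.
    env = {"AWS_ACCESS_KEY_ID": "AKIAENVPLACEHOLDER", "AWS_SECRET_ACCESS_KEY": "env-secret"}
    print(resolve_credentials(env, {}, SAMPLE_CREDENTIALS_FILE, fake_instance_profile))
    # With nothing else set, the instance profile is used.
    print(resolve_credentials({}, {}, None, fake_instance_profile))
```

Because the instance profile is consulted last, stray AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables in the Secure Agent's environment silently take precedence over the EC2 role; when IAM authentication is expected to be in effect, checking which source actually supplied the credentials is worthwhile.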

IAM authentication

Use IAM authentication for secure and controlled access to Amazon DynamoDB tables when you run a task.
You can configure IAM authentication when the Secure Agent runs on an Amazon Elastic Compute Cloud (EC2) system.
    1. Create a policy with read and write access to Amazon DynamoDB tables.
    2. Create the Amazon EC2 role.
    The Amazon EC2 role is used when you create an EC2 system. For more information about creating the Amazon EC2 role, see the AWS documentation.
    3. Link the policy with the Amazon EC2 role.
    4. Create an EC2 instance and then assign the Amazon EC2 role that you created in step 2 to the EC2 instance.
    5. Install the Secure Agent on the EC2 system.

Temporary security credentials using AssumeRole

You can use temporary security credentials obtained through AssumeRole to access Amazon DynamoDB resources in the same or a different AWS account.
Ensure that you have the sts:AssumeRole permission and a trust relationship established between the AWS accounts before you use the temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The IAM role adds the IAM user as a trusted entity and allows that user to obtain the temporary security credentials and access the AWS account. For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted IAM user requests temporary security credentials, the AWS Security Token Service dynamically generates credentials that are valid for a specified period and returns them to the trusted IAM user. The temporary security credentials consist of an access key, a secret key, and a secret token.
To use the dynamically generated temporary security credentials, provide the value of the IAM Role ARN connection property when you create an Amazon DynamoDB V2 connection. The IAM Role ARN uniquely identifies the Amazon DynamoDB resources.

Temporary security credentials policy

To use the temporary security credentials to access Amazon DynamoDB resources, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
IAM user
An IAM user must have the sts:AssumeRole policy to use the temporary security credentials in the same or different AWS account.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
    }
}
IAM role
An IAM role must have an sts:AssumeRole policy and a trust policy attached to allow the IAM user to access Amazon DynamoDB tables using the temporary security credentials. The policy specifies the Amazon DynamoDB tables that the IAM user can access and the actions that the IAM user can perform. The trust policy specifies the IAM user from the AWS account that can access the Amazon DynamoDB tables.
The following policy is a sample trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS-account-ID:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
In the Principal attribute, you can also provide the ARN of a specific IAM user who can use the dynamically generated temporary security credentials, which restricts access further. For example:
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }

External ID

You can optionally specify an external ID in the AssumeRole request to the AWS Security Token Service for more secure access to the Amazon DynamoDB tables. The external ID must be a string.
The following sample shows an external ID condition in the trust policy of the assumed IAM role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AWS_Account_ID:user/user_name"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "dummy_external_id"
                }
            }
        }
    ]
}
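A static check over the policy documents on this page, added here as an example and not Informatica's or AWS's code. It serves two passages: it compares a permissions policy against the minimal read and write action sets from the "Create a minimal IAM policy" section (flagging extra actions, wildcards, and the "Resource": "*" that the samples use but that should be narrowed to table ARNs), and it checks a role trust policy for the shape the External ID section recommends (a user principal rather than the whole account, plus an sts:ExternalId condition). The sample policies at the bottom are constructed; the account ID 111122223333, the user name etl-user and the table name orders are placeholders.

```python
"""Static checks for the DynamoDB IAM policy documents shown on this page.

Added example (not Informatica's or AWS's code). The minimal action sets are
copied from the page's read and write policies; the sample policies at the
bottom are constructed, with placeholder account IDs and names.
"""
import json

READ_ACTIONS = frozenset({
    "dynamodb:ListTables", "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource", "dynamodb:Scan", "dynamodb:Query",
})
WRITE_ACTIONS = frozenset({
    "dynamodb:ListTables", "dynamodb:DescribeTable",
    "dynamodb:ListTagsOfResource", "dynamodb:PutItem", "dynamodb:DeleteItem",
    "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:TagResource",
})


def _as_list(value):
    """IAM accepts one string or a list for Statement, Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_permissions_policy(policy, allowed_actions):
    """Return findings for an identity policy; an empty list means it is minimal.

    Flags any Allow action outside allowed_actions (a wildcard such as
    "dynamodb:*" is simply not in the set, so it is flagged too) and a
    Resource of "*", which should be narrowed to the table ARNs the task needs.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in allowed_actions:
                findings.append(f"action not in minimal set: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append("resource is '*'; scope to table ARNs")
    return findings


def check_trust_policy(policy, expected_external_id=None):
    """Return findings for a role trust policy that allows sts:AssumeRole.

    Flags a principal that trusts a whole account (":root" or "*") instead of
    one IAM user and, when an external ID is expected, a missing or
    mismatched StringEquals condition on sts:ExternalId.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, str):          # "Principal": "*"
            aws_principals = [principal]
        else:
            aws_principals = _as_list((principal or {}).get("AWS"))
        for p in aws_principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"principal '{p}' trusts a whole account; use a user ARN")
        if expected_external_id is not None:
            got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if got is None:
                findings.append("no sts:ExternalId condition")
            elif got != expected_external_id:
                findings.append("sts:ExternalId does not match the expected value")
    return findings


# Constructed samples (placeholder account ID, user and table names).
READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["dynamodb:ListTables", "dynamodb:DescribeTable",
               "dynamodb:ListTagsOfResource", "dynamodb:Scan", "dynamodb:Query"],
    "Resource": "*"}]}""")
BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "dynamodb:*",
    "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"}}
ROOT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/etl-user"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "dummy_external_id"}}}]}

if __name__ == "__main__":
    for name, pol in (("read", READ_POLICY), ("broad", BROAD_POLICY)):
        print(name, check_permissions_policy(pol, READ_ACTIONS) or "minimal")
    for name, pol in (("root trust", ROOT_TRUST), ("scoped trust", SCOPED_TRUST)):
        print(name, check_trust_policy(pol, "dummy_external_id") or "ok")
```

Run it against the policies actually attached to the connector's IAM user and role before the first task runs; the checks are deliberately strict, so a finding is a prompt to review the policy, not proof that it is wrong.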