aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws_dynamodb: Unable to create table with resource policy with certain dynamodb actions #32230

Open frankpengau opened 1 week ago

frankpengau commented 1 week ago

Describe the bug

Unable to create dynamodb table v2 with a resource policy that contains certain dynamodb actions relating to streams.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoDBIndexAndStreamAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetShardIterator",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/index/*",
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test/stream/*"
            ]
        },
        {
            "Sid": "DynamoDBTableAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:ConditionCheckItem",
                "dynamodb:PutItem",
                "dynamodb:DescribeTable",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/test-ddb-role-1",
                    "arn:aws:iam::123456789012:role/test-ddb-role-2",
                    "arn:aws:iam::123456789012:role/test-ddb-role-3"
                ]
            },
            "Resource": [
                "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test"
            ]
        }
    ]
}

Following example from: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/iam-policy-example-data-crud.html

Resource handler returned message: "One or more parameter values were invalid: Invalid policy document: The following action names are invalid: "dynamodb:GetRecords", "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:ListStreams" (Service: DynamoDb, Status Code: 400, ... HandlerErrorCode: InvalidRequest)

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

DynamoDB Table V2 should be created with expected resource policy given.

Current Behavior

Failure to create DynamoDB Table V2

Reproduction Steps

Repo: https://github.com/frankpengau/aws-cdk-ddbv2-resource-policy-issue

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.169.0

Framework Version

No response

Node.js Version

22.11.0

OS

macOS Sonoma 14.7.1 (Darwin 23.6.0)

Language

TypeScript

Language Version

Typescript (5.6.3)

Other information

No response

khushail commented 5 days ago

Hi @frankpengau , thanks for reaching out.

All the errors are related to the policies related to stream and the reason as mentioned in AWS documentation is -

(screenshot of the AWS documentation, captured 2024-11-26, not reproduced in this extract)

so in order to work, you might want to create a table with stream first, get the stream id and then grant the required access. (Ref. article for example)

Hope that helps!

Let me know if this does not work for you.

Thanks.
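The error in the report and the maintainer's suggested sequencing (create the table with its stream, obtain the stream ARN, then grant stream access separately) both come down to the same fact: the four rejected actions are DynamoDB Streams operations, so they cannot live in the table's resource policy. The following is an added example, not code from the issue or from aws-cdk. It splits a policy document like the reported one into the statements a `TableV2` `resourcePolicy` will accept and a second document holding the stream actions and stream ARNs, to be attached once the stream exists. It assumes the stream-only action list is exactly the one DynamoDB named in the error, keeps index ARNs on the table side (DynamoDB only objected to the actions), leaves wildcard actions such as `dynamodb:*` untouched, and uses the issue's policy trimmed to one principal as sample input; the stream ARN timestamp in the usage is constructed.

```typescript
// Added example (not from the issue or aws-cdk): carve stream-scoped access out
// of a DynamoDB table resource policy so the table side deploys, and keep the
// stream side for a later PutResourcePolicy against the stream ARN.

type PolicyStatement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Principal?: unknown;
  Resource: string | string[];
  Condition?: unknown;
};
type PolicyDoc = { Version: string; Statement: PolicyStatement[] };

// The four actions DynamoDB rejected in the issue: Streams API operations that
// are valid against a stream ARN but not inside a table resource policy.
const STREAM_ONLY_ACTIONS: ReadonlySet<string> = new Set([
  "dynamodb:GetRecords", "dynamodb:GetShardIterator",
  "dynamodb:DescribeStream", "dynamodb:ListStreams",
]);

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const isStreamArn = (arn: string): boolean => /:table\/[^/]+\/stream\//.test(arn);

// Pre-deploy check: which actions would make DynamoDB reject this document as
// a table resource policy? An empty list means the table side is clean.
function findStreamOnlyActions(doc: PolicyDoc): string[] {
  const found = new Set<string>();
  for (const s of doc.Statement) {
    for (const a of asList(s.Action)) if (STREAM_ONLY_ACTIONS.has(a)) found.add(a);
  }
  return [...found].sort();
}

function splitDynamoDbResourcePolicy(doc: PolicyDoc): {
  tablePolicy: PolicyDoc;               // safe to pass as TableV2 resourcePolicy
  streamPolicy: PolicyDoc | undefined;  // attach to the stream once it exists
  movedActions: string[];               // what was carved out of the table side
} {
  const tableStatements: PolicyStatement[] = [];
  const streamStatements: PolicyStatement[] = [];
  for (const stmt of doc.Statement) {
    const actions = asList(stmt.Action);
    const resources = asList(stmt.Resource);
    const streamActions = actions.filter((a) => STREAM_ONLY_ACTIONS.has(a));
    const tableActions = actions.filter((a) => !STREAM_ONLY_ACTIONS.has(a));
    const streamResources = resources.filter(isStreamArn);
    const tableResources = resources.filter((r) => !isStreamArn(r));
    // Table side keeps principal, effect and condition, minus stream actions and
    // stream ARNs. A statement that had only stream actions disappears here.
    if (tableActions.length > 0 && tableResources.length > 0) {
      tableStatements.push({ ...stmt, Action: tableActions, Resource: tableResources });
    }
    if (streamActions.length > 0) {
      streamStatements.push({
        ...stmt,
        Sid: stmt.Sid === undefined ? undefined : `${stmt.Sid}Stream`,
        Action: streamActions,
        // Keep the stream ARNs the author wrote; if there were none, derive
        // "<table arn>/stream/*" from the table or index ARNs in the statement.
        Resource: streamResources.length > 0
          ? streamResources
          : tableResources.map((r) => `${r.replace(/\/index\/.*$/, "")}/stream/*`),
      });
    }
  }
  return {
    tablePolicy: { Version: doc.Version, Statement: tableStatements },
    streamPolicy: streamStatements.length > 0
      ? { Version: doc.Version, Statement: streamStatements } : undefined,
    movedActions: findStreamOnlyActions(doc),
  };
}

// Second step of the workaround: once the table exists and its stream ARN is
// known, pin ".../stream/*" to that ARN. The result is the Policy you hand to
// PutResourcePolicy with the stream ARN as ResourceArn (call not made here).
function scopeStreamPolicyToArn(streamPolicy: PolicyDoc, streamArn: string): PolicyDoc {
  return {
    Version: streamPolicy.Version,
    Statement: streamPolicy.Statement.map((s) => ({
      ...s,
      Resource: asList(s.Resource).map((r) => (r.endsWith("/stream/*") ? streamArn : r)),
    })),
  };
}

// The policy from the issue, trimmed to one principal (placeholder account/region).
const TABLE_ARN = "arn:aws:dynamodb:ap-southeast-2:123456789012:table/ddb-table-test";
const ISSUE_POLICY: PolicyDoc = {
  Version: "2012-10-17",
  Statement: [
    { Sid: "DynamoDBIndexAndStreamAccess", Effect: "Allow",
      Action: ["dynamodb:GetShardIterator", "dynamodb:Scan", "dynamodb:Query",
               "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:ListStreams"],
      Principal: { AWS: ["arn:aws:iam::123456789012:role/test-ddb-role-1"] },
      Resource: [`${TABLE_ARN}/index/*`, `${TABLE_ARN}/stream/*`] },
    { Sid: "DynamoDBTableAccess", Effect: "Allow",
      Action: ["dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:ConditionCheckItem",
               "dynamodb:PutItem", "dynamodb:DescribeTable", "dynamodb:DeleteItem",
               "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem"],
      Principal: { AWS: ["arn:aws:iam::123456789012:role/test-ddb-role-1"] },
      Resource: [TABLE_ARN] },
  ],
};
```

Running `splitDynamoDbResourcePolicy(ISSUE_POLICY)` yields a table policy whose first statement keeps only `Scan`/`Query` on the index ARN and whose second statement is unchanged, plus a one-statement stream policy carrying the four Streams actions on `.../stream/*`; `findStreamOnlyActions` on the table side then returns nothing, which is the check worth running before `cdk deploy`. Whether the stream side is attached as a resource policy on the stream or granted on the consuming roles' IAM policies is a separate choice; either way it cannot be expressed in the table's `resourcePolicy`.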

github-actions[bot] commented 3 days ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.