I am using DynamoDB with Spring Data. I specify the following entity:
    // getters and setters added by Lombok
    @DynamoDBTable(tableName = "secret-table")
    public class SecretEntity {
        @Id
        @DynamoDBHashKey(attributeName = "uuid")
        @DynamoDBAutoGeneratedKey
        private String id;

        @DynamoDBAttribute(attributeName = "status")
        private String status;

        @DynamoDBAttribute(attributeName = "reference")
        private String secretReference;

        @DynamoDBIndexHashKey(attributeName = "secretContractUuid", globalSecondaryIndexName = "secretContractUuid")
        private String contractUuid;
    }
I am trying to access entries using the contract field and am getting this error:
User: arn:aws:iam::12313123123:user/dynamo-user is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:eu-east-2:131234234:table/secret-table/index/secretContractUuid because no identity-based policy allows the dynamodb:Query action (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: PJ1LOFVG3LSGLTSCIKM9JAOBG3VV4KQNSO5AEMVJF66Q9ASUAAJG; Proxy: null)
But if I specify this field using just
    @DynamoDBAttribute(attributeName = "secretContractUuid")
it works fine.
When is @DynamoDBIndexHashKey required for the GSI field? Are there performance issues when this annotation is not specified?
Your issue is caused by a lack of permissions on the index. By annotating with @DynamoDBIndexHashKey you are telling the application that it can use the index, but you are not supplying adequate permissions.
Your policy should look something like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AccessTableAndIndex",
          "Effect": "Allow",
          "Action": [
            "dynamodb:*"
          ],
          "Resource": [
            "arn:aws:dynamodb:us-west-2:123456789012:table/secret-table",
            "arn:aws:dynamodb:us-west-2:123456789012:table/secret-table/index/secretContractUuid"
          ]
        }
      ]
    }
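
Why a grant on the table ARN alone does not cover the index, as an added example that is not part of the original answer: a simplified model of how identity-based Allow statements match an action and resource, run against a table-only policy and a narrower one that grants only dynamodb:Query on the index. The action list in SCOPED is an assumption about what the repository calls, the ARNs reuse the placeholder account and region from the policy above, and the model ignores Deny, Condition and other policy types.

```python
import re

TABLE = "arn:aws:dynamodb:us-west-2:123456789012:table/secret-table"
INDEX = TABLE + "/index/secretContractUuid"

# Constructed policies for illustration; the action lists are assumptions.
TABLE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": TABLE}]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TableItems", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"],
     "Resource": TABLE},
    {"Sid": "QueryGsi", "Effect": "Allow",
     "Action": "dynamodb:Query", "Resource": INDEX}]}


def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed(policy, action, resource):
    """True if any Allow statement covers (action, resource).

    Simplified: ignores Deny, NotAction/NotResource, Condition and
    every policy type other than a single identity-based policy.
    """
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        # Action names are matched case-insensitively, resource ARNs are not.
        if (any(_match(a, action, ignore_case=True) for a in _as_list(st["Action"]))
                and any(_match(r, resource) for r in _as_list(st["Resource"]))):
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("table-only", TABLE_ONLY), ("scoped", SCOPED)):
        print(name, "Query on index:", allowed(pol, "dynamodb:Query", INDEX))
```

The table-only policy fails on the index ARN even with `dynamodb:*`, which matches the AccessDeniedException in the question; the scoped policy allows the GSI query without granting table-management actions.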