PutResourcePolicyCommand

Suggest an Edit

Attaches a resource-based policy document to the resource, which can be a table or stream. When you attach a resource-based policy using this API, the policy application is eventually consistent  .

PutResourcePolicy is an idempotent operation; running it multiple times on the same resource using the same policy document will return the same revision ID. If you specify an ExpectedRevisionId that doesn't match the current policy's RevisionId, the PolicyNotFoundException will be returned.

PutResourcePolicy is an asynchronous operation. If you issue a GetResourcePolicy request immediately after a PutResourcePolicy request, DynamoDB might return your previous policy, if there was one, or return the PolicyNotFoundException. This is because GetResourcePolicy uses an eventually consistent query, and the metadata for your policy or table might not be available at that moment. Wait for a few seconds, and then try the GetResourcePolicy request again.

Example Syntax

Use a bare-bones client and the command you need to make an API call.

import { DynamoDBClient, PutResourcePolicyCommand } from "@aws-sdk/client-dynamodb"; // ES Modules import
// const { DynamoDBClient, PutResourcePolicyCommand } = require("@aws-sdk/client-dynamodb"); // CommonJS import
const client = new DynamoDBClient(config);
const input = { // PutResourcePolicyInput
  ResourceArn: "STRING_VALUE", // required
  Policy: "STRING_VALUE", // required
  ExpectedRevisionId: "STRING_VALUE",
  ConfirmRemoveSelfResourceAccess: true || false,
};
const command = new PutResourcePolicyCommand(input);
const response = await client.send(command);
// { // PutResourcePolicyOutput
//   RevisionId: "STRING_VALUE",
// };

PutResourcePolicyCommand Input

See PutResourcePolicyCommandInput for more details

Parameter
Type
Description
Policy
Required
string | undefined

An Amazon Web Services resource-based policy document in JSON format.

  • The maximum size supported for a resource-based policy document is 20 KB. DynamoDB counts whitespaces when calculating the size of a policy against this limit.

  • Within a resource-based policy, if the action for a DynamoDB service-linked role (SLR) to replicate data for a global table is denied, adding or deleting a replica will fail with an error.

For a full list of all considerations that apply while attaching a resource-based policy, see Resource-based policy considerations .

ResourceArn
Required
string | undefined

The Amazon Resource Name (ARN) of the DynamoDB resource to which the policy will be attached. The resources you can specify include tables and streams.

You can control index permissions using the base table's policy. To specify the same permission level for your table and its indexes, you can provide both the table and index Amazon Resource Name (ARN)s in the Resource field of a given Statement in your policy document. Alternatively, to specify different permissions for your table, indexes, or both, you can define multiple Statement fields in your policy document.

ConfirmRemoveSelfResourceAccess
boolean | undefined

Set this parameter to true to confirm that you want to remove your permissions to change the policy of this resource in the future.

ExpectedRevisionId
string | undefined

A string value that you can use to conditionally update your policy. You can provide the revision ID of your existing policy to make mutating requests against that policy.

When you provide an expected revision ID, if the revision ID of the existing policy on the resource doesn't match or if there's no policy attached to the resource, your request will be rejected with a PolicyNotFoundException.

To conditionally attach a policy when no policy exists for the resource, specify NO_POLICY for the revision ID.

PutResourcePolicyCommand Output

See PutResourcePolicyCommandOutput for details

Parameter
Type
Description
$metadata
Required
ResponseMetadata
Metadata pertaining to this request.
RevisionId
string | undefined

A unique string that represents the revision ID of the policy. If you're comparing revision IDs, make sure to always use string comparison logic.

Throws

Name
Fault
Details
InternalServerError
server

An error occurred on the server side.

InvalidEndpointException
client
LimitExceededException
client

There is no limit to the number of daily on-demand backups that can be taken.

For most purposes, up to 500 simultaneous table operations are allowed per account. These operations include CreateTable, UpdateTable, DeleteTable,UpdateTimeToLive, RestoreTableFromBackup, and RestoreTableToPointInTime.

When you are creating a table with one or more secondary indexes, you can have up to 250 such requests running at a time. However, if the table or index specifications are complex, then DynamoDB might temporarily reduce the number of concurrent operations.

When importing into DynamoDB, up to 50 simultaneous import table operations are allowed per account.

There is a soft account quota of 2,500 tables.

GetRecords was called with a value of more than 1000 for the limit request parameter.

More than 2 processes are reading from the same streams shard at the same time. Exceeding this limit may result in request throttling.

PolicyNotFoundException
client

The operation tried to access a nonexistent resource-based policy.

If you specified an ExpectedRevisionId, it's possible that a policy is present for the resource but its revision ID didn't match the expected value.

ResourceInUseException
client

The operation conflicts with the resource's availability. For example:

  • You attempted to recreate an existing table.

  • You tried to delete a table currently in the CREATING state.

  • You tried to update a resource that was already being updated.

When appropriate, wait for the ongoing update to complete and attempt the request again.

ResourceNotFoundException
client

The operation tried to access a nonexistent table or index. The resource might not be specified correctly, or its status might not be ACTIVE.

DynamoDBServiceException
Base exception class for all service exceptions from DynamoDB service.