Connect to Amazon DynamoDB - AWS App Studio

AWS App Studio is in preview and is subject to change.

Connect to Amazon DynamoDB

To connect App Studio with DynamoDB to enable builders to access and use DynamoDB resources in applications, you must perform the following steps:

Create and configure DynamoDB resources

Use the following procedure to create and configure DynamoDB resources to be used with App Studio.

To set up DynamoDB for use with App Studio
  1. Sign in to the AWS Management Console and open the DynamoDB console at https://console.aws.amazon.com/dynamodb/.

    We recommend using the administrative user created in Create an administrative user for managing AWS resources.

  2. In the left navigation pane, choose Tables.

  3. Choose Create table.

  4. Enter a name and keys for your table.

  5. Choose Create table.

  6. After your table is created, add some items to it so they will appear once the table is connected to App Studio.

    1. Choose your table, choose Actions, and choose Explore items.

    2. In Items returned, choose Create item.

    3. (Optional): Choose Add new attribute to add more attributes to your table.

    4. Enter values for each attribute and choose Create item.

Create an IAM role to give App Studio access to DynamoDB resources

To use DynamoDB resources with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete.

We recommend creating at least one IAM role per service and policy. For example, if builders are creating two applications backed by the same tables in DynamoDB, one that requires only read access and one that requires read, create, update, and delete access, an administrator should create two IAM roles: one with read-only permissions and one with full CRUD permissions to the applicable tables in DynamoDB.

To create an IAM role to give App Studio access to DynamoDB resources
  1. Sign in to the IAM console with a user that has permissions to create IAM roles. We recommend using the administrative user created in Create an administrative user for managing AWS resources.

  2. In the navigation pane of the console, choose Roles and then choose Create role.

  3. In Trusted entity type, choose Custom trust policy.

  4. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.

    You must replace 111122223333 with the AWS account number of the account used to set up the App Studio instance.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalTag/IsAppStudioAccessRole": "true"
            }
          }
        }
      ]
    }

    Choose Next.

  5. In Add permissions, search for and select the policies that grant the appropriate permissions for the role. Choosing the + next to a policy will expand the policy to show the permissions granted by it and choosing the checkbox selects the policy.

    Note

    Instead of adding a managed policy, which includes more permissions than App Studio requires, you can create a customer managed policy with only the minimum required permissions and attach that to the IAM role. For more information, see Required IAM permissions for DynamoDB.

    For DynamoDB, you may consider adding one of the following policies:

    • AmazonDynamoDBFullAccess: Provides full access to create, read, update, and delete DynamoDB resources.

    • AmazonDynamoDBReadOnlyAccess: Provides read-only access to list and describe DynamoDB resources.

    For more information about using IAM policies with DynamoDB, including a list of managed policies and their descriptions, see Identity and Access Management for Amazon DynamoDB in the Amazon DynamoDB Developer Guide.

    Choose Next.

  6. In Role details, provide a name and description.

  7. In Step 3: Add tags, choose Add new tag to add the following tag to provide App Studio access:

    • Key: IsAppStudioDataAccessRole

    • Value: true

  8. Choose Create role and make note of the generated Amazon Resource Name (ARN). You will need it when creating the DynamoDB connector in App Studio.
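The trust policy in step 4 names the account root as principal, so the `aws:PrincipalTag/IsAppStudioAccessRole` condition is what limits which principals in that account can assume the role. The following check is an added example, not code from AWS or App Studio: it reviews a trust policy document before the role is created, and the function name and the `NO_CONDITION` sample are constructed for illustration.

```python
REQUIRED_TAG_KEY = "aws:principaltag/isappstudioaccessrole"  # page's condition key, lowercased

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, account_id):
    """List problems in a role trust policy that should admit only App Studio."""
    findings = []
    allowed = {f"arn:aws:iam::{account_id}:root", account_id}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_assume = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if p not in allowed:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Compare condition operators and keys case-insensitively.
        cond = {op.lower(): {k.lower(): v for k, v in keys.items()}
                for op, keys in stmt.get("Condition", {}).items()}
        tag = cond.get("stringequals", {}).get(REQUIRED_TAG_KEY)
        if _as_list(tag) != ["true"]:
            findings.append(f"statement {i}: missing {REQUIRED_TAG_KEY}=true condition")
    return findings

# The trust policy from step 4, using the page's placeholder account number.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:PrincipalTag/IsAppStudioAccessRole": "true"}},
}]}

# Constructed sample: the same statement with the Condition block dropped.
NO_CONDITION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
}]}

if __name__ == "__main__":
    print(trust_policy_findings(PAGE_POLICY, "111122223333"))
    print(trust_policy_findings(NO_CONDITION, "111122223333"))
```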

Important

If your DynamoDB tables are encrypted with an AWS KMS customer-managed key (CMK), you must grant the IAM role used to create the connector permissions to describe the key and decrypt the table. The following policy is an example policy to add to the IAM role. You must replace the ARN with the ARN of the AWS KMS key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

Create DynamoDB connector

To create a connector for DynamoDB
  1. Navigate to App Studio.

  2. In the left-side navigation pane, choose Connectors in the Manage section. You will be taken to a page displaying a list of existing connectors with some details about each.

  3. Choose + Create connector.

  4. Choose Amazon DynamoDB from the list of connector types.

  5. Configure your connector by filling out the following fields:

    • Name: Enter a name for your DynamoDB connector.

    • Description: Enter a description for your DynamoDB connector.

    • IAM role: Enter the Amazon Resource Name (ARN) from the IAM role created in Create an IAM role to give App Studio access to DynamoDB resources. For more information about IAM, see the IAM User Guide.

    • Region: Choose the AWS Region where your DynamoDB resources are located.

    • Available tables: Select the tables you want to connect to App Studio.

  6. Choose Next. Review the connection information and choose Create.

  7. The newly created connector will appear in the Connectors list.

Required IAM permissions for DynamoDB

The following table contains the minimum permissions that an IAM role must contain to use DynamoDB resources with App Studio. For more information about creating customer managed policies and attaching them to an IAM role, see Create IAM policies (console).

| Access type | Required permissions |
| --- | --- |
| Read only | dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:PartiQLSelect |
| Full access (Create, read, update, and delete) | dynamodb:ListTables, dynamodb:DescribeTable, dynamodb:PartiQLSelect, dynamodb:PartiQLInsert, dynamodb:PartiQLUpdate, dynamodb:PartiQLDelete |
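As an added example (not AWS's or App Studio's own code), the following builds a customer managed policy from the minimum permissions in the table above and reports any actions in an existing policy that go beyond them. Scoping the table-level actions to specific table ARNs is an assumption that goes beyond what the page states, and the table name and the `BROAD` policy are constructed samples.

```python
READ_ONLY = ["dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:PartiQLSelect"]
FULL_ACCESS = READ_ONLY + ["dynamodb:PartiQLInsert", "dynamodb:PartiQLUpdate",
                           "dynamodb:PartiQLDelete"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def build_policy(table_arns, full_access=False):
    """Customer managed policy holding only the page's minimum actions."""
    actions = FULL_ACCESS if full_access else READ_ONLY
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListTables does not support resource-level permissions.
            {"Sid": "ListTables", "Effect": "Allow",
             "Action": "dynamodb:ListTables", "Resource": "*"},
            # Assumption: the remaining actions are scoped to the connected tables.
            {"Sid": "ConnectedTables", "Effect": "Allow",
             "Action": [a for a in actions if a != "dynamodb:ListTables"],
             "Resource": sorted(table_arns)},
        ],
    }

def excess_actions(policy, full_access=False):
    """Allowed actions, wildcards included, beyond the minimum for the access type."""
    minimum = {a.lower() for a in (FULL_ACCESS if full_access else READ_ONLY)}
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return sorted(a for a in granted if a.lower() not in minimum)

# Constructed samples: an illustrative table ARN and an over-broad policy.
TABLE = "arn:aws:dynamodb:us-west-2:111122223333:table/ExampleTable"
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"}]}

if __name__ == "__main__":
    import json
    print(json.dumps(build_policy([TABLE]), indent=2))
    print(excess_actions(BROAD))
```

Running `excess_actions` with the read-only default against a role intended for a read-only application shows any write actions that should be moved to a separate full-access role.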