Using IAM with DynamoDB global tables
When you first create a global table, Amazon DynamoDB automatically creates an AWS Identity and Access Management (IAM) service-linked role for you. The role is named AWSServiceRoleForDynamoDBReplication.
For more information about service-linked roles, see Using service-linked roles in the IAM User Guide.
To create a replica table in DynamoDB, you must have the following permission in the source Region:
- dynamodb:UpdateTable
To create a replica table in DynamoDB, you must have the following permissions in the destination Region:
- dynamodb:CreateTable
- dynamodb:CreateTableReplica
- dynamodb:Scan
- dynamodb:Query
- dynamodb:UpdateItem
- dynamodb:PutItem
- dynamodb:GetItem
- dynamodb:DeleteItem
- dynamodb:BatchWriteItem
To delete a replica table in DynamoDB, you must have the following permissions in the destination Region:
- dynamodb:DeleteTable
- dynamodb:DeleteTableReplica
To update replica auto scaling policies with UpdateTableReplicaAutoScaling, you must have the following permissions in every Region where a replica of the table exists:
- application-autoscaling:DeleteScalingPolicy
- application-autoscaling:DeleteScheduledAction
- application-autoscaling:DeregisterScalableTarget
- application-autoscaling:DescribeScalableTargets
- application-autoscaling:DescribeScalingActivities
- application-autoscaling:DescribeScalingPolicies
- application-autoscaling:DescribeScheduledActions
- application-autoscaling:PutScalingPolicy
- application-autoscaling:PutScheduledAction
- application-autoscaling:RegisterScalableTarget
To use UpdateTimeToLive, you must have the dynamodb:UpdateTimeToLive permission in every Region where a replica of the table exists.
Example: Allow replicas to be added
The following IAM policy grants permissions that allow you to add replicas to a global table. Note that "Resource": "*" grants these actions on every table in the account; where you can, scope the resource to the table ARNs involved, as in the last example on this page.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "dynamodb:CreateTableReplica",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*"
        }
    ]
}
Example: Update auto scaling policies
The following IAM policy grants permissions that allow you to update replica auto scaling policies.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeleteScheduledAction",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:DeregisterScalableTarget"
            ],
            "Resource": "*"
        }
    ]
}
Example: Allow replica creation for a specific table name and Regions
The following IAM policy grants permissions to create tables and replicas for a Customers table that has replicas in three Regions. The account ID and Region codes in the ARNs are placeholders; substitute your own account and the Regions your replicas actually live in.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/Customers",
                "arn:aws:dynamodb:us-west-1:123456789012:table/Customers",
                "arn:aws:dynamodb:eu-east-2:123456789012:table/Customers"
            ]
        }
    ]
}
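The following Python script is an added example and is not AWS code or part of this page. It turns the per-operation permission lists above into data, checks an IAM policy document offline against them for a given table ARN (honouring Allow and Deny, string-or-list Action/Resource, and IAM-style * and ? wildcards), and builds a replica-creation policy that binds each Region's action list to that Region's table ARN instead of using Resource "*". The account ID 123456789012 is the same placeholder the page uses; the service principal replication.dynamodb.amazonaws.com in the iam:CreateServiceLinkedRole condition is an assumption not stated on this page. NotAction, NotResource and Condition are not modelled, so an empty result from the checker is necessary, not sufficient, and the IAM policy simulator remains the authority.

```python
"""Offline checker for the global-table permission lists on this page.

Plain Allow/Deny statements with string-or-list Action/Resource and IAM-style
wildcards are modelled; NotAction, NotResource and Condition are not, so an
empty result is necessary, not sufficient. Confirm with the policy simulator.
"""
import fnmatch

# Action lists copied from the text above, keyed as operation:where-needed.
REQUIRED_ACTIONS = {
    "add_replica:source": {"dynamodb:UpdateTable"},
    "add_replica:destination": {
        "dynamodb:CreateTable", "dynamodb:CreateTableReplica",
        "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem",
        "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:DeleteItem",
        "dynamodb:BatchWriteItem",
    },
    "delete_replica:destination": {
        "dynamodb:DeleteTable", "dynamodb:DeleteTableReplica",
    },
    "update_auto_scaling:all_replica_regions": {
        "application-autoscaling:" + a for a in (
            "DeleteScalingPolicy", "DeleteScheduledAction",
            "DeregisterScalableTarget", "DescribeScalableTargets",
            "DescribeScalingActivities", "DescribeScalingPolicies",
            "DescribeScheduledActions", "PutScalingPolicy",
            "PutScheduledAction", "RegisterScalableTarget",
        )
    },
    "update_ttl:all_replica_regions": {"dynamodb:UpdateTimeToLive"},
}


def _as_list(value):
    """IAM accepts a bare string where a list is expected; normalise."""
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, value):
    """IAM matches actions and ARNs case-insensitively using * and ? only."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def missing_actions(policy, operation, resource_arn):
    """Required actions for `operation` that `policy` does not allow on
    `resource_arn`, or explicitly denies there. Empty set means covered."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not any(_matches(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(_as_list(stmt.get("Action")))
    return {
        action for action in REQUIRED_ACTIONS[operation]
        if not any(_matches(a, action) for a in allowed)
        or any(_matches(d, action) for d in denied)
    }


def table_arn(region, account, table):
    return f"arn:aws:dynamodb:{region}:{account}:table/{table}"


def _allow(sid, actions, resource, **extra):
    return {"Sid": sid, "Effect": "Allow", "Action": sorted(actions),
            "Resource": resource, **extra}


def add_replica_policy(account, table, source_region, dest_region):
    """Least-privilege alternative to Resource "*": each Region's action list
    is bound to that Region's table ARN only."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("SourceRegion", REQUIRED_ACTIONS["add_replica:source"],
               table_arn(source_region, account, table)),
        _allow("DestinationRegion", REQUIRED_ACTIONS["add_replica:destination"],
               table_arn(dest_region, account, table)),
        # Created once per account. Assumption not stated on this page: the
        # replication service principal is replication.dynamodb.amazonaws.com.
        _allow("ServiceLinkedRole", ["iam:CreateServiceLinkedRole"], "*",
               Condition={"StringEquals": {
                   "iam:AWSServiceName": "replication.dynamodb.amazonaws.com"}}),
    ]}


# The first policy on this page, kept verbatim for comparison.
PAGE_ADD_REPLICA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
                   "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable",
                              "dynamodb:UpdateTable", "dynamodb:CreateTableReplica",
                              "iam:CreateServiceLinkedRole"]}],
}

if __name__ == "__main__":
    acct = "123456789012"  # placeholder account ID, as in the page's ARNs
    arn = table_arn("us-west-2", acct, "Customers")
    scoped = add_replica_policy(acct, "Customers", "us-east-1", "us-west-2")
    for name, pol in (("page example", PAGE_ADD_REPLICA_POLICY), ("scoped", scoped)):
        print(name, "missing in destination:",
              sorted(missing_actions(pol, "add_replica:destination", arn)))
```

Run against the page's first example, the checker reports the item-level actions (Scan, Query, PutItem and so on) that the destination-Region list above requires but that policy does not grant; run against the scoped policy it returns an empty set for both Regions and reports dynamodb:UpdateTable as missing for any other table name, which is the point of scoping the resource.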