fix(dynamodb): Table.grantWriteData() doesn't include enough KMS permissions (#19102)

rangerthegood · web-flow · commit 77f1e0b57bd4 · 2022-02-24T22:16:39.000Z
This fix adds the additional KMS actions `KEY_READ_ACTIONS` during calls to `grantWriteData`. This is required when using Tables are using CMKs during write operations such as put_item and batch_write_item. Fixes #10010 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-dynamodb/lib/table.ts b/packages/@aws-cdk/aws-dynamodb/lib/table.ts
@@ -732,7 +732,8 @@ abstract class TableBase extends Resource implements ITable {
    * @param grantee The principal to grant access to
    */
   public grantWriteData(grantee: iam.IGrantable): iam.Grant {
-    return this.combinedGrant(grantee, { keyActions: perms.KEY_WRITE_ACTIONS, tableActions: perms.WRITE_DATA_ACTIONS });
+    const keyActions = perms.KEY_READ_ACTIONS.concat(perms.KEY_WRITE_ACTIONS);
+    return this.combinedGrant(grantee, { keyActions, tableActions: perms.WRITE_DATA_ACTIONS });
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts b/packages/@aws-cdk/aws-dynamodb/test/dynamodb.test.ts
@@ -720,6 +720,38 @@ test('if an encryption key is included, encrypt/decrypt permissions are added to
   });
 });
 
+test('if an encryption key is included, encrypt/decrypt permissions are added to the principal for grantWriteData', () => {
+  const stack = new Stack();
+  const table = new Table(stack, 'Table A', {
+    tableName: TABLE_NAME,
+    partitionKey: TABLE_PARTITION_KEY,
+    encryption: TableEncryption.CUSTOMER_MANAGED,
+  });
+  const user = new iam.User(stack, 'MyUser');
+  table.grantWriteData(user);
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: Match.arrayWith([{
+        Action: [
+          'kms:Decrypt',
+          'kms:DescribeKey',
+          'kms:Encrypt',
+          'kms:ReEncrypt*',
+          'kms:GenerateDataKey*',
+        ],
+        Effect: 'Allow',
+        Resource: {
+          'Fn::GetAtt': [
+            'TableAKey07CC09EC',
+            'Arn',
+          ],
+        },
+      }]),
+    },
+  });
+});
+
 test('when specifying STANDARD_INFREQUENT_ACCESS table class', () => {
   const stack = new Stack();
   new Table(stack, CONSTRUCT_NAME, {

Original file line number	Diff line number	Diff line change
`@@ -732,7 +732,8 @@ abstract class TableBase extends Resource implements ITable {`
`732`	`732`	`* @param grantee The principal to grant access to`
`733`	`733`	`*/`
`734`	`734`	`public grantWriteData(grantee: iam.IGrantable): iam.Grant {`
`735`		`- return this.combinedGrant(grantee, { keyActions: perms.KEY_WRITE_ACTIONS, tableActions: perms.WRITE_DATA_ACTIONS });`
	`735`	`+ const keyActions = perms.KEY_READ_ACTIONS.concat(perms.KEY_WRITE_ACTIONS);`
	`736`	`+ return this.combinedGrant(grantee, { keyActions, tableActions: perms.WRITE_DATA_ACTIONS });`
`736`	`737`	`}`
`737`	`738`
`738`	`739`	`/**`