
fix(dynamodb): throw error when grantee is an unsupported ServicePrincipal #37335

Merged
mergify[bot] merged 7 commits into main from fix-dynamo-grants
Mar 28, 2026

Conversation

@kumsmrit kumsmrit (Contributor) commented Mar 23, 2026

Issue # (if applicable)

Closes #37273.

Reason for this change

After v2.222.0, calling table.grantReadWriteData(new ServicePrincipal(...)) started generating DynamoDB resource-based policies containing service principals. This is a regression caused by the combination of #35554 (which fixed addToResourcePolicy to actually take effect) and #35817 (which enabled the grant framework to automatically discover DynamoDB resource policies). Previously, addToResourcePolicy was a no-op, so the grant silently did nothing.

For unsupported service principals (e.g. myservice.amazonaws.com), this produces an invalid resource policy that fails at CloudFormation deploy time with: "Invalid policy document: Policy contains invalid service principal".

However, DynamoDB does support specific service principals in resource policies:

Description of changes

  1. Throw ValidationError for unsupported service principals — Grant methods (grant, grantReadData, grantWriteData, grantReadWriteData, grantFullAccess) on both Table and TableV2 now detect ServicePrincipal grantees and throw a ValidationError at synth time, directing users to table.addToResourcePolicy() instead. This fails fast rather than producing an invalid template that fails at deploy time.

  2. Allowlist known-valid service principals — Added KNOWN_DYNAMODB_SERVICE_PRINCIPALS allowlist in private/principal-utils.ts containing the three documented service principals. The new isUnsupportedServicePrincipal() function walks the principal wrapper chain (handling PrincipalWithConditions, SessionTagsPrincipal, etc.) to extract the service name and check it against the allowlist. Allowlisted principals pass through grant* methods normally.

  3. Integration test — Added integ.dynamodb.grant-service-principal verifying the three allowlisted principals produce correct resource policies in the synthesized CloudFormation template.

Describe any new or updated permissions being added

No new or updated IAM permissions. This change prevents invalid IAM resource policy statements from being generated for unsupported service principals, while allowing valid ones through.

Description of how you validated changes

  • Unit tests: dynamodb.test.ts (186 passing), table-v2.test.ts (135 passing)
    • Unsupported principals (bedrock.amazonaws.com, lambda.amazonaws.com) throw ValidationError
    • Allowlisted principals (redshift, replication.dynamodb, glue) succeed
    • Wrapped principals (via .withConditions()) handled correctly for both cases
  • Integration test: integ.dynamodb.grant-service-principal deployed successfully with snapshot containing resource policy statements for all three allowlisted principals

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
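The grantee check and wrapper-chain walk described in the PR description above, as an added standalone example in TypeScript. It is not aws-cdk-lib code: the class names mirror CDK's, but the `inner` field on the wrapper classes, the `checkGrantee` and `extractServiceName` names and the full spelling of the redshift and glue principals (the page spells out only replication.dynamodb.amazonaws.com) are assumptions of this example.

```typescript
// Added example, not aws-cdk-lib code. Models the synth-time check the PR adds:
// unwrap the grantee, and if it is a ServicePrincipal outside the allowlist,
// throw a ValidationError instead of emitting a policy CloudFormation rejects.

export class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ValidationError';
  }
}

export interface IPrincipal {
  readonly kind: string;
}

export class ServicePrincipal implements IPrincipal {
  readonly kind = 'service';
  constructor(readonly service: string) {}
}

export class AccountPrincipal implements IPrincipal {
  readonly kind = 'account';
  constructor(readonly accountId: string) {}
}

export class ArnPrincipal implements IPrincipal {
  readonly kind = 'arn';
  constructor(readonly arn: string) {}
}

// Wrappers decorate another principal. CDK's PrincipalWithConditions and
// SessionTagsPrincipal wrap this way; the `inner` field name is assumed here.
export class PrincipalWithConditions implements IPrincipal {
  readonly kind = 'with-conditions';
  constructor(readonly inner: IPrincipal, readonly conditions: Record<string, unknown>) {}
}

export class SessionTagsPrincipal implements IPrincipal {
  readonly kind = 'session-tags';
  constructor(readonly inner: IPrincipal) {}
}

// The three service principals the PR says DynamoDB documents for resource
// policies (redshift, replication.dynamodb, glue). Only the second is spelled
// out on the page; the other two suffixes are inferred for this example.
export const KNOWN_DYNAMODB_SERVICE_PRINCIPALS: ReadonlySet<string> = new Set([
  'redshift.amazonaws.com',
  'replication.dynamodb.amazonaws.com',
  'glue.amazonaws.com',
]);

function hasInner(p: IPrincipal): p is IPrincipal & { readonly inner: IPrincipal } {
  return 'inner' in p && typeof (p as { inner?: unknown }).inner === 'object';
}

// Walk the wrapper chain to the innermost principal; return its service name if
// it is a ServicePrincipal, otherwise undefined. The depth cap guards against a
// malformed (cyclic) chain looping forever.
export function extractServiceName(principal: IPrincipal, maxDepth = 16): string | undefined {
  let current: IPrincipal = principal;
  for (let depth = 0; depth < maxDepth; depth++) {
    if (current instanceof ServicePrincipal) {
      return current.service;
    }
    if (!hasInner(current)) {
      return undefined;
    }
    current = current.inner;
  }
  throw new ValidationError(`principal wrapper chain deeper than ${maxDepth} levels`);
}

export function isUnsupportedServicePrincipal(principal: IPrincipal): boolean {
  const service = extractServiceName(principal);
  return service !== undefined && !KNOWN_DYNAMODB_SERVICE_PRINCIPALS.has(service);
}

// Fail fast at synth time rather than at CloudFormation deploy time. Non-service
// principals and allowlisted services pass through untouched.
export function checkGrantee(principal: IPrincipal, tableId = 'Table'): void {
  if (isUnsupportedServicePrincipal(principal)) {
    const service = extractServiceName(principal);
    throw new ValidationError(
      `${tableId}: grant* methods do not support the service principal '${service}'. ` +
      'Use table.addToResourcePolicy() with the service-specific actions and conditions.',
    );
  }
}
```

The check is deliberately narrow: it rejects only a ServicePrincipal whose service is not on the allowlist, so an AccountPrincipal, an ArnPrincipal or a wrapped allowlisted service still reaches the normal grant path, which is the behaviour the PR description calls for.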

@github-actions github-actions bot added the labels bug (This issue is a bug.), effort/medium (Medium work item – several days of effort) and p1 Mar 23, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team March 23, 2026 21:12
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 23, 2026
@aws-cdk-automation aws-cdk-automation (Collaborator) left a review, since marked outdated.

@aws-cdk-automation aws-cdk-automation dismissed their stale review March 23, 2026 22:16

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@github-actions github-actions bot (Contributor) commented Mar 23, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

Security Guardian Results: 48 ran, 47 passed ☑️, 1 failed ❌

  • Test: packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.grant-service-principal.js.snapshot/grant-service-principal-test-stack.template.json
    Rule: resource-policy-root-principal-needs-conditions.guard
    Result: ❌ failure

@github-actions github-actions bot (Contributor) commented Mar 23, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

Security Guardian Results with resolved templates: 48 ran, 47 passed ☑️, 1 failed ❌

  • Test: packages/@aws-cdk-testing/framework-integ/test/aws-dynamodb/test/integ.dynamodb.grant-service-principal.js.snapshot/grant-service-principal-test-stack.template.json
    Rule: resource-policy-root-principal-needs-conditions.guard
    Result: ❌ failure

@kumsmrit kumsmrit marked this pull request as ready for review March 24, 2026 09:02
Comment on lines +553 to +559
Annotations.of(this).addWarningV2(
'@aws-cdk/aws-dynamodb:servicePrincipalGrantDropped',
'DynamoDB grant* methods do not support ServicePrincipal grantees. ' +
'Use table.addToResourcePolicy() for an explicit service-specific table policy ' +
'with required service principal, actions, and conditions',
);
return Grant.drop(grantee, 'DynamoDB grant* does not support ServicePrincipal grantees');
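Review bot: this path warns and drops every ServicePrincipal grantee, which does not match the PR description's stated behaviour (throw a ValidationError for unsupported service principals and let the allowlisted ones through), and the warning text "do not support ServicePrincipal grantees" tells users the method never accepts a service principal at all. Suggest resolving the grantee's service name and checking it against the KNOWN_DYNAMODB_SERVICE_PRINCIPALS allowlist the description introduces, throwing only for an unknown service, so that an allowlisted grantee such as replication.dynamodb.amazonaws.com still produces its resource-policy statement. A `Grant.drop` with an `addWarningV2` is also easy to miss in a large synth and gives the caller nothing to catch, whereas a thrown error fails the build the way the description promises.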
A reviewer (Contributor) commented:
Kinda sounds like SPs are never allowed here, but elsewhere you have stated that a small, limited list of SPs is actually allowed. I don't think we should drop all SPs, but have an allow list.

@kumsmrit kumsmrit (Contributor Author) replied:
Yes, there are a few SPs documented for DynamoDB resource policies, but they are integration-specific and require their own actions/conditions (e.g. replication.dynamodb.amazonaws.com). The generic grant* methods add standard data actions (dynamodb:GetItem, dynamodb:PutItem, etc.), which are not the right action set for those service-principal resource policies.
So even if we had an allowlist of permitted SPs, the actions being granted by grant* methods could produce an incorrect resource policy, which might not fail deployment but could still be functionally incorrect.

Because of that, I think the right path for SPs is the explicit addToResourcePolicy API, where the caller can provide the correct integration-specific principal, actions, and conditions.
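The explicit addToResourcePolicy path the reply above recommends, as an added example in TypeScript that is not aws-cdk-lib code: it builds a service-specific statement with its own actions and a source condition, then lints a policy document the way a reviewer would before deploying it. The lint's root-principal check is modelled on the name of the Security Guardian rule that failed on this PR's integ snapshot (resource-policy-root-principal-needs-conditions), not on that rule's actual logic; the condition keys, the example action names and the `servicePrincipalStatement` / `lintResourcePolicy` names are assumptions of this example.

```typescript
// Added example, not aws-cdk-lib code. Plain JSON policy shapes so it runs
// without the CDK; the checks are this example's own, not the Guardian rule.

export type ConditionBlock = Record<string, Record<string, string | string[]>>;

export interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Principal: { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: ConditionBlock;
}

export interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

function asList(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// One statement for one service with its own action set, pinned to the calling
// account (and optionally the calling resource ARN) so a resource in another
// account cannot use the same service to reach this table: the usual
// confused-deputy guard for service principals. Which keys a given integration
// honours is assumed here; check that integration's documentation.
export function servicePrincipalStatement(opts: {
  sid: string;
  service: string;
  actions: string[];
  tableArn: string;
  sourceAccount: string;
  sourceArn?: string;
}): Statement {
  const condition: ConditionBlock = { StringEquals: { 'aws:SourceAccount': opts.sourceAccount } };
  if (opts.sourceArn) {
    condition.ArnLike = { 'aws:SourceArn': opts.sourceArn };
  }
  return {
    Sid: opts.sid,
    Effect: 'Allow',
    Principal: { Service: opts.service },
    Action: opts.actions,
    Resource: opts.tableArn,
    Condition: condition,
  };
}

function hasSourceCondition(condition?: ConditionBlock): boolean {
  if (!condition) return false;
  return Object.values(condition).some(keys =>
    Object.keys(keys).some(k => ['aws:sourceaccount', 'aws:sourcearn'].includes(k.toLowerCase())));
}

// Returns one finding per problem; an empty list means the document passed.
export function lintResourcePolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== 'Allow') return;
    const where = `statement ${s.Sid ?? i}`;
    for (const svc of asList(s.Principal.Service)) {
      if (!svc.endsWith('.amazonaws.com')) {
        findings.push(`${where}: '${svc}' does not look like an AWS service principal`);
      }
      if (!hasSourceCondition(s.Condition)) {
        findings.push(`${where}: service principal '${svc}' lacks an aws:SourceAccount/aws:SourceArn condition`);
      }
    }
    for (const aws of asList(s.Principal.AWS)) {
      if ((aws === '*' || aws.endsWith(':root')) && !s.Condition) {
        findings.push(`${where}: root/wildcard principal '${aws}' needs a condition`);
      }
    }
    if (asList(s.Action).some(a => a === '*' || a.endsWith(':*'))) {
      findings.push(`${where}: wildcard action on a resource policy`);
    }
  });
  return findings;
}
```

Running the lint over the synthesized template's resource policy before `cdk deploy` catches exactly the class of statement the reply warns about: a service principal carrying generic data actions and no condition is syntactically valid and deploys, but it is over-broad for the integration and open to any caller of that service.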

@aws-cdk-automation aws-cdk-automation (Collaborator) left a review, since marked outdated.

Verify that DynamoDB tables can grant access to the three allowlisted
service principals (redshift, replication.dynamodb, glue) and that the
resulting CloudFormation template contains the expected resource policy.

🤖 Assisted by the code-assist SOP
@Abogical Abogical changed the title fix(dynamodb): throw error when grantee is a ServicePrincipal fix(dynamodb): throw error when grantee is an unsupported ServicePrincipal Mar 27, 2026
@Abogical Abogical added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Mar 27, 2026
@Abogical Abogical temporarily deployed to deployment-integ-test March 27, 2026 15:57 — with GitHub Actions Inactive
@Abogical Abogical removed the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Mar 27, 2026

@Abogical Abogical removed pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. labels Mar 27, 2026
@mergify mergify bot (Contributor) commented Mar 28, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot (Contributor) commented Mar 28, 2026

Merge Queue Status

  • Entered queue: 2026-03-28 07:35 UTC · Rule: default-squash
  • Checks passed · in-place
  • Merged: 2026-03-28 08:28 UTC · at 6fd29d49348fb170f81ad0ce1e473886d8f2e914

This pull request spent 52 minutes 18 seconds in the queue, including 52 minutes 10 seconds running CI.



@mergify mergify bot merged commit d12754f into main Mar 28, 2026
19 of 24 checks passed
@mergify mergify bot deleted the fix-dynamo-grants branch March 28, 2026 08:28
@github-actions github-actions bot (Contributor) commented:

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 28, 2026
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 28, 2026

Labels

  • bug: This issue is a bug.
  • contribution/core: This is a PR that came from AWS.
  • effort/medium: Medium work item – several days of effort
  • p1
  • pr/needs-further-review: PR requires additional review from our team specialists due to the scope or complexity of changes.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

DynamoDB Table construct started creating invalid resource-based policy with service principals after v2.222.0

5 participants