Docs(dynamodb): add missing dynamodb:TagResource permission for feast apply #6086
anix-lynch wants to merge 1 commit into feast-dev:master from
@anix-lynch please Sign your commit for passing the DCO check.
… apply Signed-off-by: Ani Lynch <anixlynch@gmail.com>
853a5ad to 37c3d9a
| | **Command** | Permissions | Resources | | ||
| | ----------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------- | | ||
| | **Apply** | <p>dynamodb:CreateTable</p><p>dynamodb:DescribeTable</p><p>dynamodb:DeleteTable</p> | arn:aws:dynamodb:\<region>:\<account_id>:table/\* | | ||
| | **Apply** | <p>dynamodb:CreateTable</p><p>dynamodb:DescribeTable</p><p>dynamodb:DeleteTable</p><p>dynamodb:TagResource</p> | arn:aws:dynamodb:\<region>:\<account_id>:table/\* | |
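Review bot: The added Apply row lists dynamodb:TagResource as unconditionally required, while the PR description says the call is made only when tags are configured in feature_store.yaml. Suggest marking the permission as needed only when tags is set, for example with a short note next to the table, so deployments that do not use tags can keep the narrower three-action policy.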
🟡 Documentation adds only dynamodb:TagResource but code also requires UntagResource and ListTagsOfResource
The documentation adds dynamodb:TagResource to the required permissions, but the _update_tags method at sdk/python/feast/infra/online_stores/dynamodb.py:240-252 also calls dynamodb_client.list_tags_of_resource() and dynamodb_client.untag_resource(). A user who follows this documentation and grants only TagResource will find that tag updates still fail (caught by the AccessDeniedException handler at line 344, so not a crash, but tags silently won't be applied). The permissions table and IAM policy should also include dynamodb:UntagResource and dynamodb:ListTagsOfResource for tag operations to actually succeed.
Prompt for agents
In docs/reference/online-stores/dynamodb.md, line 72, add dynamodb:UntagResource and dynamodb:ListTagsOfResource to the Apply permissions in the table row. The current line only lists dynamodb:TagResource but the code in sdk/python/feast/infra/online_stores/dynamodb.py:240-252 also calls list_tags_of_resource and untag_resource. Similarly, in the IAM policy JSON block (around lines 83-88), add "dynamodb:UntagResource" and "dynamodb:ListTagsOfResource" to the Action array.
Summary
When using the tags config option in the DynamoDB online store, feast apply requires the dynamodb:TagResource IAM permission. This permission was missing from both the permissions table and the inline policy example in the docs.

Root Cause
The DynamoDB online store calls TagResource when tags are configured in feature_store.yaml. Without this permission, feast apply fails with a cryptic AccessDeniedException that doesn't point to the missing permission.

Changes
- dynamodb:TagResource to the Apply row in the permissions table
- dynamodb:TagResource to the inline policy JSON example

Reproduction
Running feast apply with the above config and without dynamodb:TagResource in the IAM policy throws AccessDeniedException.

Workaround: remove tags from config OR add dynamodb:TagResource to the IAM policy.

Closes #6085
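An offline check for the gap discussed on this page, as an added example that is not Feast code: it reports which of the actions named above a given IAM policy document fails to grant, with and without tags configured. The sample policy, the function names and the simplified evaluation (Effect and Action only) are assumptions of the example.

```python
import fnmatch
import json

# Actions named on this page: the Apply row of the permissions table, plus the
# tag calls the review comment says the store also makes.
APPLY_ACTIONS = ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:DeleteTable"]
TAG_ACTIONS = ["dynamodb:TagResource", "dynamodb:UntagResource",
               "dynamodb:ListTagsOfResource"]

# Constructed sample policy built from the Apply row as changed in this PR.
DOC_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
   "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable",
              "dynamodb:DeleteTable", "dynamodb:TagResource"],
   "Resource": "arn:aws:dynamodb:<region>:<account_id>:table/*"}]}
""")


def _as_list(value):
    """IAM accepts either one item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """Action names are case-insensitive; * and ? are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, tags_configured):
    """Return the required actions this one policy does not grant.

    Assumption: only Effect and Action are evaluated. Resource, Condition,
    NotAction and other policies attached to the principal are ignored.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        (allowed if stmt.get("Effect") == "Allow" else denied).extend(actions)
    required = APPLY_ACTIONS + (TAG_ACTIONS if tags_configured else [])
    # An explicit Deny wins over any Allow, so check it first.
    return [a for a in required
            if _matches(a, denied) or not _matches(a, allowed)]


if __name__ == "__main__":
    for tags in (False, True):
        print(f"tags configured: {tags}, missing: {missing_actions(DOC_POLICY, tags)}")
```

Running it against a policy before deployment surfaces the missing tag actions up front instead of as an AccessDeniedException during feast apply.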