Skip to content

Docs(dynamodb): add missing dynamodb:TagResource permission for feast apply #6086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
anix-lynch wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Docs(dynamodb): add missing dynamodb:TagResource permission for feast apply #6086

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docs/reference/online-stores/dynamodb.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ Feast requires the following permissions in order to execute commands for Dynamo

| **Command** | Permissions | Resources |
| ----------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------- |
| **Apply** | <p>dynamodb:CreateTable</p><p>dynamodb:DescribeTable</p><p>dynamodb:DeleteTable</p> | arn:aws:dynamodb:\<region>:\<account_id>:table/\* |
| **Apply** | <p>dynamodb:CreateTable</p><p>dynamodb:DescribeTable</p><p>dynamodb:DeleteTable</p><p>dynamodb:TagResource</p> | arn:aws:dynamodb:\<region>:\<account_id>:table/\* |
Copy link
Contributor

@devin-ai-integration devin-ai-integration bot Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 Documentation adds only dynamodb:TagResource but code also requires UntagResource and ListTagsOfResource

The documentation adds dynamodb:TagResource to the required permissions, but the _update_tags method at sdk/python/feast/infra/online_stores/dynamodb.py:240-252 also calls dynamodb_client.list_tags_of_resource() and dynamodb_client.untag_resource(). A user who follows this documentation and grants only TagResource will find that tag updates still fail (caught by the AccessDeniedException handler at line 344, so not a crash, but tags silently won't be applied). The permissions table and IAM policy should also include dynamodb:UntagResource and dynamodb:ListTagsOfResource for tag operations to actually succeed.

Prompt for agents 
In docs/reference/online-stores/dynamodb.md, line 72, add dynamodb:UntagResource and dynamodb:ListTagsOfResource to the Apply permissions in the table row. The current line only lists dynamodb:TagResource but the code in sdk/python/feast/infra/online_stores/dynamodb.py:240-252 also calls list_tags_of_resource and untag_resource. Similarly, in the IAM policy JSON block (around lines 83-88), add "dynamodb:UntagResource" and "dynamodb:ListTagsOfResource" to the Action array.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

| **Materialize** | dynamodb.BatchWriteItem | arn:aws:dynamodb:\<region>:\<account_id>:table/\* |
| **Get Online Features** | dynamodb.BatchGetItem | arn:aws:dynamodb:\<region>:\<account_id>:table/\* |

Expand All @@ -83,6 +83,7 @@ The following inline policy can be used to grant Feast the necessary permissions
"dynamodb:CreateTable",
"dynamodb:DescribeTable",
"dynamodb:DeleteTable",
"dynamodb:TagResource",
"dynamodb:BatchWriteItem",
"dynamodb:BatchGetItem"
],
Expand Down