
[v15] use Update rather than ConditionCheck in dynamodbbk AtomicWrite #41133

Merged
merged 1 commit into from
May 2, 2024

Conversation

espadolini
Contributor

@espadolini espadolini commented May 2, 2024

The AtomicWrite operation in dynamodbbk requires dynamodb:ConditionCheckItem IAM permissions on the table, which wasn't documented but wasn't noticed until #40851, which actually used a backend.KindNop conditional action. We're going to update the documentation for v16 and note the required changes in the release notes for v16, but we can use a workaround for v15 that doesn't require permission changes, which this PR implements.

This PR makes it so that any KindNop atomic write in dynamodbbk uses an Update TransactWriteItem that removes a nonexistent top-level field, which makes it so that the operation requires dynamodb:UpdateItem permissions even though the result is the same.

The lib/backend/dynamo tests fail in master and branch/v15 with a role that only has the documented permissions, with an error like unexpected error during atomic write: AccessDeniedException: User: <user arn> is not authorized to perform: dynamodb:ConditionCheckItem on resource: arn:aws:dynamodb:<region>:<account id>:table/<table name> because no identity-based policy allows the dynamodb:ConditionCheckItem action and succeed after this change.

As a workaround for errors like that, adding dynamodb:ConditionCheckItem to the IAM permissions used by the Teleport auth server should solve the errors.

changelog: fix AccessDeniedException for dynamodb:ConditionCheckItem operations when using AWS DynamoDB for cluster state storage
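The following is an added illustration, not Teleport's code and not part of this PR: it builds the two TransactWriteItems shapes described above in the DynamoDB JSON wire format (field names as in the DynamoDB API) so the difference is visible side by side. The ConditionCheck form needs dynamodb:ConditionCheckItem; the workaround form is an Update that carries the same ConditionExpression and whose only "effect" is REMOVE of an attribute that never exists, so it is authorized as dynamodb:UpdateItem. The table name, the key attribute names (HashKey, FullPath), the Revision attribute and the `#nop`/`__nop__` placeholder are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AttrValue is a minimal DynamoDB attribute value, e.g. {"S": "text"}.
type AttrValue map[string]string

// ConditionCheck and Update mirror the TransactWriteItems wire format.
type ConditionCheck struct {
	TableName                 string               `json:"TableName"`
	Key                       map[string]AttrValue `json:"Key"`
	ConditionExpression       string               `json:"ConditionExpression"`
	ExpressionAttributeNames  map[string]string    `json:"ExpressionAttributeNames,omitempty"`
	ExpressionAttributeValues map[string]AttrValue `json:"ExpressionAttributeValues,omitempty"`
}

type Update struct {
	TableName                 string               `json:"TableName"`
	Key                       map[string]AttrValue `json:"Key"`
	UpdateExpression          string               `json:"UpdateExpression"`
	ConditionExpression       string               `json:"ConditionExpression,omitempty"`
	ExpressionAttributeNames  map[string]string    `json:"ExpressionAttributeNames,omitempty"`
	ExpressionAttributeValues map[string]AttrValue `json:"ExpressionAttributeValues,omitempty"`
}

// TransactWriteItem holds exactly one of the item kinds used here.
type TransactWriteItem struct {
	ConditionCheck *ConditionCheck `json:"ConditionCheck,omitempty"`
	Update         *Update         `json:"Update,omitempty"`
}

// nopRevisionItem builds a "do nothing, but only if the stored revision still
// matches" transaction item. useUpdate=false yields the plain ConditionCheck;
// useUpdate=true yields the workaround: an Update with the same condition
// whose UpdateExpression removes an attribute that is never present.
// Key/attribute names below are constructed for this example.
func nopRevisionItem(table, hashKey, fullPath, revision string, useUpdate bool) TransactWriteItem {
	key := map[string]AttrValue{
		"HashKey":  {"S": hashKey},
		"FullPath": {"S": fullPath},
	}
	cond := "#rev = :rev"
	names := map[string]string{"#rev": "Revision"}
	values := map[string]AttrValue{":rev": {"S": revision}}

	if !useUpdate {
		return TransactWriteItem{ConditionCheck: &ConditionCheck{
			TableName: table, Key: key, ConditionExpression: cond,
			ExpressionAttributeNames: names, ExpressionAttributeValues: values,
		}}
	}
	// Placeholder for an attribute name that no stored item ever carries;
	// removing it changes nothing but turns the item into an Update.
	names["#nop"] = "__nop__"
	return TransactWriteItem{Update: &Update{
		TableName: table, Key: key,
		UpdateExpression: "REMOVE #nop", ConditionExpression: cond,
		ExpressionAttributeNames: names, ExpressionAttributeValues: values,
	}}
}

// requiredIAMAction reports the IAM action DynamoDB checks for the item kind.
func requiredIAMAction(item TransactWriteItem) string {
	switch {
	case item.ConditionCheck != nil:
		return "dynamodb:ConditionCheckItem"
	case item.Update != nil:
		return "dynamodb:UpdateItem"
	}
	return ""
}

// toJSON renders the item as it would appear inside TransactItems.
func toJSON(item TransactWriteItem) string {
	b, err := json.MarshalIndent(item, "", "  ")
	if err != nil {
		panic(err)
	}
	return string(b)
}

func main() {
	for _, useUpdate := range []bool{false, true} {
		item := nopRevisionItem("teleport-backend", "teleport", "/example/key", "rev-1", useUpdate)
		fmt.Printf("requires %s:\n%s\n\n", requiredIAMAction(item), toJSON(item))
	}
}
```

The example pairs the REMOVE with a revision condition, which can only pass when the item already exists and carries that revision, so the Update never has to act on a missing item. The condition is identical in both forms; only the item kind, and therefore the IAM action DynamoDB authorizes, changes.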

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from rosstimothy May 2, 2024 16:04
@espadolini espadolini added this pull request to the merge queue May 2, 2024
Merged via the queue into branch/v15 with commit 9cd1caf May 2, 2024
34 of 35 checks passed
@espadolini espadolini deleted the espadolini/v15-dynamodbbk-update-check branch May 2, 2024 17:45