Mastering DynamoDB: A Step-by-Step Guide to Creating Tables and Configuring IAM access
IAM role permissions for read-only of MediaCatalog movie catalog.
Amazon DynamoDB is a fully managed proprietary serverless NoSQL database service that supports key–value and document data structures and is offered by Amazon.com as part of the Amazon Web Services portfolio. DynamoDB uses synchronous replication across multiple data centers for high durability and availability. DynamoDB was announced by Amazon CTO Werner Vogels on January 18, 2012, and is presented as an evolution of Amazon SimpleDB.
Steps
- Create a DynamoDB table for latest Movie releases
- Create IAM role — Read only
- Create EC2 instance & attach IAM role
- Use the AWS CLI in the EC2 instance to scan the DynamoDB table
- Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table
Step 1: Log into your AWS account, search for DynamoDB, and create a table.
Since we are creating a movie catalog for Media, Inc., the table name is “MediaCatalog” and the partition key is “Titles”. Leave all other settings on default. Once you have created the table, check the box “MediaCatalog/demonstration purpose only”. Hit the Actions toggle, then Edit settings.
We then hit the Actions toggle again and scroll down to “Create item”.
TABLE INFORMATION SECTION
Step 2: Create IAM Role - Read Only of DynamoDB Table
Since we’ve created our DynamoDB table, which holds the movie titles, genres, ratings, and release dates, we now need an AWS EC2 t2.micro instance that will allow users to read the data from our table. Let’s make our way over to our EC2 console and create the instance (for a refresher on creating an instance, see the earlier article). Once your instance is created and running, you want to assign an IAM role to the EC2 instance that allows it to read the DynamoDB table. We will grant only the minimal permissions needed to read the table.
The next screen asks for the trusted entity type. Since we want to attach the role to an EC2 instance (an AWS service), choose “AWS service”, select “EC2” under Use case, then click “Next”.
We are now able to add permissions that allow users to read our table. AWS has a pre-written DynamoDB read-only permission we will be selecting, but you can also write a custom JSON policy. We
Review the role details, then click “Create role”.
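As an added example (not code from the original article), the custom-policy route mentioned above, done from a shell instead of the console: a trust policy that lets only the EC2 service assume the role, and a permission policy that grants read actions on the one MediaCatalog table (and its indexes) rather than on every table in the account. The account id 123456789012 and the role name MediaCatalogReadOnly are placeholders; the table name, region and partition key are the article’s.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a table-scoped,
# read-only IAM role for an EC2 instance from the shell.
# Placeholders (not values from the article): account id 123456789012,
# role name MediaCatalogReadOnly.
set -eu

# Trust policy: only the EC2 service may assume this role. This is the
# "AWS service / EC2" trusted entity chosen in the console.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy scoped to one table and its indexes. Only read actions
# are listed; PutItem, UpdateItem and DeleteItem are absent, so IAM denies
# writes by default.
scoped_readonly_policy() {
  table_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadOnlyOnOneTable",
    "Effect": "Allow",
    "Action": [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan"
    ],
    "Resource": [
      "${table_arn}",
      "${table_arn}/index/*"
    ]
  }]
}
EOF
}

# Compose a DynamoDB table ARN from region, account id and table name.
table_arn() {
  printf 'arn:aws:dynamodb:%s:%s:table/%s\n' "$1" "$2" "$3"
}

# Live run: needs AWS CLI credentials with IAM rights. Only runs when called.
create_readonly_role_live() {
  role="$1"; arn="$2"
  workdir=$(mktemp -d)
  ec2_trust_policy > "$workdir/trust.json"
  scoped_readonly_policy "$arn" > "$workdir/perm.json"
  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "file://$workdir/trust.json"
  aws iam put-role-policy --role-name "$role" \
      --policy-name "${role}Policy" --policy-document "file://$workdir/perm.json"
  # EC2 attaches an instance profile, which is a wrapper around the role.
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile --instance-profile-name "$role" \
      --role-name "$role"
  rm -rf "$workdir"
}

# Usage (placeholder account id):
# create_readonly_role_live MediaCatalogReadOnly \
#   "$(table_arn us-east-1 123456789012 MediaCatalog)"
```

After creating the role this way, attach the MediaCatalogReadOnly instance profile in Step 3 exactly as the article does with the console-made role; the scope difference only shows up in Step 5, where a write to any other table is also denied.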
Step 3: Create EC2 instance & Attach the IAM role
Let’s create this EC2 instance!
Go to the AWS dashboard, type ‘EC2’ in the search bar, and click it once it appears.
Step 1: Click launch instance
Step 2: Name instance
Step 3: Choose AMI
Step 4: Choose instance type
Step 5: Select/create key pair
Step 6: Firewall (security group)
> Toggle > allow SSH traffic from anywhere > allow HTTP traffic from the internet
Step 7: Launch instance
Once your instance is created, the real work begins: connect your IAM role to your instance.
> Click “Update IAM role”
Step 4: AWS CLI scans Dynamo table
We will scan the table using the AWS CLI. The first step is to SSH into our instance; be in the directory where your key pair is located. Locate your “Connect to instance” tab and enter the command it shows into your terminal.
Once you have successfully SSHed into the instance, you will see the login message. The scan command has the form:
aws dynamodb scan --table-name <table_name> --region <region_name>
AND when I entered my information, it looked as follows.
aws dynamodb scan --table-name MediaCatalog --region us-east-1
Step 5: Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table
We have demonstrated that we can view/read the DynamoDB table. Now we will test the validity of the AmazonDynamoDBReadOnlyAccess IAM policy and confirm that we cannot write to this table. I will attempt to add a new movie title and genre. Use the following command to try to write to the table.
aws dynamodb put-item \
--table-name <table_name> \
--item '{"<partition_key>": {"S": "<value>"}, "<sort_key>": {"S": "<value>"}}' \
--region <region_name>
AND
aws dynamodb put-item \
--table-name MediaCatalog \
--item '{"Titles": {"S": "Freddy vs. JSON"}, "Genre": {"S": "Action, Horror"}}' \
--region us-east-1
Note that “S” represents a string value. If I enter the full command into my CLI, I should get an “AccessDeniedException” error stating the user is not authorized to perform the put-item command. This means that we have successfully applied our IAM read-only role and are not able to write to the table.
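The Step 4 and Step 5 checks can be scripted so they give a clear PASS/FAIL instead of eyeballing an error message. The following is an added example, not code from the original article: the scan must succeed and a probe put-item must fail with AccessDeniedException; a write that succeeds is reported as a failure, because it means the role is wider than read-only. The table name, region and partition key are the article’s; the probe title is a constructed value.

```shell
#!/bin/sh
# Added example, not from the original article. Automates the read/write
# check for a role that is supposed to be read-only on one table.
# Assumptions: table MediaCatalog with partition key Titles in us-east-1
# (as in the article); the probe item value below is constructed.
set -eu

# Classify an AWS CLI result from its exit status and captured stderr.
# Prints one of: allowed | denied | error
classify_outcome() {
  status="$1"; stderr_text="$2"
  if [ "$status" -eq 0 ]; then
    echo allowed
  else
    case "$stderr_text" in
      *AccessDeniedException*) echo denied ;;
      *) echo error ;;
    esac
  fi
}

# Run one command, capture its exit status and stderr, and classify it.
run_and_classify() {
  errfile=$(mktemp)
  status=0
  "$@" >/dev/null 2>"$errfile" || status=$?
  classify_outcome "$status" "$(cat "$errfile")"
  rm -f "$errfile"
}

# Live check; run this on the instance that carries the IAM role.
verify_readonly_live() {
  table="$1"; region="$2"
  probe='{"Titles": {"S": "IAM probe - delete me"}}'   # constructed value

  read_result=$(run_and_classify aws dynamodb scan \
                  --table-name "$table" --region "$region")
  write_result=$(run_and_classify aws dynamodb put-item \
                   --table-name "$table" --item "$probe" --region "$region")

  echo "scan: $read_result   put-item: $write_result"
  if [ "$read_result" = allowed ] && [ "$write_result" = denied ]; then
    echo "PASS: role is read-only for $table"
    return 0
  fi
  if [ "$write_result" = allowed ]; then
    echo "FAIL: write succeeded; the role is over-privileged and the probe item must be removed"
  else
    echo "FAIL: unexpected result (wrong table, region, or credentials?)"
  fi
  return 1
}

# Usage on the instance:
# verify_readonly_live MediaCatalog us-east-1
```

The classifier distinguishes “denied” from any other error on purpose: a ResourceNotFoundException or a missing-credentials error also makes put-item fail, but it says nothing about the role, so it must not be counted as a pass.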