Mastering DynamoDB: A Step-by-Step Guide to Creating Tables and Configuring IAM access

Gary Young, Junior
5 min read · May 29, 2023


IAM role permissions for read-only of MediaCatalog movie catalog.


Amazon DynamoDB is a fully managed proprietary serverless NoSQL database service that supports key–value and document data structures and is offered by Amazon.com as part of the Amazon Web Services portfolio. DynamoDB uses synchronous replication across multiple data centers for high durability and availability. DynamoDB was announced by Amazon CTO Werner Vogels on January 18, 2012, and is presented as an evolution of Amazon SimpleDB.

Steps

  1. Create a DynamoDB table for latest Movie releases
  2. Create IAM role — Read only
  3. Create EC2 instance & attach IAM role
  4. Use the AWS CLI in the EC2 instance to scan the DynamoDB table
  5. Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table

Step 1: Log into your AWS account and search for DynamoDB; you're going to create a table.


Since we are creating a movie catalog for Media, Inc., the table name is “MediaCatalog” and the partition key is “Titles”. Leave all other settings on their defaults. Once you have created the table, check the box next to “MediaCatalog” (demonstration purpose only). Hit the Actions toggle, then “Edit settings”.

✓ Check the box.

We then hit the action toggle again, scroll down to “create item”.

TABLE INFORMATION SECTION

We then start entering our information: under the value column, add the movie title.
Then add new rows for Genre, Rating, and Release date.
Clicking “Create item” publishes the item to your table.

Step 2: Create IAM Role - Read Only of DynamoDB Table

We’ve created our DynamoDB table holding the movie titles, genres, ratings, and release dates. We now need an AWS EC2 t2.micro instance that will allow users to read the data from our table. Let’s make our way over to the EC2 console and create the instance (see the earlier article on creating an instance if you need a refresher). Once your instance is created and running, you want to assign an IAM role to the EC2 instance so it can read the DynamoDB table. We will grant only the minimal permissions needed to read the table.

Navigate to the IAM console. On the left side of the menu, click “Roles”, then click the blue “Create role” button at the top right of the page.

The next screen will ask you for the trusted entity type. Since we want to attach the role to an EC2 instance (an AWS service), choose “AWS service”, select “EC2” under Use case, then click “Next.”

We are now able to add permissions that allow users to read our table. AWS has a pre-written DynamoDB read-only policy (AmazonDynamoDBReadOnlyAccess) that we will select, but you can also write a custom JSON policy. We

You will review role details, then click “create role”.
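The managed AmazonDynamoDBReadOnlyAccess policy grants read access to every table in the account. As an added example (not code from the article), the script below creates the same EC2 role from the CLI with an inline policy scoped to just the MediaCatalog table and its indexes; the account id and role name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not the article's own): create the read-only role with an inline
# policy scoped to the MediaCatalog table instead of the account-wide
# AmazonDynamoDBReadOnlyAccess managed policy. Account id and role name are
# assumed placeholders; override them via environment variables.
set -eu
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"   # placeholder, not a real account
REGION="${REGION:-us-east-1}"
TABLE="${TABLE:-MediaCatalog}"
ROLE="${ROLE:-MediaCatalogReadOnly}"        # assumed role name

# Trust policy: only the EC2 service may assume the role
# (the "AWS service" / "EC2" choice made in the console).
trust_policy_json() {
  cat <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Permission policy: read actions only, limited to one table ARN and its indexes.
# No PutItem/UpdateItem/DeleteItem, so the Step 5 write test is still denied.
table_read_policy_json() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["dynamodb:GetItem","dynamodb:BatchGetItem","dynamodb:Query",
           "dynamodb:Scan","dynamodb:DescribeTable"],
 "Resource":["arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${TABLE}",
             "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${TABLE}/index/*"]}]}
EOF
}

# Create the role, attach the inline policy and wrap it in an instance profile,
# which is what the EC2 "Update IAM role" dialog lists. Needs the AWS CLI.
create_role() {
  trust_policy_json > /tmp/trust.json
  table_read_policy_json > /tmp/read.json
  aws iam create-role --role-name "$ROLE" \
      --assume-role-policy-document file:///tmp/trust.json
  aws iam put-role-policy --role-name "$ROLE" \
      --policy-name "${TABLE}ReadOnly" --policy-document file:///tmp/read.json
  aws iam create-instance-profile --instance-profile-name "$ROLE"
  aws iam add-role-to-instance-profile \
      --instance-profile-name "$ROLE" --role-name "$ROLE"
}

# Only talk to AWS when explicitly asked: `sh make_role.sh create`.
if [ "${1:-}" = "create" ]; then
  create_role
fi
```

Run it with `sh make_role.sh create` from a shell that already has IAM permissions; the role then appears in the instance's “Update IAM role” list in Step 3.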

Step 3: Create EC2 instance & Attach the IAM role

Let’s create this EC2 instance!

Go to the AWS dashboard and in the search bar type in ‘EC2’; once it appears, click it.

Step 1: Click launch instance

Step 2: Name instance

Step 3: Choose AMI

Step 4: Choose instance type

Step 5: Select/create key pair

Step 6: Firewall (security group)

Toggle: allow SSH traffic from anywhere; allow HTTP traffic from the internet.

Step 7: Launch instance

Once your instance is created, the real work begins: connect your IAM role to your instance.

> Click “Update IAM role”

Step 4: AWS CLI scans Dynamo table

We will scan the table using the AWS CLI. The first step is to SSH into our instance; make sure you are in the directory where your key pair is located. Open the “Connect to instance” tab and paste the SSH command it shows into your terminal.

Use command line to SSH

Once you have successfully SSHed into the instance, you will see this message.

SUCCESS!
aws dynamodb scan --table-name <table_name> --region <region_name>

And when I entered my information it looked as follows.

aws dynamodb scan --table-name MediaCatalog --region us-east-1
The command will print out your table as JSON output.

Step 5: Use the AWS CLI in the EC2 instance to validate you cannot write an item to the DynamoDB table

We have demonstrated that we can view/read the DynamoDB table. Now we will test the validity of the AmazonDynamoDBReadOnlyAccess IAM policy and confirm that we cannot write to this table. I will try to add a new movie title and genre. Use the following command to attempt a write to the table.

aws dynamodb put-item \
--table-name <table_name> \
--item '{"<partition_key>": {"S": "<value>"}, "<sort_key>": {"S": "<value>"}}' \
--region <region_name>

AND

aws dynamodb put-item \
--table-name MediaCatalog \
--item '{"Titles": {"S": "Freddy vs. JSON"}, "Genre": {"S": "Action, Horror"}}' \
--region us-east-1

Note that “S” represents a string value. When I enter the full command into my CLI, I should get an “AccessDeniedException” error stating the user is not authorized to perform the put-item command. This means we have successfully applied our IAM read-only role and are not able to write to the table.
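Steps 4 and 5 together are a least-privilege check, and it pays to script them so the result is read by the shell rather than by eye. The following is an added example, not code from the article: it runs the scan and the same put-item from the instance, treats AccessDeniedException as the expected pass, and reports any other failure (bad table name, malformed item) separately so it is not mistaken for a successful denial. It assumes the AWS CLI is installed on the instance and the read-only role is attached.

```shell
#!/bin/sh
# Added example (not the article's own): run the Step 4 scan and the Step 5
# write attempt from the instance and check each outcome instead of reading it
# by eye. Assumes the AWS CLI is installed and the instance profile carries the
# read-only role. Invoke with `sh verify_role.sh run`.
TABLE="${TABLE:-MediaCatalog}"
REGION="${REGION:-us-east-1}"

# Returns 0 when the captured CLI error is an authorization failure,
# the outcome a correctly scoped read-only role must produce on writes.
is_access_denied() {
  case "$1" in
    *AccessDeniedException*) return 0 ;;
    *)                       return 1 ;;
  esac
}

# Step 4 check: count the items the role can read; --select COUNT avoids
# printing movie data, --query/--output reduce the JSON to a bare number.
scan_count() {
  aws dynamodb scan --table-name "$TABLE" --region "$REGION" \
      --select COUNT --query 'Count' --output text
}

# Step 5 check: the same put-item the article uses, with stderr captured.
# Success means the role is NOT read-only; any error other than access
# denied (wrong table name, bad JSON) is reported rather than mistaken for a pass.
verify_write_denied() {
  err=$(aws dynamodb put-item --table-name "$TABLE" --region "$REGION" \
        --item '{"Titles": {"S": "Freddy vs. JSON"}, "Genre": {"S": "Action, Horror"}}' \
        2>&1 >/dev/null) && { echo "FAIL: write succeeded, role is not read-only"; return 1; }
  if is_access_denied "$err"; then
    echo "OK: put-item denied as expected"
  else
    echo "FAIL: put-item failed for another reason: $err"
    return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  echo "items readable by this role: $(scan_count)"
  verify_write_denied
fi
```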

(AccessDeniedException) error

Congrats 🎉 . And that wraps it up, see you on the next article. 👏
