
LocalStack doesn't validate DynamoDB action

Open vijaimp opened this issue 1 year ago • 5 comments

I changed my Lambda logic for pulling data from DynamoDB from QueryCommand to BatchGetCommand.

I forgot to change my CDK code to change the permission from 'dynamodb:Query' to 'dynamodb:BatchGetItem'; perhaps my tests, which run against LocalStack, should have failed. But they did not.

I got a permission error in AWS only.

My expectation was this would have been caught in localstack.

vijaimp avatar Mar 22 '24 08:03 vijaimp

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

localstack-bot avatar Mar 22 '24 08:03 localstack-bot

Hi @vijaimp, thanks for your report.

Could you please provide us a minimal sample of AWS CLI commands that work on LocalStack but fail on AWS? This will help us implement the missing functionality in LocalStack.

viren-nadkarni avatar Apr 02 '24 12:04 viren-nadkarni

It's not about a CLI command. It's about CDK infra code (infrastructure as code), which can be deployed in LocalStack and AWS.

I was using QueryCommand in my Lambda to query the DynamoDB table, which was working fine with the infra code (CDK) below:

    readonly myDynamoTable: Table;
    myDynamoTable.grant(myLambda, 'dynamodb:Query');

I changed the implementation in my Lambda to use BatchGetCommand instead of QueryCommand to fetch more rows in a batch to improve the performance. I forgot to change the Lambda permission as below in the infra code.

    readonly myDynamoTable: Table;
    myDynamoTable.grant(myLambda, 'dynamodb:BatchGetItem');

Expectation: LocalStack should have thrown an error saying the Lambda doesn't have permission to use BatchGetItem.

Actual: LocalStack doesn't throw any error, whereas it gets caught in AWS.

Error in AWS: myLambda is not authorized to perform: dynamodb:BatchGetItem on resource: myDynamoTable because no identity-based policy allows the dynamodb:BatchGetItem action

vijaimp avatar Apr 15 '24 10:04 vijaimp
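
Added example (not part of the original thread, and not LocalStack or CDK code): a static check that compares the actions a handler calls against the identity policy granted to it, which flags the missing `dynamodb:BatchGetItem` from the comment above before anything is deployed. The type and function names, the table ARN and the sample policy are constructed for illustration, and only `Action`/`Resource` statements are evaluated.

```typescript
// Added example: minimal identity-policy check (Action/Resource only;
// NotAction, NotResource and Condition are not modelled).
type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};
type PolicyDocument = { Version: string; Statement: Statement[] };

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM wildcards: "*" matches any run of characters, "?" exactly one.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, ignoreCase ? "i" : "").test(value);
}

function statementCovers(s: Statement, action: string, resource: string): boolean {
  return (
    asList(s.Action).some((a) => wildcardMatch(a, action, true)) && // action names are case-insensitive
    asList(s.Resource).some((r) => wildcardMatch(r, resource, false))
  );
}

// Returns the required actions the policy does not grant on the resource:
// implicit deny (no Allow matches) or explicit Deny (which always wins).
function missingActions(policy: PolicyDocument, required: string[], resource: string): string[] {
  return required.filter((action) => {
    const hits = policy.Statement.filter((s) => statementCovers(s, action, resource));
    const allowed = hits.some((s) => s.Effect === "Allow");
    const denied = hits.some((s) => s.Effect === "Deny");
    return !allowed || denied;
  });
}

// Constructed sample: the kind of policy a grant of 'dynamodb:Query' produces.
const TABLE_ARN = "arn:aws:dynamodb:us-east-1:000000000000:table/myDynamoTable";
const lambdaPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "dynamodb:Query", Resource: TABLE_ARN }],
};

// Actions the handler calls after the change (BatchGetCommand -> BatchGetItem).
const handlerActions = ["dynamodb:BatchGetItem"];
const gaps = missingActions(lambdaPolicy, handlerActions, TABLE_ARN);
```

A unit test can fail the build whenever `gaps` is non-empty, independent of whether the emulator enforces IAM.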

Hello 👋! It looks like this issue hasn’t been active in longer than five months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

localstack-bot avatar Sep 12 '24 21:09 localstack-bot

I will check and update.

vijaimp avatar Sep 16 '24 06:09 vijaimp

Hello 👋! It looks like this issue hasn’t been active in longer than five months. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

localstack-bot avatar Feb 13 '25 08:02 localstack-bot