fix(dynamodb): missing grantRead for ConditionCheckItem

[hoegertn]

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[skinny85]

@hoegertn any justification on this change? Is this permission related to transactions? Should we have a separate API that includes transactions?

I'm just not 100% sure what the implications here are.

[hoegertn]

Yes, you are right, this permission is used within transactions. Imho it is a read action on a table so I see no reason why it should not be allowed on grantRead. I would even argue that adding it might help people to use transactions inside their apps because they can still use the normal grant methods.

[bitbauer]

Changes are consistent.
As documented ConditionCheckItem is general read-only action:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

When condition is used together with PutItem/UpdateItem/DeleteItem resulting permission error relates to write action. This will also help understanding permission issues. This is another reason to add it to overall read permissions.

[skinny85]

Fine, you wore me down 🙂

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
• Commit ID: f7d68e1
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).