fix(dynamodb): grant*Data() methods are missing the dynamodb:DescribeTable permission

[chris-smith-zocdoc]

Fixes #18773

This allows the high level dynamodb clients to function correctly

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[skinny85]

Thanks for the contribution @chris-smith-zocdoc! One small suggestion.

[skinny85]

What do you think of just adding 'dynamodb:DescribeTable' to the READ_STREAM_DATA_ACTIONS array? I think that's basically what we're going for here, and it would save us from doing any other edits to the production code in this PR (OK, minus the comments 😉).

[chris-smith-zocdoc]

Do you mean READ_DATA_ACTIONS? READ_STREAM_DATA_ACTIONS is for the DynamoDB stream, not reading/writing to the table.

I did consider adding it to READ_DATA_ACTIONS but that had two issues

1. It doesn't cover the write use case, ie grantWriteData()
2. If I added it to both READ_DATA_ACTIONS and WRITE_DATA_ACTIONS then I'd need code to de-dup it for grantReadWriteData

So it seemed simpler to implement it as an additional permission that is added to the necessary grant* calls

[skinny85]

Yep, I meant READ_DATA_ACTIONS.

OK, fair enough!

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: 0b5b5bc
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).