When extracting data from AWS DynamoDB using ODBC connector, the following IAM policy can be configured for an IAM user and thus, pull data from only one table into Qlik i.e. viewing the expected table in "Select data" UI instead of providing access to all AWS DynamoDB database tables.
{
"Statement": [
{
"Action": [
"dynamodb:Scan",
"dynamodb:ListTables",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": "arn:aws:dynamodb:eu-west-2:*:table/my-table-name",
"Sid": "EcrDynamoDBReadAccess"
}
],
"Version": "2012-10-17"
}
However, with above IAM policy, select data is empty and the following error is displayed
error "(Connector error: ERROR [42S02] [Simba][SQLEngine] (31740) Table or view not found: ..my-table-name)"
Resolution
When given access through DynamoDB UI console or AWS API, the above IAM policy is valid from AWS DynamoDB perspective. But, ODBC and JDBC drivers need access to fetch metadata, hence ListTables access is required. As ListTables is just read access, it should not be an issue.
Use the following reviewed IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListTablesAccess",
"Effect": "Allow",
"Action": [
"dynamodb:ListTables"
],
"Resource": "*"
},
{
"Sid": "SpecificTable",
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:*:*:table/<MyTable>"
}
]
}
Information provided on this defect is given as is at the time of documenting. For up to date information, please review the most recent Release Notes, or contact support with the ID QB-27013 for reference.
Cause
Product Defect ID: QB-27013
Environment
