Howdy. I'm migrating some code from CDK to Pulumi...
# aws
Howdy. I'm migrating some code from CDK to Pulumi. It's a simple application using Lambda and DynamoDB. In the CDK, I grant access to the DynamoDB tables using "`<tableObject>.grantReadWrite(<lambdaObject>)`" -- but I'm having a hard time finding an equivalent in Pulumi. Any insights?
@delightful-monkey-90700 looks like that creates an IAM role that is abstracted away from you. Similar to this:
note you'll need to scope the resource (line 45) to the specific table
Are there plans to add similar levels of abstraction for really common and abstractable tasks to Pulumi?
yes, it's being worked on actively right now
Is there any information on what the interface will look like? I'm going to add methods to the DynamoDB/etc classes
not at the moment, check back next week 🙂
Here's what I did:
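```typescript
aws.dynamodb.Table.prototype.grantReadWriteData = async function(role: aws.iam.Role): Promise<void> {
	// The argument to this call is missing from the archived message.
	const roleName = await pulumiOutputStringToString(/* ... */);
	const policyName = `${roleName}-rolepolicy`;

	// Create one policy entry per role the first time the role is seen.
	if (rolePolicyMap[policyName] === undefined) {
		rolePolicyMap[policyName] = {
			statements: [],
			role: role
		};
	}

	const rolePolicyStatements = rolePolicyMap[policyName].statements;
	// The line that opens this statement is missing from the archived message;
	// appending it to the list with push() is an assumption.
	rolePolicyStatements.push({
		Action: [ /* action list cut off in the archived message */ ],
		Resource: this.arn, // scoped to this table only
		Effect: "Allow",
	});
	// The rest of the function is not included in the archived message.
};
```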