Service acct.

examples/dynamodb/service_account.tf

@@ -16,10 +16,10 @@ resource "aws_iam_role" "dynamodb_streams_role" {
   name = "DynamoDBStreamsRole"
 
   assume_role_policy = jsonencode({
-    Version = "2012-10-17",
+    Version   = "2012-10-17",
     Statement = [
       {
-        Action = "sts:AssumeRole",
+        Action    = "sts:AssumeRole",
         Principal = {
           Service = "ec2.amazonaws.com"
         },
@@ -35,20 +35,37 @@ resource "aws_iam_policy" "dynamodb_streams_access" {
   description = "My policy that grants access to DynamoDB streams"
 
   policy = jsonencode({
-    Version = "2012-10-17",
+    Version   = "2012-10-17",
     Statement = [
       {
-        Effect   = "Allow",
-        Action   = [
+        Effect = "Allow",
+        Action = [
           "dynamodb:GetShardIterator",
           "dynamodb:DescribeStream",
           "dynamodb:GetRecords",
           "dynamodb:ListStreams",
+
+          // Stuff only required for export (snapshot)
           "dynamodb:DescribeTable"
         ],
         // Don't want to use "*"? You can specify like this:
         // Resource = [ TABLE_ARN, TABLE_ARN + "/stream/*" ]
         Resource = "*" # Modify this to restrict access to specific streams or resources
+      },
+      // Export (snapshot) requires access to S3
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:ListBucket"
+        ],
+        "Resource" : "arn:aws:s3:::artie-transfer-test"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:GetObject"
+        ],
+        "Resource" : "arn:aws:s3:::artie-transfer-test/AWSDynamoDB/*"
       }
     ]
   })
@@ -80,6 +97,7 @@ resource "aws_iam_access_key" "dynamodb_streams_user_key" {
   user = aws_iam_user.dynamodb_streams_user.name
 }
 
+
 # Output AWS credentials
 output "aws_access_key_id" {
   value     = aws_iam_access_key.dynamodb_streams_user_key.id