# DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. This connector enables using DynamoDB tables as data sources for federated SQL queries in Spice. ```yaml datasets: - from: dynamodb:users name: users params: dynamodb_aws_region: us-west-2 dynamodb_aws_access_key_id: ${secrets:aws_access_key_id} # Optional dynamodb_aws_secret_access_key: ${secrets:aws_secret_access_key} # Optional dynamodb_aws_session_token: ${secrets:aws_session_token} # Optional ``` ## Configuration ### `from` The `from` field should specify the DynamoDB table name: | `from` | Description | | ---------------- | --------------------------------------------- | | `dynamodb:table` | Read data from a DynamoDB table named `table` | {% hint style="info" %} If an expected table is not found, verify the `dynamodb_aws_region` parameter. DynamoDB tables are region-specific. {% endhint %} ### `name` The dataset name. This will be used as the table name within Spice. Example: ```yaml datasets: - from: dynamodb:users name: my_users params: ... ``` ```sql SELECT COUNT(*) FROM my_users; ``` ### `params` The DynamoDB data connector supports the following configuration parameters: | Parameter Name | Description | | -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | | `dynamodb_aws_region` | Required. The AWS region containing the DynamoDB table | | `dynamodb_aws_access_key_id` | Optional. AWS access key ID for authentication. If not provided, credentials will be loaded from environment variables or IAM roles | | `dynamodb_aws_secret_access_key` | Optional. AWS secret access key for authentication. If not provided, credentials will be loaded from environment variables or IAM roles | | `dynamodb_aws_session_token` | Optional. AWS session token for authentication | ### Credential Sources If AWS credentials are not explicitly provided in the configuration, the connector will automatically load credentials from the following sources in order: 1. **Environment Variables**: * `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` * `AWS_SESSION_TOKEN` (if using temporary credentials) 2. **Shared AWS Config/Credentials Files**: * Config file: `~/.aws/config` (Linux/Mac) or `%UserProfile%\.aws\config` (Windows) * Credentials file: `~/.aws/credentials` (Linux/Mac) or `%UserProfile%\.aws\credentials` (Windows) * The `AWS_PROFILE` environment variable can be used to specify a named profile. * Supports both static credentials and SSO sessions * Example credentials file: ```ini # Static credentials [default] aws_access_key_id = YOUR_ACCESS_KEY aws_secret_access_key = YOUR_SECRET_KEY # SSO profile [profile sso-profile] sso_start_url = https://my-sso-portal.awsapps.com/start sso_region = us-west-2 sso_account_id = 123456789012 sso_role_name = MyRole region = us-west-2 ``` {% hint style="info" %} To set up SSO authentication: 1. Run `aws configure sso` to configure a new SSO profile 2. Use the profile by setting `AWS_PROFILE=sso-profile` 3. Run `aws sso login` to start a new SSO session {% endhint %} 4. **Web Identity Token Credentials**: * Used primarily with OpenID Connect (OIDC) and OAuth * Common in Kubernetes environments using IAM roles for service accounts (IRSA) 5. **ECS Container Credentials**: * Used when running in Amazon ECS containers * Automatically uses the task's IAM role * Retrieved from the ECS credential provider endpoint 6. **EC2 Instance Metadata Service (IMDSv2)**: * Used when running on EC2 instances * Automatically uses the instance's IAM role * Retrieved securely using IMDSv2 The connector will try each source in order until valid credentials are found. If no valid credentials are found, an authentication error will be returned. {% hint style="info" %} **IAM Permissions** Regardless of the credential source, the IAM role or user must have appropriate DynamoDB permissions (e.g., `dynamodb:Scan`, `dynamodb:DescribeTable`) to access the table. {% endhint %} ## Required IAM Permissions The IAM role or user needs the following permissions to access DynamoDB tables: ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:Scan", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:*:*:table/YOUR_TABLE_NAME" ] } ] } ``` ### Permission Details | Permission | Purpose | | ------------------------ | --------------------------------------------------------------- | | `dynamodb:Scan` | Required. Allows reading all items from the table | | `dynamodb:DescribeTable` | Required. Allows fetching table metadata and schema information | ### Example IAM Policies #### Minimal Policy (Read-only access to specific table) ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:Scan", "dynamodb:DescribeTable" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/users" } ] } ``` #### Access to Multiple Tables ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:Scan", "dynamodb:DescribeTable" ], "Resource": [ "arn:aws:dynamodb:us-west-2:123456789012:table/users", "arn:aws:dynamodb:us-west-2:123456789012:table/orders" ] } ] } ``` #### Access to All Tables in a Region ```json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:Scan", "dynamodb:DescribeTable" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/*" } ] } ``` {% hint style="warning" %} Security Considerations * Avoid using `dynamodb:*` permissions as it grants more access than necessary. * Consider using more restrictive policies in production environments. * When using IAM roles with EKS, ensure the [service account is properly configured with IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). {% endhint %} ## Examples ### Basic Configuration with Environment Credentials ```yaml version: v1 kind: Spicepod name: dynamodb datasets: - from: dynamodb:users name: users params: dynamodb_aws_region: us-west-2 acceleration: enabled: true ``` ### Configuration with Explicit Credentials ```yaml version: v1 kind: Spicepod name: dynamodb datasets: - from: dynamodb:users name: users params: dynamodb_aws_region: us-west-2 dynamodb_aws_access_key_id: ${secrets:aws_access_key_id} dynamodb_aws_secret_access_key: ${secrets:aws_secret_access_key} acceleration: enabled: true ``` ### Querying Nested Structures DynamoDB supports complex nested JSON structures. These fields can be queried using SQL: ```sql -- Query nested structs SELECT metadata.registration_ip, metadata.user_agent FROM users LIMIT 5; -- Query nested structs in arrays SELECT address.city FROM ( SELECT unnest(addresses) AS address FROM users ) WHERE address.city = 'San Francisco'; ``` {% hint style="warning" %} **Limitations** * The DynamoDB connector currently does not support filter push-down optimization. All filtering is performed after data is retrieved from DynamoDB. * Primary key optimizations are not yet implemented - retrieving items by their primary key will still scan the table. * The DynamoDB connector will scan the first 10 items to determine the schema of the table. This may miss columns that are not present in the first 10 items. {% endhint %} ## Data Types The DynamoDB connector supports the following data types and mappings: * Basic scalar types (String, Number, Boolean) * Lists and Maps * Nested structures * Binary data Example schema from a users table: ```sql describe users; ``` ```bash +----------------+------------------+-------------+ | column_name | data_type | is_nullable | +----------------+------------------+-------------+ | email | Utf8 | YES | | id | Int64 | YES | | metadata | Struct | YES | | addresses | List(Struct) | YES | | preferences | Struct | YES | | created_at | Utf8 | YES | ... +----------------+------------------+-------------+ ``` ## Performance Considerations * Due to limited support for filter push-down, enable acceleration to prevent scanning the entire table on every query. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.spice.ai/building-blocks/data-connectors/dynamodb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.