Skip to content
OpsTower Docs

AWS DynamoDB Connection

The AWS DynamoDB connection integrates your DynamoDB tables with OpsTower, giving agents the ability to query data using PartiQL syntax. PartiQL provides a SQL-compatible query language for DynamoDB, making it straightforward for agents to look up and analyze your NoSQL data.

Prerequisites

Section titled “Prerequisites”

You need an AWS account with at least one DynamoDB table in the region you want to connect.

Credentials Required

Section titled “Credentials Required”

To set up a DynamoDB connection, you need three pieces of information, with one optional field:

  • AWS Access Key ID — the access key for an IAM user with DynamoDB read permissions
  • AWS Secret Access Key — the corresponding secret key
  • Region — the AWS region where your DynamoDB tables are located (e.g., us-east-1)
  • Default Table (optional) — scope queries to a specific table by default

How to Create IAM Credentials

Section titled “How to Create IAM Credentials”

  1. Log in to the AWS Console and navigate to IAM (Identity and Access Management).

  2. In the left sidebar, select Users and click Create user (or select an existing user).

  3. Give the user a descriptive name (e.g., “opstower-dynamodb”).

  4. On the permissions step, attach one of the following policies:

    Option A — Managed policy (recommended for simplicity): Attach the AWS managed policy AmazonDynamoDBReadOnlyAccess. This grants read access to all DynamoDB tables in the account.

    Option B — Custom policy (recommended for least privilege): Create an inline policy with only the permissions OpsTower needs:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:ExecuteStatement",
            "dynamodb:ListTables",
            "dynamodb:DescribeTable"
          ],
          "Resource": "*"
        }
      ]
    }

    You can further restrict the Resource field to specific table ARNs if needed.

  5. After creating the user, go to Security credentials and click Create access key.

  6. Select Third-party service as the use case.

  7. Copy both the Access Key ID and Secret Access Key immediately — the secret key will not be shown again.

Store these credentials securely. If you lose the secret key, you will need to create a new access key pair.

How to Find Your Region

Section titled “How to Find Your Region”

Your DynamoDB tables are region-specific. To find the correct region:

  1. In the AWS Console, navigate to DynamoDB.
  2. Check the region selector in the top-right corner of the console. The current region code (e.g., us-east-1, eu-west-1) is displayed there.
  3. Ensure you can see your tables listed. If not, switch to the correct region.

Setting Up the Connection in OpsTower

Section titled “Setting Up the Connection in OpsTower”
  1. In OpsTower, navigate to Connections in the sidebar.
  2. Click Add Connection and select AWS DynamoDB.
  3. Enter your AWS Access Key ID, AWS Secret Access Key, and Region.
  4. Optionally, set a Default Table to scope queries to a specific table.
  5. Click Save to create the connection.

What Agents Can Do with DynamoDB

Section titled “What Agents Can Do with DynamoDB”

Once connected and enabled on an agent, the agent can:

  • Query tables using PartiQL syntax (a SQL-compatible language for DynamoDB)
  • List all DynamoDB tables in the configured region
  • Describe table structures, including key schemas and indexes

PartiQL Query Notes

Section titled “PartiQL Query Notes”

PartiQL lets you query DynamoDB with SQL-like syntax. A few important things to know:

  • Include the partition key in queries for best performance. Queries without a partition key result in a full table scan, which is slower and more expensive.
  • Example query: SELECT * FROM "Users" WHERE "userId" = 'abc123'
  • Table and attribute names with special characters or uppercase letters should be enclosed in double quotes.
  • PartiQL through OpsTower is read-only. Write operations (INSERT, UPDATE, DELETE) are not supported.

Troubleshooting

Section titled “Troubleshooting”
  • Authentication errors: Verify that your Access Key ID and Secret Access Key are correct and that the IAM user has not been deactivated.
  • Access denied: Ensure the IAM user has the required permissions (dynamodb:ExecuteStatement, dynamodb:ListTables, dynamodb:DescribeTable). Check for any restrictive IAM policies or service control policies.
  • No tables found: Confirm that the region is correct. DynamoDB tables are region-specific, so tables in us-east-1 will not appear when querying eu-west-1.
  • Slow queries: Include the partition key in your PartiQL queries to avoid full table scans. If querying by non-key attributes, consider whether a Global Secondary Index (GSI) exists for those attributes.