CODEWITHSUNDEEP
node.jsamazon-web-servicesamazon-dynamodbaws-sdkaws-cli
Tirath Shah
Tirath Shah

Reputation: 648

User is not authorized to perform: dynamodb:PutItem on resource

I am trying to access DynamoDB from my Node app deployed on AWS ElasticBeanStalk. I am getting an error

User is not authorized to perform: dynamodb:PutItem on resource

It works perfectly fine locally, but when I deploy to the AWS it stops performing.

Upvotes: 54

Views: 93664

Answers (5)

Prashant_M
Prashant_M

Reputation: 3134

Granting full dynamodb access using aws managed policy AmazonDynamoDBFullAccess is not recommended and is not a best practice. Try adding your table arn in the resource key in the policy in your role policy json.

"Resource": "arn:aws:dynamodb:<region>:<account_id>:table:/dynamodb_table_name"

Upvotes: 4

Marcos Viana
Marcos Viana

Reputation: 171

Sign in to IAM > Roles, select the service name. Make sure the DynamoDB Resource is correct.

Upvotes: 0

gsamaras
gsamaras

Reputation: 73366

In my case (I try to write to a DynamoDB table through a SageMaker Notebook for experimental purposes), the complete error looks like this:

ClientError: An error occurred (AccessDeniedException) when calling the UpdateItem operation: User: arn:aws:sts::728047644461:assumed-role/SageMakerExecutionRole/SageMaker is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:eu-west-1:728047644461:table/mytable

I needed to go to AWS Console -> IAM -> Roles -> SageMakerExecutionRole, and Attach these two Policies:

AmazonDynamoDBFullAccess
AWSLambdaInvocation-DynamoDB

In a real-world scenario though, I'd advise to follow the least-permissions philosophy, and apply a policy that allows put item method to go through, in order to avoid accidents (e.g. deleting a record from your table).

Upvotes: 1

Abhimanu Kumar
Abhimanu Kumar

Reputation: 1791

The dynamoDB access denied is generally a Policy issue. Check the IAM/Role policies that you are using. A quick check is to add 

AmazonDynamoDBFullAccess

policy in your role by going to "Permissions" tab in AWS console. If it works after that then it means you need to create a right access policy and attach it to your role.

Upvotes: 57

smcstewart
smcstewart

Reputation: 2085

Check the access key you are using to connect to DynamoDB in your Node app on AWS. This access key will belong to a user that does not have the necessary privileges in IAM. So, find the IAM user, create or update an appropriate policy and you should be good.

For Beanstalk you need to setup user policies when you publish. Check out the official docs here.

And check out the example from here too, courtesy of @Tirath Shah.

Upvotes: 3

Related Questions