George

Reputation: 507

DynamoDB fine-grain access with Lambda

I'm trying to access user data in a DynamoDB table using identity-level fine-grained access. For user authentication I'm using Developer Authenticated Identities.

To accomplish that, my policy includes:

{
    "Action": [
        "dynamodb:GetItem",
        "dynamodb:UpdateItem"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:dynamodb:eu-west-1:817949094961:table/Users",
    "Condition": {
        "ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [
                "${cognito-identity.amazonaws.com:sub}"
            ]
        }
    }
}

When trying to access the user's data from the DynamoDB table in a Lambda function, I'm getting the following error:

Error in updateUser: AccessDeniedException: User: arn:aws:sts::12312313:assumed-role/LambdAuthEditAccount/awslambda_123_20160410184653936 is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:eu-west-1:12312312:table/Users"}

However, it works just fine when accessing DynamoDB directly from the client browser using the JS API: fine-grained access control works correctly. The policy block above is added to both the user's authenticated role and the role assumed by the Lambda function.

I'm wondering whether the role assumed by the Lambda (included in the error above) shouldn't resolve to the user's authenticated role?

Upvotes: 1

Views: 813

Answers (1)

Vinay Kushwaha

Reputation: 1797

The above policy will not work for the role assumed by the Lambda function, since it requires the ID token issued by Cognito to assume the role and get credentials. You can try the following approach:

1) Pass the identity ID and the token (received from GetOpenIdTokenForDeveloperIdentity) to the Lambda function.
2) Call GetCredentialsForIdentity from the Lambda function and pass the identity ID and the above token in the logins map.
3) Use these credentials to access DynamoDB.

Upvotes: 4
