Emil

Reputation: 6893

AccessDeniedException using Cognito ID in DynamoDB

I am trying to insert into my DynamoDB table using the Cognito user Id and I am always getting "AccessDeniedException". I followed the documentation and created the table and policy for it as below. What is missing here? Please see the full stack information and request ID.

The table has UserId as the hash key and id as the range key.

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:1828211111:table/Table"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Code to save data:

// Attach the provider token to the Cognito credentials and resolve the identity ID
AWS.DynamoDBhelper.Credentials.AddLogin(Helpers.Constants.KEY_LAST_USED_PROVIDER, Helpers.Settings.LoginAccessToken);
var identityId = await AWS.DynamoDBhelper.Credentials.GetIdentityIdAsync();

var client = new Amazon.DynamoDBv2.AmazonDynamoDBClient(AWS.DynamoDBhelper.Credentials, Amazon.RegionEndpoint.USEast1);
Amazon.DynamoDBv2.DataModel.DynamoDBContext context = new Amazon.DynamoDBv2.DataModel.DynamoDBContext(client);

AWS.Table table = new AWS.Table();
table.UserId = identityId;
table.id = "1";
// DynamoDBContext first describes the table to learn its key schema, then writes the item
await context.SaveAsync(table);

ex = {Amazon.DynamoDBv2.AmazonDynamoDBException: assumed-role/ _auth_MOBILEHUB/CognitoIdentityCredentials is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1

Model:

[DynamoDBTable("Table")]
public class Table
{
    [DynamoDBHashKey]
    public string UserId { get; set; }

    [DynamoDBRangeKey]
    public string id { get; set; }
}

Upvotes: 1

Views: 1142

Answers (1)

Peter Fennema

Reputation: 1690

The error message:

... is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1 ...

Add the following to the Action in your policy:

dynamodb:DescribeTable

So your policy will look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem",
                "dynamodb:DescribeTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:1828211111:table/Table"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "${cognito-identity.amazonaws.com:sub}"
                    ]
                }
            }
        }
    ]
}

Upvotes: 2
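To see why the original policy fails and what the answer's fix changes, here is a small model of how IAM evaluates the statement above. It is an added illustration, not AWS's evaluation engine and not the asker's project code: it implements only the subset of IAM semantics this policy uses (a single Allow statement, exact action and resource matching, `ForAllValues:StringEquals` on `dynamodb:LeadingKeys`, and substitution of `${cognito-identity.amazonaws.com:sub}`). The identity IDs are constructed sample values. Beyond the page's own case it also shows the property the `LeadingKeys` condition is there for: a caller can only touch items whose partition key is their own identity ID, and a batch that mixes in another user's key is rejected as a whole, while `DescribeTable`, a table-level action with no `LeadingKeys` in its request context, passes the condition once it is listed in `Action`.

```python
"""Simplified model of the IAM evaluation behind the AccessDeniedException above.

Added example, not AWS's engine or the asker's code: only the subset of IAM
semantics used by the page's policy is modelled. Identity IDs are constructed.
"""
import copy

# Constructed sample Cognito identity IDs (real ones look like "<region>:<uuid>").
ALICE = "us-east-1:11111111-1111-4111-8111-111111111111"
MALLORY = "us-east-1:22222222-2222-4222-8222-222222222222"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:1828211111:table/Table"  # from the question
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"

# The policy as posted in the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:DeleteItem",
            "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem",
        ],
        "Resource": [TABLE_ARN],
        "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [SUB_VAR]}},
    }],
}


def fixed_policy(policy):
    """Return a copy with the answer's fix applied: DescribeTable added to Action."""
    p = copy.deepcopy(policy)
    p["Statement"][0]["Action"].append("dynamodb:DescribeTable")
    return p


def _for_all_values_string_equals(policy_values, request_values):
    """IAM's ForAllValues: every value in the request must be in the policy set.
    If the key is absent from the request context, the operator evaluates true."""
    if request_values is None:
        return True
    return all(v in policy_values for v in request_values)


def is_allowed(policy, identity_id, action, resource, leading_keys=None):
    """Evaluate one request. leading_keys lists the partition-key values the
    request touches; None models a table-level action such as DescribeTable,
    whose request context carries no dynamodb:LeadingKeys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            raise NotImplementedError("only Allow statements are modelled")
        if action not in stmt["Action"] or resource not in stmt["Resource"]:
            continue
        conditions_hold = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator != "ForAllValues:StringEquals":
                raise NotImplementedError(operator)
            for key, values in keys.items():
                if key != "dynamodb:LeadingKeys":
                    raise NotImplementedError(key)
                # Policy variables resolve against the caller's Cognito identity.
                resolved = [v.replace(SUB_VAR, identity_id) for v in values]
                if not _for_all_values_string_equals(resolved, leading_keys):
                    conditions_hold = False
        if conditions_hold:
            return True
    return False  # no matching Allow: implicit deny


def describe_table_allowed(policy, identity_id=ALICE):
    """The call DynamoDBContext makes before SaveAsync to learn the key schema."""
    return is_allowed(policy, identity_id, "dynamodb:DescribeTable", TABLE_ARN)


def own_partition_write_allowed(policy):
    """Alice writes an item whose UserId is her own identity ID."""
    return is_allowed(policy, ALICE, "dynamodb:PutItem", TABLE_ARN, leading_keys=[ALICE])


def foreign_partition_write_allowed(policy):
    """Mallory tries to write into Alice's partition."""
    return is_allowed(policy, MALLORY, "dynamodb:PutItem", TABLE_ARN, leading_keys=[ALICE])


def mixed_batch_write_allowed(policy):
    """Alice batch-writes one own item and one item under Mallory's key."""
    return is_allowed(policy, ALICE, "dynamodb:BatchWriteItem", TABLE_ARN,
                      leading_keys=[ALICE, MALLORY])


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL_POLICY),
                          ("with DescribeTable", fixed_policy(ORIGINAL_POLICY))):
        print(label)
        print("  DescribeTable:", describe_table_allowed(policy))
        print("  own-partition PutItem:", own_partition_write_allowed(policy))
        print("  foreign-partition PutItem:", foreign_partition_write_allowed(policy))
        print("  mixed BatchWriteItem:", mixed_batch_write_allowed(policy))
```

Running it prints the original policy denying `DescribeTable` (the exception in the question) and the fixed policy allowing it, while both versions keep per-user writes confined to the caller's own partition. The `ForAllValues` behaviour on a missing key is what lets the table-level `DescribeTable` sit in the same statement as the item-level actions; keep that in mind if you ever move the condition into a `Deny` statement, where the same rule cuts the other way.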
