Reputation: 558
I am getting this error when I am trying to create the trigger:
There was an error creating the trigger: Cannot access stream arn:aws:dynamodb:us-east-2:xxxxxx:table/xxxx/stream/2017-09-18T07:47:01.834. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM.
Please help me.
Upvotes: 13
Views: 17238
Reputation: 1
Attach the AWSLambdaKinesisExecutionRole policy to the Lambda function. This policy is predefined by AWS. You can just use it in your Lambda SAM template.
Upvotes: 0
Reputation: 131
When you create a Lambda function, Lambda creates a role by default for the function, but that role isn't enough to give DynamoDB permission to invoke Lambda functions. So in the Roles section, find your Lambda function's role and attach the AWSLambdaInvocation-DynamoDB policy.
Upvotes: 0
Reputation: 123
Seems like you only need to create this role with the AWSLambdaDynamoDBExecutionRole policy and attach it to your Lambda. You probably don't want full access, as this is a read action.
Upvotes: 2
Reputation: 2906
When attaching a trigger to a DynamoDB table, you will get the error posted by the OP.
You need to add a policy to the IAM role generated for that lambda function.
Here is sample JSON you can use to create the policy; just replace the Lambda function and stream ARNs.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:accountnumber:function:functionname"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:region:accountnumber:table/table-name/stream/2019-02-27T07:41:49.893"
        }
    ]
}
Once you create the policy and attach it to the role, you can go back to DynamoDB and create a new trigger with the Lambda function. If done correctly, it will create without errors.
Upvotes: 22
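An added example, not code from any answer above: a small Python script that builds a policy document scoped to one stream ARN (the four actions named in the error message, on that stream only) and then checks, with a simplified IAM-style matcher, whether a given policy actually grants them. The ARNs, account number and table name are constructed placeholders. It shows the common mistake that still produces the "Cannot access stream" error: a policy whose Resource is the table ARN (`table/Orders`) rather than the stream ARN (`table/Orders/stream/<label>` or `table/Orders/stream/*`).

```python
"""Build and check a least-privilege policy for a DynamoDB Streams trigger.

Added illustration only: the evaluator below models Allow/Deny with IAM
'*' and '?' wildcards. It ignores Condition, NotAction and NotResource.
"""
import fnmatch
import json

# The four actions the console error lists for a DynamoDB Streams trigger.
REQUIRED_STREAM_ACTIONS = (
    "dynamodb:DescribeStream",
    "dynamodb:GetRecords",
    "dynamodb:GetShardIterator",
    "dynamodb:ListStreams",
)


def build_trigger_policy(stream_arn: str) -> dict:
    """Return a policy document granting only the stream read actions.

    The Resource is the stream's own ARN (table/<name>/stream/<label>),
    not the table ARN and not '*', so the role can read this stream only.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadDynamoDBStream",
                "Effect": "Allow",
                "Action": list(REQUIRED_STREAM_ACTIONS),
                "Resource": stream_arn,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_covers(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(_matches(a, action, case_insensitive=True) for a in actions) and any(
        _matches(r, resource) for r in resources
    )


def missing_stream_permissions(policy: dict, stream_arn: str) -> list:
    """Return the required actions the policy does not grant on stream_arn.

    Simplified IAM evaluation: an explicit Deny wins; otherwise any matching
    Allow grants the action.
    """
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in REQUIRED_STREAM_ACTIONS:
        denied = any(
            s.get("Effect") == "Deny" and _statement_covers(s, action, stream_arn)
            for s in statements
        )
        allowed = any(
            s.get("Effect") == "Allow" and _statement_covers(s, action, stream_arn)
            for s in statements
        )
        if denied or not allowed:
            missing.append(action)
    return missing


# Constructed placeholder ARNs (account number and table name are made up).
EXAMPLE_STREAM_ARN = (
    "arn:aws:dynamodb:us-east-2:123456789012:table/Orders/stream/2019-02-27T07:41:49.893"
)
# The mistake that keeps producing the error: scoping to the table, not the stream.
TABLE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:us-east-2:123456789012:table/Orders",
        }
    ],
}

if __name__ == "__main__":
    good = build_trigger_policy(EXAMPLE_STREAM_ARN)
    print(json.dumps(good, indent=2))
    print("scoped policy missing:", missing_stream_permissions(good, EXAMPLE_STREAM_ARN))
    print("table-only policy missing:", missing_stream_permissions(TABLE_ONLY_POLICY, EXAMPLE_STREAM_ARN))
```

Running it prints the generated policy, an empty list for the stream-scoped policy, and all four actions for the table-only policy, which is why `dynamodb:*` on the table ARN does not satisfy the trigger. A Resource of `.../table/Orders/stream/*` also passes and survives the stream label changing when streams are disabled and re-enabled.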
Reputation: 1005
As per the error message, your IAM settings are not correct. You need to assign these kinds of roles to your user.
You will have to create a policy that allows your AWS functions to access CloudWatch Logs as well as the table you just created. Go to the IAM console, select 'Roles' and then 'Create new role'.
Then click 'Next step' to skip the 'Attach Policy' section.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html will help you tackle this error.
Also, I tried to follow the information from https://github.com/dwyl/learn-aws-lambda#what-is-lambda for accessing DynamoDB, and it's working fine with the root (main) user.
Upvotes: 3