aaqib90

Reputation: 558

Aws lambda not connecting with Dynamo Db

I am getting this error when I am trying to trigger:

There was an error creating the trigger: Cannot access stream arn:aws:dynamodb:us-east-2:xxxxxx:table/xxxx/stream/2017-09-18T07:47:01.834. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM.

Please help me.

Upvotes: 13

Views: 17238

Answers (5)

user1893483

Reputation: 1

Attach the AWSLambdaKinesisExecutionRole policy to the Lambda function. This policy is predefined by AWS. You can just use that in your Lambda SAM template.

Upvotes: 0

ROB

Reputation: 131

When you create a Lambda function, Lambda creates a role by default for the function, but that role isn't enough to give Dynamo permission to invoke Lambda functions. So in the Roles section, find your Lambda function's role and attach the AWSLambdaInvocation-DynamoDB policy.

Upvotes: 0

Wilheim

Reputation: 123

It seems like you only need to create a role with the AWSLambdaDynamoDBExecutionRole policy and attach it to your Lambda. You probably don't want full access, as this is a read action.

Upvotes: 2

Dylan w

Reputation: 2906

When attaching a trigger to a DynamoDb table, you will get the error as posted by OP

You need to add a policy to the IAM role generated for that lambda function.

Here is sample JSON you can use to create the policy, just replace the lambda function and stream ARNs.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:accountnumber:function:functionname"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:region:accountnumber:table/table-name/stream/2019-02-27T07:41:49.893"
        }
    ]
}

Once you create the policy and attach it to the role, you can then go back to DynamoDB and create a new trigger with the lambda function. If done correctly, it will create without errors.

Upvotes: 22
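The policy above pins the four stream actions to one stream ARN. As an added example (not code from the question or any of the answers), the script below pulls the stream ARN out of the error text in the question, emits a least-privilege policy for it, and runs a small local check that reports which of the four named actions a given policy fails to grant on that stream. The account id `123456789012`, the table name `orders` and the `logs:*` "default role" policy are constructed for the demo; the stream ARN format (`table/NAME/stream/LABEL`) and the four action names are taken from the error message itself.

```python
"""Build and check the IAM permissions a DynamoDB stream trigger needs.

Added example, not code from the original question or answers. It assumes
only what the error text says: the four dynamodb stream actions and a stream
ARN of the form arn:aws:dynamodb:REGION:ACCOUNT:table/NAME/stream/LABEL.
The account id and table name in the demo are constructed.
"""
import json
import re

# The four actions the error message names.
STREAM_ACTIONS = (
    "dynamodb:DescribeStream",
    "dynamodb:GetRecords",
    "dynamodb:GetShardIterator",
    "dynamodb:ListStreams",
)

# The stream label is the timestamp DynamoDB assigned when streams were enabled.
STREAM_ARN_RE = re.compile(
    r"arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/[A-Za-z0-9_.-]+"
    r"/stream/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}"
)


def stream_arn_from_error(message):
    """Pull the stream ARN out of the 'Cannot access stream ...' error text."""
    m = STREAM_ARN_RE.search(message)
    if m is None:
        raise ValueError("no DynamoDB stream ARN found in message")
    return m.group(0)


def build_stream_policy(stream_arn, any_stream_label=False):
    """Least-privilege policy: the four stream actions, scoped to one stream.

    The label changes whenever streams are disabled and re-enabled on the
    table, so any_stream_label=True scopes to table/NAME/stream/* instead of
    pinning the policy to a label that may not exist tomorrow.
    """
    if STREAM_ARN_RE.fullmatch(stream_arn) is None:
        raise ValueError("not a DynamoDB stream ARN: " + stream_arn)
    resource = stream_arn
    if any_stream_label:
        resource = stream_arn.rsplit("/", 1)[0] + "/*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(STREAM_ACTIONS),
            "Resource": resource,
        }],
    }


def _glob(pattern):
    """IAM-style wildcard: '*' matches any run of characters, '?' one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts) + r"\Z")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_allows(policy, action, resource):
    """Minimal evaluator for one identity policy: explicit Deny beats Allow.

    Action names match case-insensitively, resource ARNs case-sensitively.
    Condition, NotAction, NotResource, SCPs and permissions boundaries are
    not modelled; this checks policy text, it does not replace the simulator.
    """
    allowed = False
    for stmt in policy["Statement"]:
        acts = _as_list(stmt.get("Action"))
        ress = _as_list(stmt.get("Resource"))
        if not any(_glob(a.lower()).match(action.lower()) for a in acts):
            continue
        if not any(_glob(r).match(resource) for r in ress):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_stream_actions(policy, stream_arn):
    """The actions from the error message that the policy does not grant."""
    return [a for a in STREAM_ACTIONS if not policy_allows(policy, a, stream_arn)]


if __name__ == "__main__":
    # Constructed copy of the question's error with a dummy account and table.
    error = ("There was an error creating the trigger: Cannot access stream "
             "arn:aws:dynamodb:us-east-2:123456789012:table/orders/stream/"
             "2017-09-18T07:47:01.834. Please ensure the role can perform ...")
    arn = stream_arn_from_error(error)

    # Constructed stand-in for a role that only grants logging.
    logs_only = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}
    print("logs-only role is missing:", missing_stream_actions(logs_only, arn))

    # Common mistake: scoping to the table ARN, which does not cover its stream.
    table_only = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-2:123456789012:table/orders"}]}
    print("table-scoped policy is missing:", missing_stream_actions(table_only, arn))

    fixed = build_stream_policy(arn, any_stream_label=True)
    print(json.dumps(fixed, indent=2))
    print("fixed policy is missing:", missing_stream_actions(fixed, arn))
```

The local evaluator is only a sanity check on the policy document you are about to attach; the authoritative answer for a real role comes from the IAM policy simulator (`aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names dynamodb:GetRecords ... --resource-arns <stream-arn>`), which also accounts for conditions, boundaries and SCPs that this script ignores.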

Chetan Laddha

Reputation: 1005

As per the error message, your IAM settings are not correct. You need to assign these kinds of roles to your user.

You will have to create a policy that allows your AWS functions to access Cloudwatch logs as well as the table you just created. Go to the IAM console, select 'Roles' and then 'Create new role'.


Select the 'AWS Lambda' role.

Then click 'Next step' to skip the 'Attach Policy' section.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html will help you to tackle this error. Also, I tried to follow the information from https://github.com/dwyl/learn-aws-lambda#what-is-lambda for accessing DynamoDB and it's working fine with the root (main) user.

Upvotes: 3
