Turja Chaudhuri

Reputation: 19

Lambda call fails with no permission error

I have a custom resource in a CloudFormation template that references a Lambda function. Inside the Lambda function, I have written code to push items into a DynamoDB table. However, the operation is failing when the CloudFormation stack is being created. The error is as follows:

User: arn:aws:sts::551250655555:assumed-role/custom-resource-stack-CustomResourceLambdaExecutio-1OX3T8494LEP5/custom-resource-stack-CustomResourceFunction-1GLEDE3BEPWDP is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:551250655555:table/MasterTable1

My Lambda function name is: custom-resource-stack-CustomResourceFunction-1GLEDE3BEPWDP

and my custom role created is: custom-resource-stack-CustomResourceLambdaExecutio-1OX3T8494LEP5

However, in my serverless template file, I have provided the following permissions:

"CustomResourceLambdaExecutionPolicy": {
  "DependsOn": ["CustomResourceLambdaExecutionRole"],
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "CustomResourceLambdaExecutionPolicyDocument",
    "Roles": [{
      "Ref": "CustomResourceLambdaExecutionRole"
    }],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "DynamoDBAccess",
        "Action": "dynamodb:*",
        "Effect": "Allow",
        "Resource": "*"
      },
      {
        "Sid": "CloudwatchLogGroupAccess",
        "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
      ]
    }
  }
}

which gives access to all DynamoDB operations and tables. Any ideas on what I am doing wrong here?

Upvotes: 0

Views: 468

Answers (1)

cementblocks

Reputation: 4616

You are experiencing a race condition.

The Lambda function depends on the IAM role but not on the policy. Thus the function is invoked before the IAM policy is attached to the role.

If you add the policy to the role as part of the IAM role definition, that should fix it. You can also make the Lambda function depend on the IAM policy.

Upvotes: 2
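The race the answer describes is a missing edge in the stack's dependency graph: CloudFormation orders resources only by DependsOn and by the Ref/Fn::GetAtt references inside their properties, and a standalone AWS::IAM::Policy is referenced by nothing the custom resource depends on. The script below is an added example, not code from the question or the answer. It walks a template's dependency graph, reports any Lambda-backed custom resource whose function role has a policy that is not guaranteed to exist first, and applies both fixes from the answer. The template it checks is a constructed, trimmed version of the one in the question; the custom resource's logical ID (SeedMasterTable) and type (Custom::SeedTable) are assumptions, and the function's Code/Runtime properties are omitted because they play no part in ordering.

```python
"""Detect the ordering race from the answer above: a Lambda-backed custom resource
whose function can run before a standalone AWS::IAM::Policy is attached to its role."""
import copy

def _refs(node, out):
    """Collect every logical ID referenced through Ref or Fn::GetAtt under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            out.add(node["Ref"])
        if "Fn::GetAtt" in node:
            att = node["Fn::GetAtt"]
            out.add(att[0] if isinstance(att, list) else att.split(".")[0])
        node = list(node.values())
    if isinstance(node, list):
        for value in node:
            _refs(value, out)
    return out

def _direct_deps(resource):
    """DependsOn plus every Ref/GetAtt in Properties: the edges CloudFormation orders by."""
    d = resource.get("DependsOn", [])
    return _refs(resource.get("Properties", {}), {d} if isinstance(d, str) else set(d))

def _guaranteed_before(resources, start):
    """Every resource CloudFormation must finish before it creates `start`."""
    seen, stack = set(), [start]
    while stack:
        for dep in _direct_deps(resources[stack.pop()]):
            if dep in resources and dep not in seen:  # skips parameters / pseudo-params
                seen.add(dep)
                stack.append(dep)
    return seen

def find_policy_races(template):
    """Return (custom_resource, function, policy) triples where `policy` attaches to
    the function's execution role but is not ordered before the custom resource."""
    res = template["Resources"]
    races = []
    for cr_id, cr in res.items():
        kind = cr["Type"]
        if not (kind.startswith("Custom::") or kind == "AWS::CloudFormation::CustomResource"):
            continue
        done_first = _guaranteed_before(res, cr_id)
        for fn_id in _refs(cr["Properties"].get("ServiceToken"), set()):
            if res.get(fn_id, {}).get("Type") != "AWS::Lambda::Function":
                continue
            roles = _refs(res[fn_id]["Properties"].get("Role"), set())
            for pol_id, pol in res.items():
                if pol["Type"] != "AWS::IAM::Policy":
                    continue
                attached = _refs(pol["Properties"].get("Roles", []), set())
                if attached & roles and pol_id not in done_first:
                    races.append((cr_id, fn_id, pol_id))
    return races

def fix_with_depends_on(template):
    """First fix from the answer: make each racing function DependsOn its policy."""
    fixed = copy.deepcopy(template)
    for _cr, fn_id, pol_id in find_policy_races(template):
        fn = fixed["Resources"][fn_id]
        d = fn.get("DependsOn", [])
        fn["DependsOn"] = sorted(({d} if isinstance(d, str) else set(d)) | {pol_id})
    return fixed

def fix_with_inline_policy(template):
    """Second fix from the answer: fold the standalone policy into the role's
    Policies property so role and permissions are created as one resource."""
    fixed = copy.deepcopy(template)
    for _cr, _fn, pol_id in find_policy_races(template):
        pol = fixed["Resources"].pop(pol_id, None)
        if pol is None:  # already folded in for an earlier race
            continue
        for role_id in _refs(pol["Properties"].get("Roles", []), set()):
            fixed["Resources"][role_id]["Properties"].setdefault("Policies", []).append(
                {"PolicyName": pol["Properties"]["PolicyName"],
                 "PolicyDocument": pol["Properties"]["PolicyDocument"]})
    return fixed

RACY_TEMPLATE = {"Resources": {  # constructed; mirrors the shape of the question's template
    "CustomResourceLambdaExecutionRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"Service": "lambda.amazonaws.com"}}]}}},
    "CustomResourceLambdaExecutionPolicy": {"Type": "AWS::IAM::Policy",
        "DependsOn": ["CustomResourceLambdaExecutionRole"], "Properties": {
            "PolicyName": "CustomResourceLambdaExecutionPolicyDocument",
            "Roles": [{"Ref": "CustomResourceLambdaExecutionRole"}],
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Sid": "DynamoDBAccess",
                "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}}},
    "CustomResourceFunction": {"Type": "AWS::Lambda::Function", "Properties": {  # Code etc. omitted
        "Role": {"Fn::GetAtt": ["CustomResourceLambdaExecutionRole", "Arn"]}}},
    "SeedMasterTable": {"Type": "Custom::SeedTable", "Properties": {  # assumed logical ID and type
        "ServiceToken": {"Fn::GetAtt": ["CustomResourceFunction", "Arn"]},
        "TableName": "MasterTable1"}},
}}
if __name__ == "__main__":
    print("races:", find_policy_races(RACY_TEMPLATE))
    for fix in (fix_with_depends_on, fix_with_inline_policy):
        print(fix.__name__, "->", find_policy_races(fix(RACY_TEMPLATE)))
```

On the unfixed template the check reports the triple (SeedMasterTable, CustomResourceFunction, CustomResourceLambdaExecutionPolicy); after either fix it reports nothing. A DependsOn on the custom resource itself would also satisfy the check, since the walk follows the custom resource's dependencies transitively. Two caveats a practitioner should keep in mind: IAM is eventually consistent, so even with correct ordering the first invocation can still see a transient AccessDenied and the handler should retry; and `dynamodb:*` on `Resource: "*"` is far broader than a seeding function needs, so once the ordering is fixed, scope the statement to the specific table ARN and the actions actually used.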

Related Questions