CODEWITHSUNDEEP
amazon-web-servicesamazon-dynamodbamazon-cognitoamazon-iam
motivus
motivus

Reputation: 263

AWS IAM policy issue for DynamoDB table access by authenticated Cognito users

I'm having a problem accessing a new DynamoDB table via a successfully authenticated Cognito user.

I get the following AccessDeniedException when attempting a scan of the table (using the AWS JavaScript SDK):

Unable to scan. Error: {
  "message": "User: arn:aws:sts::MY-ACCOUNT-NUM:assumed-role/Cognito_VODStreamTestAuth_Role/CognitoIdentityCredentials 
is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:MY-ACCOUNT-NUM:table/VideoCatalog",
  "code": "AccessDeniedException",
  "time": "2019-01-27T02:25:27.686Z",
  "requestId": "blahblah",
  "statusCode": 400,
  "retryable": false,
  "retryDelay": 18.559011800834146
}

The authenticated Cognito user policy has been extended with the following DynamoDB section:

{
  "Sid": "AllowedCatalogActions",
  "Effect": "Allow",
  "Action": [
     "dynamodb:BatchGetItem",
     "dynamodb:GetItem",
     "dynamodb:Scan",
     "dynamodb:Query",
     "dynamodb:UpdateItem"
  ],
  "Resource": [
     "arn:aws:dynamodb:us-east-2:MY-ACCOUNT-NUM:table/VideoCatalog"
  ]
}

Shouldn't this be sufficient to give my authenticated Cognito users access to any DynamoDB table I might create, as long as I specify the table resource as I do above? Or do I also need to add "Fine-grained access control" under the table's 'Access control' tab?

I can say that I created the VideoCatalog DynamoDB table under my non-root Administrator IAM role (represented above by MY-ACCOUNT-NUM). Is that a problem? (Prior to trying to move to a DynamoDB table I was using a JSON file on S3 as the video catalog.)

IAM confused!

Upvotes: 1

Views: 635

Answers (1)

namuny
namuny

Reputation: 159

Looking at the error message from AWS and the policy document that you provided, I can see that there are two different regions here.

AWS is saying that your user does not have access to aws:dynamodb:us-east-1:MY-ACCOUNT-NUM:table/VideoCatalog, whereas your policy document is providing access to aws:dynamodb:us-east-2:MY-ACCOUNT-NUM:table/VideoCatalog.

Are you perhaps provisioning your resources in two different regions by mistake?

Upvotes: 1

Related Questions