Adam

Reputation: 4188

Unable to Query DynamoDB Table from Lambda Function

I receive the following error when executing a Lambda function:

"AccessDeniedException: User: arn:aws:sts::342213474092:assumed-role/testServerlessStack-ExecRole-YZCIWMHK86D8/testServerlessStack-GetFailureKeysByOrder-OR3YS1NLQY0M is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-2:342213474092:table/Bar"

The function's execution role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-2:342213474092:table/Foo/*",
                "arn:aws:dynamodb:us-east-2:342213474092:table/Bar/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The Lambda queries Foo then scans Bar.

Upvotes: 0

Views: 1013

Answers (1)

Chris D'Englere

Reputation: 436

According to the docs, the resources should be formatted as:

To query a table: arn:aws:dynamodb:region:account-id:table/table-name

or: arn:aws:dynamodb:region:account-id:table/*

The same goes for scan:

To scan a table: arn:aws:dynamodb:region:account-id:table/table-name

or: arn:aws:dynamodb:region:account-id:table/*

Have you tried changing the resources to:

"Resource": [
    "arn:aws:dynamodb:us-east-2:342213474092:table/Foo",
    "arn:aws:dynamodb:us-east-2:342213474092:table/Bar"
],

Docs here: DynamoDB API permissions

Based on your last comment, this should work for you:

arn:aws:dynamodb:region:account-id:table/*/index/*

Upvotes: 1
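The resource-matching behaviour behind both the error in the question and the answer's suggestion, as an added example that is not code from the original question or answer: a small Python simulator of how IAM matches a request's resource ARN against a statement's Resource patterns. It assumes Allow-only evaluation (no Deny statements, no Condition blocks, no resource policies) and the documented wildcard semantics (`*` matches any run of characters, including `:` and `/`; `?` matches one character; matching is anchored and case-sensitive). The index name `ByOrder`, the table `Baz` and the helper names below are constructed for the demonstration; the account id and region come from the error message in the question.

```python
"""Simulate how IAM matches a DynamoDB request against a policy's Resource ARNs.

Added example, not code from the original question or answer. Assumptions:
- Allow-only evaluation: no Deny statements, no Condition blocks, no resource policies.
- In a Resource pattern '*' matches any run of characters (including ':' and '/')
  and '?' matches exactly one character; matching is anchored and case-sensitive.
- The index name 'ByOrder' and the table 'Baz' are constructed for the demo.
"""
import re

ACCOUNT = "342213474092"   # account id from the error message in the question
REGION = "us-east-2"


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM wildcard pattern into an anchored regular expression."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def matches(pattern: str, value: str) -> bool:
    return pattern_to_regex(pattern).match(value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(matches(a, action) for a in _as_list(stmt["Action"])) and \
           any(matches(r, resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def table_arn(table: str) -> str:
    return f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{table}"


def index_arn(table: str, index: str) -> str:
    # Secondary indexes are separate resources that live under the table ARN.
    return f"{table_arn(table)}/index/{index}"


def read_policy(resources: list) -> dict:
    """Build the Query/Scan Allow statement from the question over the given resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": resources,
        }],
    }


# Policy exactly as posted in the question: ".../table/Foo/*" and ".../table/Bar/*".
POLICY_AS_POSTED = read_policy([table_arn("Foo") + "/*", table_arn("Bar") + "/*"])

# Corrected policy: the two base tables plus their own indexes, and nothing else.
POLICY_FIXED = read_policy([
    table_arn("Foo"), index_arn("Foo", "*"),
    table_arn("Bar"), index_arn("Bar", "*"),
])

# The broader index pattern from the answer, with the real region/account filled in.
POLICY_ANY_INDEX = read_policy([f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/*/index/*"])


def scan_bar_allowed(policy: dict) -> bool:
    """The exact call that failed in the question: dynamodb:Scan on table/Bar."""
    return is_allowed(policy, "dynamodb:Scan", table_arn("Bar"))


def query_foo_index_allowed(policy: dict, index: str = "ByOrder") -> bool:
    """dynamodb:Query against a (constructed) secondary index on Foo."""
    return is_allowed(policy, "dynamodb:Query", index_arn("Foo", index))


if __name__ == "__main__":
    for name, pol in [("as posted", POLICY_AS_POSTED), ("fixed", POLICY_FIXED),
                      ("table/*/index/*", POLICY_ANY_INDEX)]:
        print(f"{name:16} scan Bar={scan_bar_allowed(pol)!s:5} "
              f"query Foo/index/ByOrder={query_foo_index_allowed(pol)}")
```

The trailing `/*` in the posted policy is the whole problem: `table/Bar/*` requires at least one character after `table/Bar/`, so it matches the index ARNs under Bar but never the base table ARN that Scan and Query on the table itself are authorized against. The corrected list names each table and its `index/*` explicitly rather than widening to `table/*`, so the role still cannot touch a third table. The authoritative check against a real account is the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names dynamodb:Scan --resource-arns arn:aws:dynamodb:us-east-2:342213474092:table/Bar`, which evaluates Deny statements and conditions that this simplified simulator ignores.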
