Reputation: 253
I tried to replace one of the tables in my AppSync API, and now I'm getting this error:
User: arn:aws:sts::164370900240:assumed-role/User-role-likbfqoe4zd3zd7bz5bl2y4z6i-test/APPSYNC_ASSUME_ROLE is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:164370900240:table/User-site-test (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: ...)
I have no idea how to fix this. I don't see an IAM role with that ID. What should I do?
Upvotes: 0
Views: 495
Reputation: 3683
It seems like the IAM role that you assigned to the AppSync data source, which is used by AppSync to call your DynamoDB table on your behalf, has an old policy that gives it permission to the old table but not the new table. To figure out if this is the case, you can go to the AppSync console's data source page, select the data source in question and take note of the name of the role that is assigned to the data source. Once you have the name of the IAM role, go to the IAM console, select the role, and edit the policy. If the name of the table in the policy does not match that of your new table, then update it.
Another option is to delete the data source from AppSync and then recreate it while telling the console to make a new role for you. The new role will be correctly scoped to the new table automatically when created through the AppSync console.
Upvotes: 1
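The policy check described in the answer above, as an added example that is not part of the original thread: a simplified Python evaluator that tells you whether a role policy document (as copied from the IAM console) allows `dynamodb:PutItem` on the table named in the error. The old table name `User-oldsite-test` and the sample policy are constructed for illustration, and the evaluator ignores `Condition`, `NotAction` and `NotResource`.

```python
import json
import re

# Table ARN taken from the AccessDeniedException in the question.
NEW_TABLE = "arn:aws:dynamodb:us-east-1:164370900240:table/User-site-test"
# Constructed stand-in for the replaced table; the thread does not name it.
OLD_TABLE = "arn:aws:dynamodb:us-east-1:164370900240:table/User-oldsite-test"

def make_policy(table_arn):
    """Constructed sample of a data source role policy scoped to one table."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": [table_arn, table_arn + "/*"],
        }],
    })

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def check_access(policy_json, action, resource_arn):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one policy."""
    decision = "implicit-deny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        # Action names are case-insensitive; resource ARNs are not.
        hit = (any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
               and any(_glob(r, resource_arn) for r in _as_list(stmt.get("Resource", []))))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"  # an explicit Deny always wins
        decision = "allow"
    return decision

if __name__ == "__main__":
    for label, arn in (("stale", OLD_TABLE), ("updated", NEW_TABLE)):
        print(label, check_access(make_policy(arn), "dynamodb:PutItem", NEW_TABLE))
```

An `implicit-deny` result for the new table ARN means the policy still points at the old table and needs the `Resource` entries updated.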