jyoung

Reputation: 39

AWS Lambda authority error while using DynamoDB in Lambda

I'm using AWS Lambda as the root account, but when I try to add DynamoDB as a trigger in Lambda, AWS says an authority error occurred:

Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions on your stream in IAM. 

I'm using the root account, so why did an authority error occur? I want to use the root account.

Upvotes: 2

Views: 381

Answers (2)

avisek hazra

Reputation: 96

Lambda functions use an execution role to access AWS services and resources. This can be set in the Lambda creation wizard or in the CloudFormation script.

Step 1. `Role: !GetAtt DeleteAppConfigurationsLambdaRole.Arn`. Details [here][1].

Example:

Let's create a DynamoDB table with a stream enabled, using the CFN script below.

```yaml
DynamoDBTable:
  Type: 'AWS::DynamoDB::Table'
  DeletionPolicy: Retain
  Properties:
    AttributeDefinitions:
      - AttributeName: "id"
        AttributeType: "S"
    KeySchema:
      - AttributeName: "id"
        KeyType: "HASH"
    TableName: DynamoDBTable
    SSESpecification:
      SSEEnabled: true
    # Enables the table's stream, which the Lambda trigger reads from
    StreamSpecification:
      StreamViewType: "NEW_AND_OLD_IMAGES"
```

Then create a Lambda execution role that has access to the stream, as below:

```yaml
DynamoDBStreamLambdaRole:
  Type: AWS::IAM::Role
  Properties:
    # Trust policy: lets the Lambda service assume this role
    AssumeRolePolicyDocument:
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
      Version: '2012-10-17'
    Path: /
    RoleName: "IAM-ROLE-DynamoDBStreamLambdaRole"
    Policies:
      # Inline policy: stream read actions, scoped to this table's stream
      - PolicyDocument:
          Statement:
            - Action:
                - dynamodb:DescribeStream
                - dynamodb:GetRecords
                - dynamodb:GetShardIterator
                - dynamodb:ListStreams
              Effect: Allow
              Resource: !GetAtt DynamoDBTable.StreamArn
          Version: '2012-10-17'
        PolicyName: "IAM-POLICY-DynamoDBStreamLambdaStreamaccess"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
```

Then you can attach this role to the Lambda as described in step 1.

[1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-role

Upvotes: 0

Marcin

Reputation: 238965

> I'm using root account, why authority error occurred? I want to use root account

Your function uses a Lambda execution role; your IAM user/root permissions do not apply here. You have to update the execution role with DynamoDB permissions.

Upvotes: 1
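
Both answers come down to what the function's execution role allows, not what the console user can do. The following offline check is an added example, not code from either answer: it reports which of the four stream actions from the role above a set of policy documents fails to allow on a stream ARN. The function names, the sample ARN and the account id are constructed, and the evaluator is simplified (it ignores Condition, NotAction, NotResource, permission boundaries and SCPs).

```python
import fnmatch

# The four stream actions granted by the execution role in the answer above.
REQUIRED_ACTIONS = ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                    "dynamodb:GetShardIterator", "dynamodb:ListStreams"]

def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match; action names compare case-insensitively."""
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def missing_stream_actions(policy_documents, stream_arn):
    """Return the required actions the policies do not allow on stream_arn.
    Simplified (assumption): ignores Condition, NotAction, NotResource,
    permission boundaries and SCPs. An explicit Deny overrides any Allow."""
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            if not _matches(_as_list(stmt.get("Resource")), stream_arn):
                continue
            actions = _as_list(stmt.get("Action"))
            for required in REQUIRED_ACTIONS:
                if _matches(actions, required, ignore_case=True):
                    (allowed if stmt.get("Effect") == "Allow" else denied).add(required)
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]

# Constructed sample data: placeholder account id and stream label.
STREAM_ARN = ("arn:aws:dynamodb:us-east-1:111122223333:"
              "table/DynamoDBTable/stream/2020-01-01T00:00:00.000")
# A role that can only write logs: the trigger cannot read the stream.
LOGS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}
# The inline stream policy from the role above, with the ARN resolved.
STREAM_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": STREAM_ARN, "Action": REQUIRED_ACTIONS}]}

if __name__ == "__main__":
    print("logs-only role is missing:", missing_stream_actions([LOGS_ONLY], STREAM_ARN))
    print("with stream policy, missing:",
          missing_stream_actions([LOGS_ONLY, STREAM_ACCESS], STREAM_ARN))
```

Run it against the policy documents actually attached to the execution role (for example, exported as JSON) before creating the trigger.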
