ddlkkd

Reputation: 25

Can't access DynamoDB from a Lightsail instance

I have a Lightsail instance running a simple PHP web portal, and need to access some tables in DynamoDB. If I try using the AWS SDK directly:

use Aws\Sdk;

$sdk = new Sdk([
    'version' => 'latest',
    'region' => 'ap-southeast-2'
]);

$db_client = $sdk->createDynamoDb();

then I get an access denied error when I make a query:

AccessDeniedException (client): User: arn:aws:sts::xyz:assumed-role/AmazonLightsailInstanceRole/i-xyz is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-southeast-2:xyz:table/tablename

I created an additional IAM role with DynamoDB permissions, but Lightsail isn't listed as a service that I can attach the role to. Nor am I able to see any place on the Lightsail console to attach an IAM role anyway. Additionally, all the docs that I see tell me that you can't modify Lightsail's inbuilt IAM role.

What I am able to do is set up AWS CLI on my Lightsail instance and add my security keys, then I can access DynamoDB from the CLI on my instance. However, I have no idea how to let my code use these credentials (I've seen that you can add the credentials in the SDK config, but I obviously don't want my credentials in code. It should look for them in my instance's environment variables, however, and they are definitely there).

Lightsail advertises DynamoDB integration so I know it should work, but I've been pulling my hair out trying to get access. Any ideas?

Thanks.

Upvotes: 0

Views: 1044

Answers (1)

ddlkkd

Reputation: 25

I managed to get my code to use my AWS CLI credentials in the end. Here's how I solved it.

  1. In code, specified a CredentialProvider so that it would try and use my CLI credentials, rather than defaulting to the IAM role (or I assume this is what it did anyway). Note the ini type to force it to look for a credentials file:

use Aws\Sdk;
use Aws\Credentials\CredentialProvider;

$provider = CredentialProvider::ini();

$sdk = new Sdk([
    'version' => 'latest',
    'region' => 'ap-southeast-2',
    'credentials' => $provider
]);

$db_client = $sdk->createDynamoDb();

  2. Ensured that my credentials were in my ~/.aws/credentials file.

  3. After this, I would get a different error:

CredentialsException: Cannot read credentials from /.aws/credentials

Note that it specified the .aws directory was located in /, not ~/.

  4. Copied my .aws directory to /. Made sure to set read permissions with chmod.

  5. Success.

Hopefully this helps someone else use this godforsaken service which Amazon has seemingly released without proper documentation.

Upvotes: 1
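The SDK looked in /.aws/credentials because the web server process normally has no HOME variable in its environment, so the default "~/.aws" path collapses to "/". Rather than copying the file to / and relaxing its permissions, the provider can be pointed at an explicit file. The following is an added example, not code from the answer above; it assumes aws/aws-sdk-php v3 installed via Composer, and the file path and profile name are placeholders.

```php
<?php
// Added example: read credentials from an explicit file owned by the web
// server user, after checking the file is not readable by other accounts.
// Placeholders: CREDENTIALS_FILE and PROFILE; adjust to your instance.
require 'vendor/autoload.php';

use Aws\Sdk;
use Aws\Credentials\CredentialProvider;

const CREDENTIALS_FILE = '/var/www/.aws/credentials'; // placeholder path
const PROFILE = 'default';                              // placeholder profile

/** Return $path if it exists and is mode 0600 (or stricter), else throw. */
function checkedCredentialsFile(string $path): string
{
    if (!is_file($path)) {
        throw new RuntimeException("Credentials file not found: $path");
    }
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) { // group/other bits set: readable by other accounts
        throw new RuntimeException(sprintf(
            'Credentials file %s is mode %04o; expected 0600', $path, $mode));
    }
    return $path;
}

// First try AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the process
// environment; only if those are absent, read the explicit ini file. The
// file check runs lazily, inside the chain, so a missing file does not
// matter when the environment already supplies credentials. memoize()
// caches the resolved credentials for the life of the process.
$fileProvider = function () {
    return CredentialProvider::ini(PROFILE, checkedCredentialsFile(CREDENTIALS_FILE))();
};

$provider = CredentialProvider::memoize(
    CredentialProvider::chain(CredentialProvider::env(), $fileProvider)
);

$sdk = new Sdk([
    'version'     => 'latest',
    'region'      => 'ap-southeast-2',
    'credentials' => $provider,
]);

$db_client = $sdk->createDynamoDb();
```

The credentials file should be owned by the account PHP runs as (chown) and set to mode 0600 (chmod), so the check above passes without exposing the keys to other users on the instance.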

Related Questions