Andreas

Reputation: 553

AWS Lambda - (AccessDeniedException) when calling the Scan operation User is not authorized to perform: dynamodb: Scan

I am trying to access DynamoDB via boto3 (Python) in AWS. I got this working on my local machine. As I understand it, when running in AWS it just uses IAM roles to get access. But it does not work.

  Lambda execution failed with status 200 due to customer function error: An error occurred (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts::021517822274:assumed-role/CodeStar-tt-api-subjects-Execution/awscodestar-tt-api-subjects-lambda-HelloWorld is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:021517822274:table/tt-subjects.

Nearly the same question was asked here:

How to solve (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts... is not authorized to perform: dynamodb:Scan on resource.."?

I applied the suggested AmazonDynamoDBFullAccess policy. I also tried these:

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_specific-table.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html

My own added policy (in addition) is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAndDescribe",
            "Effect": "Allow",
            "Action": [
                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/tt-subjects"
        }
    ]
}

But I still got the same error.

Does it take a long time for the policies to apply, or what else may cause this?

Upvotes: 1

Views: 4895

Answers (1)

Andreas

Reputation: 553

Now I found the answer. As I created my Lambda with CodeStar, it also created a permissions boundary.

How to solve this issue:

  • remove the boundary (not recommended)
  • extend the boundary, like this:

Edit the boundary of your lambda:

  1. Open the Lambda console
  2. Go to the Configuration tab
  3. In Execution Role, open the link to your role
  4. Now you are in the IAM role editor. Scroll down to Permissions boundary
  5. Copy that name (there is no link)
  6. In the IAM menu, go to Policies
  7. Search for the copied name
  8. Edit (extend) the policy.

In my case, regarding DynamoDB, I scrolled down to Sid 6 (might differ for you). It is an Allow block with many simple entries and a * as resource.

So I extended this block with dynamodb entries. Now it looks like this:

...
        {
            "Sid": "6",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "ec2:Describe*",
                "lambda:ListFunctions",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:PutLogEvents",
                "sns:Get*",
                "sns:List*",
                "sns:Publish",
                "sns:Subscribe",
                "xray:Put*",

                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem",

                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": [
                "*"
            ]
        },
...

Many thanks to the contributors who helped me!

Upvotes: 2
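Added example (not from the post or from AWS): a small Python model of how a permissions boundary intersects with a role's identity policy. It shows why attaching dynamodb:Scan to the role alone still yields the AccessDeniedException above, and why extending the boundary's Sid 6 fixes it. The policy documents and account id are constructed for illustration.

```python
import fnmatch

# Constructed table ARN (placeholder account id, not the one from the question).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111111111111:table/tt-subjects"

# Identity policy attached to the Lambda execution role (subset of the question's).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:Scan"],
     "Resource": "arn:aws:dynamodb:*:*:table/tt-subjects"}]}

# Boundary as CodeStar created it (illustrative): no dynamodb actions at all.
BOUNDARY_BEFORE = {"Statement": [
    {"Sid": "6", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:PutLogEvents", "xray:Put*"],
     "Resource": ["*"]}]}

# Boundary after the fix from the answer: dynamodb entries appended to Sid 6.
BOUNDARY_AFTER = {"Statement": [
    {"Sid": "6", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:PutLogEvents", "xray:Put*",
                "dynamodb:Query", "dynamodb:Scan"],
     "Resource": ["*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # IAM action names are case-insensitive; '*' wildcards apply to both fields.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def policy_allows(policy, action, resource):
    """Explicit Deny wins; otherwise a matching Allow grants; else implicit deny."""
    matching = [s for s in policy["Statement"] if _statement_matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)


def explain(identity_policy, boundary, action, resource):
    """Effective permission is the intersection: identity policy AND boundary."""
    if not policy_allows(identity_policy, action, resource):
        return "denied by identity policy"
    if not policy_allows(boundary, action, resource):
        return "denied by permissions boundary"
    return "allowed"
```

Running `explain(IDENTITY_POLICY, BOUNDARY_BEFORE, "dynamodb:Scan", TABLE_ARN)` reports the boundary as the blocker, which matches the situation in the question where adding role policies had no effect.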
