Sedhu
Reputation: 773
Access Denied Error while inserting into Aws Timestream on Serverless Stack
I'm trying insert a record into my aws timestream table. And its getting resulted in a access denied error.
Here is the permission on serverless.yml
- Effect: Allow
Action:
- timestream:*
Resource:
- arn:aws:timestream:${self:provider.region}:*:database/*
- arn:aws:timestream:${self:provider.region}:*:database/*/*/*
Iam role detail for the lambda.
{
"Action": [
"timestream:*"
],
"Resource": [
"arn:aws:timestream:us-east-1:*:database/*",
"arn:aws:timestream:us-east-1:*:database/*/*/*"
],
"Effect": "Allow"
},
Record Sample
{
"DatabaseName": "developmentreportsdb",
"TableName": "developmenteventstable",
"Records": [
{
"Dimensions": [
{
"Name": "accountId",
"Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
},
{
"Name": "userId",
"Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
}
],
"MeasureName": "ACCOUNT.NEW",
"MeasureValue": "6921e43e-266c-4adf-8a69-d90bd8743d1b",
"MeasureValueType": "VARCHAR",
"Time": "1644234263813",
"TimeUnit": "MILLISECONDS",
"Version": 1
}
]
}
Error Details:
Error writing records: AccessDeniedException: User: arn:aws:sts::344128203239:assumed-role/development-us-east-1-lambdaRole/development-worker is not authorized to perform: timestream:DescribeEndpoints because no identity-based policy allows the timestream:DescribeEndpoints action
TIA. What is missing here?
Upvotes: 1
Views: 2131
Answers (1)
Pawan Kumar
Reputation: 66
Describe endpoint permission is required to resolve the endpoint where timestream SDK has to connect. It is required for both read and write access.
Following example for a policy where only read access is permitted to the user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "timestream:Select",
"Resource": "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"timestream:DescribeEndpoints"
],
"Resource": "*"
}
]}
Here is an example minimum permissions required of only write access to the user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"timestream:WriteRecords"
],
"Resource": [
"arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"timestream:DescribeEndpoints"
],
"Resource": "*"
}
]}
Here is an example where user has both permissions (Read + Write)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"timestream:WriteRecords",
"timestream:Select"
],
"Resource": [
"arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"timestream:DescribeEndpoints"
],
"Resource": "*"
}
]}
Upvotes: 5
Related Questions
- Role is not authorized to perform DescribeStream on KinesisStream
- Insert into AWS Timestream using API
- AWS timestream-write gets "An error occurred (AccessDeniedException) when calling the DescribeEndpoints operation: This operation is not allowed."
- AWS S3 & Serverless - Access Denied when using PUT presigned URL
- AWS Timestream: Unable to ingest records into AWS Timestream
- serverless s3 upload access denied
- Log Stream Not creating when i run lambda using serverless
- Serverless: sqs:CreateQueue Access ... denied
- CloudFormation Lambda S3 bucket access denied
- CloudFormation, Lambda, S3 - Access denied by s3