AWS Lambda Deployment - AccessDeniedException

Time:12-21

I have deployed an AWS Lambda app that uses DynamoDB, but when I run the Lambda function I am getting the following errors:

START RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Version: $LATEST
2021-12-20T06:32:08.533Z    325ce8ea-ed86-404c-8756-ee46dbefae35    ERROR   query-error: AccessDeniedException: User: arn:aws:sts::579450367668:assumed-role/lead-management-app-dev-eu-west-1-lambdaRole/lead-management-app-dev-submitLeadForm is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index
END RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35
REPORT RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35  Duration: 14.83 ms  Billed Duration: 15 ms  Memory Size: 1024 MB    Max Memory Used: 81 MB  

How can I solve this issue?

I am attaching my serverless.ts below:

    /* eslint no-use-before-define: 0 */
    
    import type { AWS } from "@serverless/typescript";
    
    // DynamoDB
    import dynamoDbTables from "./resources/dynamodb-tables";
    
    // Functions
    import functions from "./resources/functions";
    
    const serverlessConfiguration: AWS = {
      service: "lead-management-app",
      frameworkVersion: "2",
      custom: {
        region: "${opt:region, self:provider.region}",
        stage: "${opt:stage, self:provider.stage}",
        prefix: "${self:service}-${self:custom.stage}",
        lead_table: "${self:service}-leads-${opt:stage, self:provider.stage}",
        interest_table:
          "${self:service}-interests-${opt:stage, self:provider.stage}",
        table_throughputs: {
          prod: 5,
          default: 1,
        },
        table_throughput:
          "${self:custom.table_throughputs.${self:custom.stage}, self:custom.table_throughputs.default}",
        dynamodb: {
          stages: ["dev"],
          start: {
            port: 8008,
            inMemory: true,
            heapInitial: "200m",
            heapMax: "1g",
            migrate: true,
            seed: true,
            convertEmptyValues: true,
            // Uncomment only if you already have a DynamoDB running locally
            // noStart: true
          },
        },
        ["serverless-offline"]: {
          httpPort: 3000,
          babelOptions: {
            presets: ["env"],
          },
        },
        profile: {
          prod: "prodAccount",
          dev: "devAccount",
        },
      },
      plugins: [
        "serverless-bundle",
        "serverless-dynamodb-local",
        "serverless-offline",
        "serverless-dotenv-plugin",
      ],
      provider: {
        name: "aws",
        runtime: "nodejs14.x",
        stage: "dev",
        region: "ap-south-1",
        apiGateway: {
          minimumCompressionSize: 1024,
          shouldStartNameWithService: true,
        },
        environment: {
          AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1",
          NODE_OPTIONS: "--enable-source-maps --stack-trace-limit=1000",
          REGION: "${self:custom.region}",
          STAGE: "${self:custom.stage}",
          LEADS_TABLE: "${self:custom.lead_table}",
          INTERESTS_TABLE: "${self:custom.interest_table}",
        },
        iamRoleStatements: [
          {
            Effect: "Allow",
            Action: [
              "dynamodb:DescribeTable",
              "dynamodb:Query",
              "dynamodb:Scan",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:UpdateItem",
              "dynamodb:DeleteItem",
            ],
            Resource: [
              { "Fn::GetAtt": ["LeadsTable", "Arn"] },
              { "Fn::GetAtt": ["InterestsTable", "Arn"] },
            ],
          },
        ],
        profile: "${self:custom.profile.${self:custom.stage}}",
        lambdaHashingVersion: "20201221",
      },
      // import the function via paths
      functions,
      package: { individually: true },
      resources: {
        Resources: dynamoDbTables,
      },
    };
    
    module.exports = serverlessConfiguration;

Can this be solved through the app, or should I grant the permission from the AWS console?

Is there any recommended permission list that I should grant?

CodePudding user response:

You will need to attach the following permission (at least, and probably more) to the role lead-management-app-dev-eu-west-1-lambdaRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query"
            ],
            "Resource": "arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index",
            "Effect": "Allow"
        }
    ]
}

If you're doing this within the AWS console, you can locate the Execution role within Permissions/Configuration for the Lambda function.
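As an added example (not the poster's serverless.ts and not Serverless Framework code), here is how the `iamRoleStatements` entry can be built so that it covers the tables' secondary indexes as well, next to a small resolver that shows why the table-only statement from the question rejects the `dynamodb:Query` in the error above. It assumes the logical IDs `LeadsTable` and `InterestsTable` from the question's `Fn::GetAtt` references; the `allows` check is a simplified stand-in for IAM's resource matching, not the real evaluator.

```typescript
// Added example: a CloudFormation ARN reference is either Fn::GetAtt or Fn::Join.
type CfnRef =
  | { "Fn::GetAtt": [string, string] }
  | { "Fn::Join": [string, (string | CfnRef)[]] };

interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: CfnRef[];
}

// Same action list as the question's serverless.ts.
const TABLE_ACTIONS = [
  "dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
  "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
];

function tableArn(logicalId: string): CfnRef {
  return { "Fn::GetAtt": [logicalId, "Arn"] };
}

// A Query against a GSI is authorised on <table-arn>/index/<index-name>. Fn::GetAtt
// on the table only yields the table ARN, so the index ARN is appended with Fn::Join.
function indexArn(logicalId: string, indexName = "*"): CfnRef {
  return { "Fn::Join": ["/", [tableArn(logicalId), "index", indexName]] };
}

// The question's statement (tables only) versus one that also covers their indexes.
function tablesOnly(ids: string[]): IamStatement {
  return { Effect: "Allow", Action: TABLE_ACTIONS, Resource: ids.map(tableArn) };
}
function tablesAndIndexes(ids: string[]): IamStatement {
  const Resource = ids.flatMap((id) => [tableArn(id), indexArn(id)]);
  return { Effect: "Allow", Action: TABLE_ACTIONS, Resource };
}

// Resolve the intrinsics to a concrete ARN, given what Fn::GetAtt returns at deploy time.
function resolve(ref: CfnRef, attrs: Record<string, string>): string {
  if ("Fn::GetAtt" in ref) return attrs[ref["Fn::GetAtt"][0]];
  const [sep, parts] = ref["Fn::Join"];
  return parts.map((p) => (typeof p === "string" ? p : resolve(p, attrs))).join(sep);
}

// Simplified IAM check: Allow effect, action listed, and '*' in a policy ARN matches anything.
function allows(stmt: IamStatement, action: string, arn: string,
                attrs: Record<string, string>): boolean {
  if (stmt.Effect !== "Allow" || !stmt.Action.includes(action)) return false;
  const escape = (s: string) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return stmt.Resource.some((r) => {
    const pattern = resolve(r, attrs).split("*").map(escape).join(".*");
    return new RegExp(`^${pattern}$`).test(arn);
  });
}
```

The `indexArn` form with the default `"*"` is what the `Resource` array in the question's `iamRoleStatements` is missing; it resolves at deploy time to `<table-arn>/index/*`, which covers `emai_index` and any index added later.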

CodePudding user response:

The role assumed by your Lambda function does not have the required permissions to access the DynamoDB table. To solve this, you need to attach the appropriate policy to your Lambda function role.

This page contains a policy that grants Read/Write access to your lambda function.
