i have deployed a aws lambda app that uses dynamodb but when i run the lambda fuction i am getting following errors
START RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Version: $LATEST
2021-12-20T06:32:08.533Z 325ce8ea-ed86-404c-8756-ee46dbefae35 ERROR query-error: AccessDeniedException: User: arn:aws:sts::579450367668:assumed-role/lead-management-app-dev-eu-west-1-lambdaRole/lead-management-app-dev-submitLeadForm is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index
END RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35
REPORT RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Duration: 14.83 ms Billed Duration: 15 ms Memory Size: 1024 MB Max Memory Used: 81 MB
how can i solve this issue ?
I am attching my serverless.ts below
/* eslint no-use-before-define: 0 */
import type { AWS } from "@serverless/typescript";
// DynamoDB
import dynamoDbTables from "./resources/dynamodb-tables";
// Functions
import functions from "./resources/functions";
const serverlessConfiguration: AWS = {
service: "lead-management-app",
frameworkVersion: "2",
custom: {
region: "${opt:region, self:provider.region}",
stage: "${opt:stage, self:provider.stage}",
prefix: "${self:service}-${self:custom.stage}",
lead_table: "${self:service}-leads-${opt:stage, self:provider.stage}",
interest_table:
"${self:service}-interests-${opt:stage, self:provider.stage}",
table_throughputs: {
prod: 5,
default: 1,
},
table_throughput:
"${self:custom.table_throughputs.${self:custom.stage}, self:custom.table_throughputs.default}",
dynamodb: {
stages: ["dev"],
start: {
port: 8008,
inMemory: true,
heapInitial: "200m",
heapMax: "1g",
migrate: true,
seed: true,
convertEmptyValues: true,
// Uncomment only if you already have a DynamoDB running locally
// noStart: true
},
},
["serverless-offline"]: {
httpPort: 3000,
babelOptions: {
presets: ["env"],
},
},
profile: {
prod: "prodAccount",
dev: "devAccount",
},
},
plugins: [
"serverless-bundle",
"serverless-dynamodb-local",
"serverless-offline",
"serverless-dotenv-plugin",
],
provider: {
name: "aws",
runtime: "nodejs14.x",
stage: "dev",
region: "ap-south-1",
apiGateway: {
minimumCompressionSize: 1024,
shouldStartNameWithService: true,
},
environment: {
AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1",
NODE_OPTIONS: "--enable-source-maps --stack-trace-limit=1000",
REGION: "${self:custom.region}",
STAGE: "${self:custom.stage}",
LEADS_TABLE: "${self:custom.lead_table}",
INTERESTS_TABLE: "${self:custom.interest_table}",
},
iamRoleStatements: [
{
Effect: "Allow",
Action: [
"dynamodb:DescribeTable",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
],
Resource: [
{ "Fn::GetAtt": ["LeadsTable", "Arn"] },
{ "Fn::GetAtt": ["InterestsTable", "Arn"] },
],
},
],
profile: "${self:custom.profile.${self:custom.stage}}",
lambdaHashingVersion: "20201221",
},
// import the function via paths
functions,
package: { individually: true },
resources: {
Resources: dynamoDbTables,
},
};
module.exports = serverlessConfiguration;
can this be solved through the app or should i grant the permission form aws console?
are there any recommended permission list that i should grant ?
CodePudding user response:
You will need to attach the following permission (at least, and probably more) to the role lead-management-app-dev-eu-west-1-lambdaRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index",
"Effect": "Allow"
}
]
}
If you're doing this within the AWS console, you can locate the Execution role within Permissions/Configuration for the Lambda function.
CodePudding user response:
The role assumed by your lambda function does not have required permissions to access the Dynamo Db table. To solve this, you need to attach the appropriate policy to your lambda function role.
This page contains a policy that grants Read/Write access to your lambda function.