AWS Lambda doesn't have DynamoDB permissions when invoked by URL/API Gateway

Time:07-13

We have a pair of existing AWS Lambda functions that read/write from a DynamoDB table. I created a new function and table; the function is very basic, just does a putItem on the DynamoDB table. I can successfully invoke it with the test functionality in Lambda. However, if I invoke the Lambda function using the FunctionURL or via API Gateway, I get the following error. [Screenshot: Logs]

Yet in Configuration > Permissions in the Lambda interface I clearly see the permission. [Screenshot: Lambda Config]

Suggestions where to check next? Comparison to our existing, working functions hasn't revealed anything; everything I have checked is configured the same.

Thanks!

CodePudding user response:

When you invoke the Lambda function in the Lambda console, Lambda is using an execution role.

When you invoke the Lambda function via API Gateway or via the function URL, it is likely that you are using IAM authorization. As a result, Lambda is using the role of the principal who invoked the function (in this case, PatientWellnessDeregistration-role-3ospc0u3).

The execution role is configured correctly, but the IAM role of the principal is lacking the required permissions.

Further reading:

https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html

CodePudding user response:

What you could optionally check is that API Gateway is authorized to call your new Lambda. If so, then the Resource-based policy of the Lambda (still in the Permissions tab) should have something similar to:

Resource-based policy example:
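One way to run the check this answer describes, as an added example that is not part of the original answer: the script below inspects the JSON string that `aws lambda get-policy` returns in its `Policy` field and reports whether API Gateway is allowed to invoke the function and whether that grant is scoped to a source ARN. The sample policy, account ID, region, API ID and function name are constructed placeholders.

```python
import json

# Constructed sample of a Lambda resource-based policy; every identifier is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "example-apigw-invoke",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
        "Condition": {"ArnLike": {"AWS:SourceArn":
            "arn:aws:execute-api:us-east-1:111122223333:abc123/*/POST/items"}},
    }],
})

def _as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def apigw_invoke_statements(policy_json):
    """Return (Sid, source ARNs) for each Allow statement letting API Gateway invoke."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # case-insensitive
        if stmt.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        if not any(a in ("lambda:invokefunction", "lambda:*", "*") for a in actions):
            continue
        sources = []  # stays empty when no aws:SourceArn condition restricts the grant
        for keys in stmt.get("Condition", {}).values():
            for key, val in keys.items():
                if key.lower() == "aws:sourcearn":
                    sources += _as_list(val)
        hits.append((stmt.get("Sid"), sources))
    return hits

def audit(policy_json):
    """Summarise the finding: MISSING, UNSCOPED (any API may invoke) or OK."""
    hits = apigw_invoke_statements(policy_json)
    if not hits:
        return "MISSING"
    return "UNSCOPED" if any(not src for _, src in hits) else "OK"

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY), apigw_invoke_statements(SAMPLE_POLICY))
```
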
