My whole solution (infrastructure code and the actual lambda) are all

When I check the CloudWatch logs, I can see an error, and the error message says that my lambda does not have permissions to do a Scan on my DynamoDB table! At least that's my understanding of the error message:

2022/09/11 15:32:30 could not scan the dyanmodb table! error: operation error DynamoDB: Scan, https response error StatusCode: 400, RequestID: 8JTBR7LIJ6H6UERR0NSM1U28EBVV4KQNSO5AEMVJF66Q9ASUAAJG, api error AccessDeniedException: User: arn:aws:sts::777650698697:assumed-role/GoTodoAppStack-FunctionServiceRole675BB04A-VIK6COW772H2/GoTodoAppStack-Function76856677-333lC1zqdKCi is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-west-2:777650698697:table/GoTodoAppStack-tasks86073811-5DY3UBZUCHI6 because no identity-based policy allows the dynamodb:Scan action

If you take a close look at the

If I then click the link to the Execution Role associated with the Lambda, I get:

As you can see, it has the right permissions!

CodePudding user response：

The AWS region is different on the error log you provided and on the IAM role. The region on the error is us-west-2 but the region on the role permissions is eu-west-2.

It seems that you hardcoded the region on your lambda handler in /main/api/getitems/handler.go line 31.

CodePudding user response：

Try adding this policy to your lambda role (this is typescript):

handler.addToRolePolicy(new PolicyStatement({ resources: [table.tableArn], actions: ['dynamodb:Scan'] }));

or

table.grant(handler, ['dynamodb:Scan']);