Home > database >  AWS Lambda cannot Scan DyanmoDB table even when granted Read & Write permissions
AWS Lambda cannot Scan DyanmoDB table even when granted Read & Write permissions

Time:09-13

My whole solution (infrastructure code and the actual lambda) are all enter image description here

When I check the CloudWatch logs, I can see an error, and the error message says that my lambda does not have permissions to do a Scan on my DynamoDB table! At least that's my understanding of the error message:

2022/09/11 15:32:30 could not scan the dyanmodb table! error: operation error DynamoDB: Scan, https response error StatusCode: 400, RequestID: 8JTBR7LIJ6H6UERR0NSM1U28EBVV4KQNSO5AEMVJF66Q9ASUAAJG, api error AccessDeniedException: User: arn:aws:sts::777650698697:assumed-role/GoTodoAppStack-FunctionServiceRole675BB04A-VIK6COW772H2/GoTodoAppStack-Function76856677-333lC1zqdKCi is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-west-2:777650698697:table/GoTodoAppStack-tasks86073811-5DY3UBZUCHI6 because no identity-based policy allows the dynamodb:Scan action

If you take a close look at the lambda permissions

If I then click the link to the Execution Role associated with the Lambda, I get:

enter image description here

As you can see, it has the right permissions!

CodePudding user response:

The AWS region is different on the error log you provided and on the IAM role. The region on the error is us-west-2 but the region on the role permissions is eu-west-2.

It seems that you hardcoded the region on your lambda handler in /main/api/getitems/handler.go line 31.

CodePudding user response:

Try adding this policy to your lambda role (this is typescript):

handler.addToRolePolicy(new PolicyStatement({ resources: [table.tableArn], actions: ['dynamodb:Scan'] }));

or

table.grant(handler, ['dynamodb:Scan']);
  • Related