InvalidParameterValueException: Cannot access stream

Time: 11-18

I am trying to create a DynamoDB table and Lambda trigger using Terraform. This is how I define the table, role policy and Lambda trigger:

resource "aws_dynamodb_table" "filenames" {
  name           = local.dynamodb_table_filenames
  billing_mode   = "PROVISIONED"
  read_capacity  = 1000
  write_capacity = 1000
  hash_key       = "filename"
  stream_enabled = true
  stream_view_type = "NEW_IMAGE"

  #range_key      = ""

  attribute {
    name = "filename"
    type = "S"
  }

  tags = var.tags
}

resource "aws_iam_role_policy" "dynamodb_policy" {
  policy = jsonencode(
  {
    Version: "2012-10-17",
    Statement: [
      {
        Action: [
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem",
          "dynamodb:Query",
          "dynamodb:GetRecords",
          "dynamodb:GetShardIterator",
          "dynamodb:DescribeStream",
          "dynamodb:ListShards",
          "dynamodb:ListStreams",
        ],
        Effect: "Allow",
        Resource: aws_dynamodb_table.filenames.arn
      }
    ]
  }
  )
  role = aws_iam_role.processing_lambda_role.id
}

resource "aws_lambda_event_source_mapping" "allow_dynamodb_table_to_trigger_lambda" {
  event_source_arn  = aws_dynamodb_table.filenames.stream_arn
  function_name     = aws_lambda_function.trigger_stepfunction_lambda.arn
  starting_position = "LATEST"
}

I am getting this error even though I have already added the relevant policies to the role:

error creating Lambda Event Source Mapping (arn:aws:dynamodb:eu-central-12:table/tablename/stream): InvalidParameterValueException: Cannot access stream arn:aws:dynamodb:eu-central-1:299093934558:table/4tablename/stream. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions on your stream in IAM.

How can I fix this?

CodePudding user response:

The stream actions apply to streams, not to tables. The ARN for a stream has the form:

arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel}

Thus, you should use (or something equivalent):

Resource: "${aws_dynamodb_table.filenames.arn}/stream/*"

or, more generally:

Resource: "${aws_dynamodb_table.filenames.arn}/*"
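A worked version of the fix, added here as an example rather than taken from the answer above or the original poster's configuration. It keeps the resource names from the question (`aws_iam_role.processing_lambda_role`, `aws_dynamodb_table.filenames`, `aws_lambda_function.trigger_stepfunction_lambda`) and splits the policy into one statement per ARN type, so the item actions stay scoped to the table and the stream actions are scoped to the stream. It uses the table's `stream_arn` attribute (the exact `.../table/<name>/stream/<label>` value the event source mapping already references) instead of the `/stream/*` wildcard; the `depends_on` on the mapping is an added caveat, not something the page states, and reflects that Lambda checks the role's stream permissions when the mapping is created:

```hcl
# Added example, not the original poster's code or the answer's exact text.
# Resource names follow the question; everything else is an assumption.

resource "aws_iam_role_policy" "dynamodb_policy" {
  role = aws_iam_role.processing_lambda_role.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Item-level actions are evaluated against the *table* ARN.
        Sid    = "TableItemAccess"
        Effect = "Allow"
        Action = [
          "dynamodb:GetItem",
          "dynamodb:PutItem",
          "dynamodb:UpdateItem",
          "dynamodb:Query",
        ]
        Resource = aws_dynamodb_table.filenames.arn
      },
      {
        # Stream actions are evaluated against the *stream* ARN
        # (table ARN + "/stream/<label>"). The table ARN never matches it,
        # which is why the original policy produced "Cannot access stream".
        # stream_arn is the exact ARN; "${aws_dynamodb_table.filenames.arn}/stream/*"
        # would also work and survives the label changing if the stream is re-created.
        Sid    = "StreamReadAccess"
        Effect = "Allow"
        Action = [
          "dynamodb:GetRecords",
          "dynamodb:GetShardIterator",
          "dynamodb:DescribeStream",
          "dynamodb:ListShards",
          "dynamodb:ListStreams",
        ]
        Resource = aws_dynamodb_table.filenames.stream_arn
      },
    ]
  })
}

resource "aws_lambda_event_source_mapping" "allow_dynamodb_table_to_trigger_lambda" {
  event_source_arn  = aws_dynamodb_table.filenames.stream_arn
  function_name     = aws_lambda_function.trigger_stepfunction_lambda.arn
  starting_position = "LATEST"

  # Assumption/caveat: Lambda validates the role's access to the stream when the
  # mapping is created, so make sure the inline policy is attached first rather
  # than relying on Terraform's implicit ordering.
  depends_on = [aws_iam_role_policy.dynamodb_policy]
}
```

After `terraform apply`, `aws lambda get-event-source-mapping --uuid <id>` should report the mapping as Enabled. If the same error appears once on a fresh apply even with the split policy, it is usually IAM propagation delay; re-running the apply resolves it without changing the configuration.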