IAM role not clear for connecting API Gateway and DynamoDB

0

Doing this tutorial, https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/.

Statement from tutorial:

Before you proceed, create an AWS Identity and Access Management (IAM) role that has permission to call the DynamoDB API PutItem for the Comments table; this role must have a service trust relationship to API Gateway. For more information on IAM policies and roles, see the Overview of IAM Policies topic.

Question: What specific role should one create in order to allow API gateway test requests to write to DynamoDB? My tests aren't currently writing. The role I placed in API Gateway setup looks like this: arn:aws:iam::MYACCOUNTID:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication

1 Answer
0
Accepted Answer

The trust relationship for this role is for replication.dynamodb.amazonaws.com and not for apigateway.amazonaws.com.

You should go to the IAM console, create a new role, choose API Gateway and later add the appropriate policy to write to DynamoDB.

Eventually your role should include the following policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:eu-west-1:xxxxxxxx:table/Comments"
        }
    ]
}

and

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
AWS EXPERT
Uri
answered 4 years ago
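
A quick offline check of the two policy documents, added here as an example and not part of the original answer: it tests whether a trust policy lets apigateway.amazonaws.com assume the role and whether a permission policy allows dynamodb:PutItem on the table. The function names are hypothetical, the replication trust document is constructed from the answer's description, and the matcher is simplified (it ignores Condition, NotAction, NotResource and NotPrincipal).

```python
import fnmatch

def as_list(value):
    # IAM accepts a single value or a list in Statement, Action, Resource, Service.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def service_can_assume(trust_policy, service):
    """True if an Allow statement lets `service` call sts:AssumeRole."""
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if (stmt.get("Effect") == "Allow" and service in services
                and any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions)):
            return True
    return False

def policy_allows(permission_policy, action, resource):
    """True if an Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in as_list(permission_policy.get("Statement")):
        acts = [a.lower() for a in as_list(stmt.get("Action"))]
        hit = (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
               and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt.get("Resource"))))
        if hit and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def trust_for(service):
    # Hypothetical helper: builds a trust policy shaped like the answer's second document.
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}

TABLE = "arn:aws:dynamodb:eu-west-1:xxxxxxxx:table/Comments"  # ARN as written in the answer
REPLICATION_TRUST = trust_for("replication.dynamodb.amazonaws.com")  # constructed sample
APIGW_TRUST = trust_for("apigateway.amazonaws.com")
PUT_ITEM = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "dynamodb:PutItem", "Resource": TABLE}]}

if __name__ == "__main__":
    for name, doc in (("replication role", REPLICATION_TRUST), ("new role", APIGW_TRUST)):
        ok = service_can_assume(doc, "apigateway.amazonaws.com")
        print(f"{name}: API Gateway can assume = {ok}")
    print("PutItem on Comments:", policy_allows(PUT_ITEM, "dynamodb:PutItem", TABLE))
```

The same functions can be fed the JSON returned for a real role once it is loaded into a dict; an explicit Deny anywhere in the document overrides a matching Allow.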
