AccessDeniedException when trying to test lambda using the dashboard.

0

Using the CodeStar Python webservice as starting point I have created a lambda function to write data to DynamoDB.

Using "sam local start-api" CLI the tests go well and the items appear on the DynamoDB (checking with the dashboard).

However when I try to test the lambda function from the dashboard (Services > Lambda > Functions > "<MyLambda>" > Test) I get an AccessDeniedException in the form:

"An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::xxx:assumed-role/CodeStar-<myproject>-Execution/awscodestar-<myproject>-lambda-<mylambda> is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-west-2:<mytable>"

Here is part of my modified template.yml:

LambdaExecutionRole:
Description: Creating service role in IAM for AWS Lambda
Type: AWS::IAM::Role
Properties:
RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [lambda.amazonaws.com]
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB
- arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'

Can someone help?

demandé il y a 5 ans840 vues
1 réponse
0

Turns out that what I was doing wrong was creating the DynamoDB in the dashboard.

Once I deleted it and used the Cloudformation template associated to the CodeStar project to create it as well the lambda started to work.

If someone is having the same difficulty, use the role provided above and make sure the db is also created from template.yml, like below:

...
Resources:
RawRequests:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: TimeStamp
AttributeType: S
KeySchema:
- AttributeName: TimeStamp
KeyType: HASH
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
TableName: RawRequests
...

Cheers

répondu il y a 5 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions