Cannot attach Trigger to DynamoDB Table

Question

I'm trying to attach a trigger which will invoke a Lambda function when a dynamoDB table is updated. (Briefly, this is aggregating results from one table to another.)

I get an error:
InvalidParameterValueException: Cannot access stream arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]/stream/[DATETIME]. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM.

This occurs both if I try to attach a trigger to the function and point at the table, and if I try to create a new (or attach an existing) function on the table.

In the attached role, I have added an in-line policy:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
				"dynamodb:GetShardIterator",
				"dynamodb:DescribeStream",
				"dynamodb:GetRecords",
				"dynamodb:ListStreams"
			],
			"Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]//stream/*"
		},
		{
			"Sid": "VisualEditor2",
			"Effect": "Allow",
			"Action": "dynamodb:PutItem",
			"Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE2]"
		}
	]
}

Accepted Answer

Hello.

Will it succeed if I attach "AmazonDynamoDBReadOnlyAccess" to Lambda's IAM role?  
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDynamoDBReadOnlyAccess.html

Also, since "Resource" is "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]//stream/\*", "arn:aws:dynamodb:[LOCATION]:[ACCOUNT] ]:table/[TABLE1]/stream/\*".  
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]/stream/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE2]"
        }
    ]
}
```

Cannot attach Trigger to DynamoDB Table

관련 콘텐츠