IAM role not clear for connecting API Gateway and DynamoDB

Doing this tutorial, https://aws.amazon.com/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/.

Statement from tutorial:

Before you proceed, create an AWS Identity and Access Management (IAM) role that has permission to call the DynamoDB API PutItem for the Comments table; this role must have a service trust relationship to API Gateway. For more information on IAM policies and roles, see the Overview of IAM Policies topic.

Question: What specific role should one create in order to allow API gateway test requests to write to DynamoDB? My tests aren't currently writing. The role I placed in API Gateway setup looks like this: arn:aws:iam::MYACCOUNTID:role/aws-service-role/replication.dynamodb.amazonaws.com/AWSServiceRoleForDynamoDBReplication

1 Answer
Accepted Answer

The trust relationship for this role is for replication.dynamodb.amazonaws.com and not for apigateway.amazonaws.com.

You should go to the IAM console, create a new role, choose API Gateway and later add the appropriate policy to write to DynamoDB.

Eventually your role should include the following policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:eu-west-1:xxxxxxxx:table/Comments"
        }
    ]
}

and

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Uri (AWS, EXPERT)
answered 4 years ago
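
The check behind the answer above, as an added example that is not part of the original post or of any AWS tooling: given a role's trust policy and permission policy as JSON, it reports why API Gateway cannot write through that role. The function names and `REPLICATION_TRUST` (built from the answer's description of the replication role) are assumptions, and the matcher is simplified: it ignores `Deny`, `NotAction`, `NotResource` and `Condition`.

```python
from fnmatch import fnmatchcase

def as_list(value):
    # IAM accepts either a single value or a list for these fields.
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))):
            found.update(as_list(principal.get("Service", [])))
    return found

def allows(policy, action, resource):
    """Approximate check: some Allow statement matches the action and resource."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        resources = as_list(stmt.get("Resource", []))
        if (any(fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False

def diagnose(trust_policy, permission_policy, service, action, resource):
    """Return the reasons the service cannot perform the action via this role."""
    problems = []
    if service not in trusted_services(trust_policy):
        problems.append(f"{service} cannot assume this role")
    if not allows(permission_policy, action, resource):
        problems.append(f"role does not allow {action} on {resource}")
    return problems

# Account id is the placeholder used on the page.
TABLE = "arn:aws:dynamodb:eu-west-1:xxxxxxxx:table/Comments"
# Constructed sample: a trust policy naming the replication service only.
REPLICATION_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "replication.dynamodb.amazonaws.com"}}]}
# The two policies from the answer.
APIGW_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "apigateway.amazonaws.com"}}]}
PUT_ITEM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": "dynamodb:PutItem", "Resource": TABLE}]}
```

Calling `diagnose(REPLICATION_TRUST, PUT_ITEM_POLICY, "apigateway.amazonaws.com", "dynamodb:PutItem", TABLE)` reports the trust problem from the question, while the same call with `APIGW_TRUST` returns an empty list.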
