By using AWS re:Post, you agree to the Terms of Use
/How do you add permission for a scheduled lambda function to query a DynamoDB table?/

How do you add permission for a scheduled lambda function to query a DynamoDB table?

0

In my amplify application I need a lambda function to execute once a day and query a Database table for records matching certain criteria and send an e-mail if they are found.

I added a secondary index in my graphql schema with the fields I wanted to use. I then generated a lambda function with amplify and added this statement to the execution policy:

      {
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Query"
            ],
            "Resource": "arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod",
            "Effect": "Allow"
        },

I can see the permissions in the created role but when I test the function I get the following error message:

"message":"User: arn:aws:sts::#redacted#:assumed-role/crnLambdaRole0600f8a6-prod/sendReminders-prod is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:#redacted#:table/Request/index/requestsByDate because no identity-based policy allows the dynamodb:Query action"

How do I go about granting the correct permissions to my lambda function or is there some other reason I might get this error?

2 Answers
2
Accepted Answer

Hi, you need to update the policy to allow you access to the index as well as the base table. Modify the Resource part of the policy to include the index:

      {
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Query"
            ],
            "Resource": [
               "arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod",
               "arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod/index/*"
             ],
            "Effect": "Allow"
        },

See more here

answered 18 days ago
1

Hi There.

I understand you are finding issues when you add permissions for a scheduled lambda function to query a DynamoDB table and you are getting an error :

"message":"User: arn:aws:sts::#redacted#:assumed-role/crnLambdaRole0600f8a6-prod/sendReminders-prod is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:#redacted#:table/Request/index/requestsByDate because no identity-based policy allows the dynamodb:Query action"

Please note that for a DynamoDB index, the resource path is different. So you need to add the index path as well in iamRoleStatements.

For example:

{

        "Action": [

            "dynamodb:GetItem",

            "dynamodb:Query"

        ],

    “Resource”: 

"arn:aws:dynamodb:${self:provider.region}::table/${self:provider.environment.DYNAMODB_DATA}/index/”,

        "Effect": "Allow"

    },

For further understanding please refer to the document [1]

Please also note that the following need to be confirmed

Your Lambda function execution role and that you have the necessary permissions for DynamoDB table on AWS Managed policy "AmazonDynamoDBFullAccess" attached to the role.

Then further check you have permissions boundary attached to the role and it only has the table ARN permissions. Because you are querying on the index, you will be adding "arn:aws:dynamodb:${self:provider.region}::table/${self:provider.environment.DYNAMODB_DATA}/index/” to the resource as mentioned in the permissions boundary policy.

I hope you find this information helpful.

=========References==========

[1] https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html

answered 18 days ago
  • Thank you for your answer, both you and Leeroy had the information I needed. I'm accepting Leeroy's answer since it is more succinct.

  • Thank you, I am happy that you have resolved your issue.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions