Hi, you need to update the policy to allow you access to the index as well as the base table. Modify the Resource
part of the policy to include the index:
{
"Action": [
"dynamodb:GetItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod",
"arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod/index/*"
],
"Effect": "Allow"
},
See more here
Hi There.
I understand you are finding issues when you add permissions for a scheduled Lambda function to query a DynamoDB table and you are getting an error:
"message":"User: arn:aws:sts::#redacted#:assumed-role/crnLambdaRole0600f8a6-prod/sendReminders-prod is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:#redacted#:table/Request/index/requestsByDate because no identity-based policy allows the dynamodb:Query action"
Please note that for a DynamoDB index, the resource path is different. So you need to add the index path as well in iamRoleStatements.
For example:
{
"Action": [
"dynamodb:GetItem",
"dynamodb:Query"
],
"Resource":
"arn:aws:dynamodb:${self:provider.region}::table/${self:provider.environment.DYNAMODB_DATA}/index/*",
"Effect": "Allow"
},
For further understanding please refer to the document [1]
Please also note that the following need to be confirmed:
Your Lambda function execution role, and that you have the necessary permissions for the DynamoDB table via the AWS managed policy "AmazonDynamoDBFullAccess" attached to the role.
Then further check whether you have a permissions boundary attached to the role and whether it only has the table ARN permissions. Because you are querying on the index, you will be adding "arn:aws:dynamodb:${self:provider.region}::table/${self:provider.environment.DYNAMODB_DATA}/index/*" to the resource in the permissions boundary policy as mentioned.
I hope you find this information helpful.
=========References==========
[1] https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html
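Both answers come down to the same point: an IAM resource ARN for the base table does not match the index ARN, so `dynamodb:Query` against a GSI is denied until `table/NAME/index/*` is granted too. The following is an added example, not code from either answer, that reproduces that matching offline with IAM's `*`/`?` wildcard semantics; the account ID and table name are constructed placeholders.

```python
import re

# Constructed sample ARNs (account ID and table name are placeholders).
TABLE_ARN = "arn:aws:dynamodb:us-west-1:123456789012:table/Request-prod"
INDEX_ARN = TABLE_ARN + "/index/requestsByDate"

# The role as the question describes it: only the base table is granted.
POLICY_TABLE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": [TABLE_ARN],
    }],
}

# The fix from the answers: grant the table and its indexes.
POLICY_WITH_INDEX = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": [TABLE_ARN, TABLE_ARN + "/index/*"],
    }],
}


def iam_glob(pattern: str) -> re.Pattern:
    """Compile an IAM-style pattern: '*' matches any run of characters
    (including ':' and '/'), '?' matches exactly one character."""
    parts = re.split(r"([*?])", pattern)
    body = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p) for p in parts)
    return re.compile(f"^{body}$")


def allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers both action and resource.
    Deny statements and Condition blocks are deliberately not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; resource ARNs are compared as given.
        act_ok = any(re.match(iam_glob(a).pattern, action, re.IGNORECASE) for a in actions)
        res_ok = any(iam_glob(r).match(resource) for r in resources)
        if act_ok and res_ok:
            return True
    return False
```

Running `allows(POLICY_TABLE_ONLY, "dynamodb:Query", INDEX_ARN)` returns False while the same call against `POLICY_WITH_INDEX` returns True, which is exactly the "no identity-based policy allows" error and its fix.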
Thank you for your answer, both you and Leeroy had the information I needed. I'm accepting Leeroy's answer since it is more succinct.
Thank you, I am happy that you have resolved your issue.