amplify backend issue: lambda cannot access dynamo

0

Lambda constantly shows "botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the Scan operation: User: <arn:aws:user-detail>, is not authorized to perform: dynamodb:Scan on resource: <arn:aws:source-location> because no identity-based policy allows the dynamodb:Scan action", which is because Amplify does not add role policies correctly. Once I manually add dynamo full access to the Lambda function, the error is "botocore.errorfactory.ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the Scan operation: Requested resource not found".

  • First, I am unable to get around the 2nd error, where the table exists in dynamo.
  • Second, what should I modify to allow Amplify to auto-generate the correct IAM roles?
1 Answer
0

It seems like you're facing two issues with your AWS Lambda function and DynamoDB setup:

AccessDeniedException: This error occurs because the AWS Lambda function does not have the necessary IAM permissions to perform a dynamodb:Scan operation on the DynamoDB table.

ResourceNotFoundException: This error occurs when you manually add the DynamoDB full access policy to the Lambda function, but there might be some issues with how the table is referenced or the table doesn't exist in the specified region.

To resolve these issues and allow Amplify to generate the correct IAM roles, please try to follow these next steps.

First Issue: AccessDeniedException

To allow your Lambda function to perform a dynamodb:Scan operation, you should configure the correct IAM permissions. Here are the steps to ensure that Amplify generates the correct IAM roles:

  1. Amplify Configuration: Make sure your Amplify configuration (amplify/backend/api/<your-api-name>/stacks/stack-name.json) has the proper permissions set up. You should see a section like this:
"Function": {
  "Type": "AWS::Lambda::Function",
  "Properties": {
    ...
    "Policies": [
      {
        "PolicyName": "yourLambdaPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:Scan",
                ...
              ],
              "Resource": [
                "arn:aws:dynamodb:region:account-id:table/your-table-name"
              ]
            },
            ...
          ]
        }
      }
    ],
    ...
  }
}

Ensure that the "Resource" section specifies the correct DynamoDB table ARN. Amplify should generate this automatically, but you can double-check it.

  2. Amplify Push: After making changes to your Amplify configuration, run amplify push to update your AWS resources. Amplify should update the IAM roles and permissions as specified in your configuration.

Second Issue: ResourceNotFoundException

If you still encounter a ResourceNotFoundException after correcting the IAM permissions, make sure of the following:

  • Double-check the DynamoDB table name and region in your Lambda code. Ensure that you are specifying the correct table name and that the table exists in the region you are working in.

  • Check if there are any typos or discrepancies in your table name, including case sensitivity.

  • Verify that the Lambda function and DynamoDB table are in the same AWS region.

Ensure that the table's ARN in the Lambda function's IAM policy matches the actual DynamoDB table's ARN.

If you follow these steps and ensure that your Amplify configuration is correctly set up, you should be able to resolve the access issues and allow Amplify to generate the correct IAM roles for your AWS Lambda function and DynamoDB integration.

Please let us know if this worked well for you.

AWS
answered 7 months ago
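The ARN comparison the answer recommends can be done offline before redeploying. The following is an added example, not code from the answer or from Amplify: the `diagnose` function, the sample policy, and its region, account id and table name are all constructed, and the evaluation is a simplified model of identity-based Allow statements only.

```python
import fnmatch
import json

# Constructed sample policy in the shape shown in the answer. The region,
# account id and table name are placeholders, not values from the post.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:Scan"],
    "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/Orders-dev"]
  }]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def diagnose(policy, action, region, account, table):
    """Return findings; an empty list means an Allow statement matches.
    Simplified model (assumption): identity-based Allow statements with
    '*'/'?' wildcards only; no Deny, Condition, NotAction or boundaries.
    """
    # ARN of the table the Lambda code would actually call.
    target = f"arn:aws:dynamodb:{region}:{account}:table/{table}"
    findings, action_seen = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt.get("Action", []))):
            continue
        action_seen = True
        for res in _as_list(stmt.get("Resource", [])):
            if fnmatch.fnmatchcase(target, res):
                return []
            parts = res.split(":", 5)
            if len(parts) != 6:
                continue
            # Explain which ARN component differs from what the code uses.
            name = parts[5].split("/", 1)[-1]
            if parts[3] not in ("*", region):
                findings.append(f"region: policy={parts[3]} code={region}")
            if name != table:
                kind = "table case" if name.lower() == table.lower() else "table name"
                findings.append(f"{kind}: policy={name} code={table}")
    if not action_seen:
        findings.append(f"no Allow statement covers {action}")
    return findings
```

Pass it the policy attached to the function's execution role together with the region and table name the Lambda code actually uses; any finding points at the component to fix in the policy or in the code.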
