使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Cannot attach Trigger to DynamoDB Table

0

I'm trying to attach a trigger which will invoke a Lambda function when a dynamoDB table is updated. (Briefly, this is aggregating results from one table to another.)

I get an error: InvalidParameterValueException: Cannot access stream arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]/stream/[DATETIME]. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM.

This occurs both if I try to attach a trigger to the function and point at the table, and if I try to create a new (or attach an existing) function on the table.

In the attached role, I have added an in-line policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "dynamodb:GetShardIterator", "dynamodb:DescribeStream", "dynamodb:GetRecords", "dynamodb:ListStreams" ], "Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]//stream/*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE2]" } ] }

主題
無伺服器運算資料庫安全性、身分識別與合規
標籤
AWS LambdaAmazon DynamoDBIAM 政策
語言
English
CharlieM
已提問 2 個月前檢視次數 143 次
1 個回答
1
已接受的答案

Hello.

Will it succeed if I attach "AmazonDynamoDBReadOnlyAccess" to Lambda's IAM role?
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDynamoDBReadOnlyAccess.html

Also, since "Resource" is "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]//stream/*", "arn:aws:dynamodb:[LOCATION]:[ACCOUNT] ]:table/[TABLE1]/stream/*".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE1]/stream/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:[LOCATION]:[ACCOUNT]:table/[TABLE2]"
        }
    ]
}
profile picture
專家
Riku_Kobayashi
已回答 2 個月前
profile picture
專家
Oleksii Bebych
已審閱 2 個月前
profile picture
專家
Gary Mclean
已審閱 2 個月前
  • CharlieM
    2 個月前

    Thank you, the // was the issue that was causing the trigger to not be set up.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容