0 votes

Receive the error when executing a Lambda function:

"AccessDeniedException: User: arn:aws:sts::342213474092:assumed-role/testServerlessStack-ExecRole-YZCIWMHK86D8/testServerlessStack-GetFailureKeysByOrder-OR3YS1NLQY0M is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-2:342213474092:table/Bar"

The function's execution role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-2:342213474092:table/Foo/*",
                "arn:aws:dynamodb:us-east-2:342213474092:table/Bar/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The Lambda queries Foo then scans Bar.

1
It looks like you have different account numbers in the permissions (DynamoDB table ARNs), is that intentional? - Chris D'Englere
They match. All the resources (Lambda and DynamoDB tables) are in the same account. - Adam
I think the problem is in my resource specification, but I can't find docs on that piece of the IAM permission. - Adam

1 Answer

1 votes

According to the docs, the resources should be formatted as:

To query a table: arn:aws:dynamodb:region:account-id:table/table-name

or: arn:aws:dynamodb:region:account-id:table/*

The same goes for scan:

To scan a table: arn:aws:dynamodb:region:account-id:table/table-name

or: arn:aws:dynamodb:region:account-id:table/*

Have you tried changing the resources to:

"Resource": [
            "arn:aws:dynamodb:us-east-2:342213474092:table/Foo",
            "arn:aws:dynamodb:us-east-2:342213474092:table/Bar"
        ],

Docs here: DynamoDB API permissions

Based on your last comment, this should work for you:

arn:aws:dynamodb:region:account-id:table/*/index/*
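The reason the original policy fails is that IAM matches the Resource element as a glob against the full ARN of the resource being acted on: a Scan or Query on the table itself is authorized against arn:...:table/Bar, and the pattern table/Bar/* only matches ARNs that have something after the table name (such as an index). The following is an added example, not code from the question or answer: a simplified IAM-style policy evaluator in Python (default deny, any matching Allow grants, any matching Deny overrides; no Condition, NotAction or resource-based policies) that runs the policy from the question and the corrected one against the table ARN from the error message. The index name ByOrder is hypothetical; account, region and table names are the ones on the page.

```python
"""Simplified IAM policy evaluation for DynamoDB resource ARNs.

Added example: this is a teaching model of how IAM glob-matches Action
and Resource, not the real policy engine. Account, region and table names
are taken from the question; the index name "ByOrder" is hypothetical.
"""
import re
from typing import Any, Dict, List, Union

ACCOUNT = "342213474092"
REGION = "us-east-2"
TABLE_BAR = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Bar"
TABLE_FOO = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Foo"
INDEX_BAR = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Bar/index/ByOrder"  # hypothetical GSI


def _glob_to_regex(pattern: str, ignore_case: bool) -> re.Pattern:
    # IAM policy globbing: '*' matches any run of characters, including '/',
    # and '?' matches exactly one character. Everything else is literal.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """True if an Action or Resource pattern covers the given value."""
    return _glob_to_regex(pattern, ignore_case).match(value) is not None


def _as_list(x: Union[str, List[str], None]) -> List[str]:
    if x is None:
        return []
    return x if isinstance(x, list) else [x]


def is_allowed(policy: Dict[str, Any], action: str, resource_arn: str) -> bool:
    """Evaluate Allow/Deny statements: implicit deny, explicit Deny wins.

    Action names are compared case-insensitively (as IAM does);
    resource ARNs are compared case-sensitively.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(matches(p, action, ignore_case=True)
                         for p in _as_list(stmt.get("Action")))
        resource_hit = any(matches(p, resource_arn)
                           for p in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# The execution role policy exactly as posted in the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": [f"{TABLE_FOO}/*", f"{TABLE_BAR}/*"],
            "Effect": "Allow",
        },
        {
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "*",
            "Effect": "Allow",
        },
    ],
}

# Corrected policy: name the tables themselves, and their indexes separately
# if the function also queries a GSI/LSI.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": [TABLE_FOO, TABLE_BAR, f"{TABLE_FOO}/index/*", f"{TABLE_BAR}/index/*"],
            "Effect": "Allow",
        },
        ORIGINAL_POLICY["Statement"][1],
    ],
}


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: Scan on table/Bar   -> {is_allowed(policy, 'dynamodb:Scan', TABLE_BAR)}")
        print(f"{name}: Query on Bar index  -> {is_allowed(policy, 'dynamodb:Query', INDEX_BAR)}")
```

Two points the run makes visible: table/Bar/* grants access to indexes of Bar but never to Bar itself, which is exactly the AccessDeniedException in the question, and because `*` spans slashes, the broad form table/* covers both tables and every index under them, so prefer naming the tables (and, if needed, table/Name/index/*) to keep the role least-privilege.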