I am trying to run a newly created Lambda function locally using a SAM template with the Node.js runtime. I have the following:

a) AWS account with region, accessKeyId & secretAccessKey
b) aws-cli, aws-sam, docker

Running the Lambda function locally using sam local invoke is fine, but the problem is that when I connect to DynamoDB in my function, I get the error below.

{"message":"User: arn:aws:iam::*********:user/test.user is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-2:********:table/my_table with an explicit deny","code":"AccessDeniedException","time":"2020-08-30T07:45:51.678Z","requestId":"7SIBTHTKDSSDJNSTLNUSSBHDNDHBSMVJF66Q9ASUAAJG","statusCode":400,"retryable":false,"retryDelay":40.84164538820391}

I have access to the AWS account, have the accessKeyId & secretAccessKey, and am able to query when trying from the AWS console. In the VS Code editor I installed aws-toolkit and added the credentials, but I still get the same error locally.

Can somebody help me with this issue, as I am having a difficult time finding the solution? Here is my code snippet.

let response;
const AWS = require('aws-sdk');
// Credentials set here override the profile/env vars the SDK would otherwise resolve.
AWS.config.update({
    region: "us-west-2",
    accessKeyId: '************',
    secretAccessKey: '********************'
});
const dbClient = new AWS.DynamoDB.DocumentClient();

const MY_TABLE_NAME = "my_table";

exports.lambdaHandler = async (event, context) => {
    try {
        let myTable = await getData(event.myId);
        response = {
            'statusCode': 200,
            'body': JSON.stringify({
                message: myTable
            })
        };
    } catch (err) {
        // AccessDeniedException from DynamoDB lands here
        console.log(err);
        return err;
    }
    return response;
};

// Query my_table by partition key userID; returns false when nothing matches.
const getData = async (myId) => {
    const params = {
        TableName: MY_TABLE_NAME,
        KeyConditionExpression: "#uid = :id",
        ExpressionAttributeValues: {
            ':id': myId
        },
        ExpressionAttributeNames: {
            '#uid': 'userID'
        }
    };

    let { Count, Items } = await dbClient.query(params).promise();
    if (Items.length === 0) {
        return false;
    } else {
        var obj = {
            Name: (Count > 0) ? Items[0].name : null,
            MY_TABLE: MY_TABLE_NAME   // was MY_TABLE, an undefined identifier
        };
        return obj;
    }
};

template.yaml

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function # More info 
    Properties:
      CodeUri: hello-world/
      Handler: app.lambdaHandler
      Runtime: nodejs12.x
      Policies: AmazonDynamoDBFullAccess
      Events:
        HelloWorld:
          Type: Api # More info
          Properties:
            Path: /hello
            Method: get

Any help would be really appreciated. Thanks in advance.

@smcstewart Could you please have a look into this? - Vishnu
Are you sure you've used test.user credentials in the console? There is an explicit deny for that user, so it will not work at all for that user. It should not matter whether the console was used or not. - Marcin
@Marcin Yes, from my user account I was able to query and run the Lambda function in the AWS console. - Vishnu

1 Answers

The reason why I am getting the user not authorized error was because I do not have programmatic access, and am only authorized for AWS console access.

Thanks
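A small diagnostic for the situation in this thread, added here and not taken from the question or answer: it pulls the identity, action and resource out of the AccessDeniedException message so you can see which credentials sam local invoke actually resolved, and whoAmI() asks STS for the caller ARN before any DynamoDB call is made. It assumes aws-sdk v2 (as in the question's code) for whoAmI() only; the sample error is constructed from the masked message above.

```javascript
// Added diagnostic, not part of the question or answer. Assumes aws-sdk v2
// (as in the question's code) only for whoAmI(); the parser needs no SDK.
const DENY_RE = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

// Constructed sample, copied from the masked error message in the question.
const SAMPLE_ERROR = {
  code: 'AccessDeniedException',
  message: 'User: arn:aws:iam::*********:user/test.user is not authorized to perform: ' +
    'dynamodb:Query on resource: arn:aws:dynamodb:us-west-2:********:table/my_table with an explicit deny',
};

// Extract who was denied, which action, and on which resource.
function parseAccessDenied(err) {
  if (!err || err.code !== 'AccessDeniedException') return null;
  const m = DENY_RE.exec(err.message || '');
  if (!m) return { code: err.code, raw: err.message };
  return {
    code: err.code,
    principal: m[1],
    action: m[2],
    resource: m[3],
    explicitDeny: /with an explicit deny/.test(err.message),
  };
}

// Compare the denied call against what the developer expected to happen.
function explainAccessDenied(parsed, expectedTable) {
  if (!parsed) return 'not an AccessDeniedException';
  if (!parsed.principal) return `unparsed AccessDenied message: ${parsed.raw}`;
  const notes = [`${parsed.principal} was denied ${parsed.action} on ${parsed.resource}`];
  const table = parsed.resource.split(':table/')[1];
  if (table && table !== expectedTable) notes.push(`request hit table "${table}", expected "${expectedTable}"`);
  if (parsed.explicitDeny) {
    notes.push('an explicit Deny on this identity overrides any Allow; Policies in template.yaml ' +
      'attach to the deployed function role, not to the local credentials sam local invoke uses');
  }
  return notes.join('; ');
}

// Ask STS which identity the SDK resolved (env vars, ~/.aws/credentials, or
// AWS.config.update). Invalid or revoked keys fail here, before any DynamoDB request.
async function whoAmI() {
  const AWS = require('aws-sdk'); // required lazily so the parser runs without the SDK
  const id = await new AWS.STS().getCallerIdentity().promise();
  return id.Arn;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(explainAccessDenied(parseAccessDenied(SAMPLE_ERROR), 'my_table'));
  whoAmI().then((arn) => console.log('caller:', arn)).catch((e) => console.log('STS failed:', e.code));
}
```

Run it from the same machine and profile you use for sam local invoke; if the ARN printed by whoAmI() is not the user you expected, or the call fails outright, the credentials, not the function code, are the problem.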