0
votes

I've created my API in Vercel, which uses AWS Lambda. In my function, I've used a call to DynamoDB in my AWS account.

But I keep getting AccessDeniedException.
But when I run it locally, there is no issue.

AccessDeniedException: User: arn:aws:sts::764717618004:assumed-role/cloudwatch_logs_events_putter/L0ZFqQmkoVXQ44u8QwB1yH0f-805fd9d54732e5470e54bf12bd9a25672e379b5 
is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-south-1:764717618004:table/users

This addresses the issue when both Lambda and DynamoDB are in the same user account.

1
Have you given the cloudwatch_logs_events_putter role permissions for dynamodb:GetItem? - hephalump
I can't find any role with that name. I'm new to this. Should I be creating a role in that name? I've already given AmazonDynamoDBFullAccess to the IAM user. - srx
You’ll have to update the policy for the Role, not the User. - hephalump
The role existed because your Lambda had assumed it and STS had issued credentials which are not authorized. If you don’t see the role, is it possible it’s in a different account, or that you don’t have permissions to see it? - hephalump
Sorry, I'm not familiar with vercel.com; maybe reach out to them for support with cross-account permissions. - hephalump

1 Answer

1
votes

Well, guess what: after hours of combing through AWS documentation I got to the root of the issue. The user arn:aws:sts::764717618004:assumed-role/ and arn:aws:dynamodb:ap-south-1:764717618004:table/users are the same, which was odd once I thought about it.

Because the AWS ID of DynamoDB should've been mine, but it evidently wasn't. So I tried logging the accessKeyId, and to my surprise it was not what I set in the environment.
Then I just checked what's in vercel env ls. There was nothing wrong at first sight, but then I noticed a little typo in DYNAMODB_ACCESS_KYE_ID.

YES, IT WAS JUST A TYPO. Successfully wasted 6+ hours on a typo in an environment variable.
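The failure mode in this thread is that a misspelled variable name makes the AWS SDK silently fall back to the execution role's ambient credentials, so the request goes out under the wrong account and fails with AccessDeniedException far from the actual mistake. The following is an added example, not code from the question or answer: a startup check for a Node-based Vercel function that refuses to build the DynamoDB client until the expected variables are present, and reports the closest existing name when one is missing. Only DYNAMODB_ACCESS_KEY_ID comes from the post; DYNAMODB_SECRET_ACCESS_KEY and DYNAMODB_REGION are assumed names.

```javascript
// Added example: fail fast when the credential variables a Vercel/Lambda
// function expects are missing, instead of letting the AWS SDK fall back to
// the execution role's ambient credentials (the root cause in the post).
// Only DYNAMODB_ACCESS_KEY_ID appears in the thread; the other names are assumed.
const REQUIRED = ["DYNAMODB_ACCESS_KEY_ID", "DYNAMODB_SECRET_ACCESS_KEY", "DYNAMODB_REGION"];

// Levenshtein edit distance (single-row version), used to spot near-miss
// variable names such as DYNAMODB_ACCESS_KYE_ID vs DYNAMODB_ACCESS_KEY_ID.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns a human-readable problem per missing variable. When an existing key
// is within two edits of the expected name, it is named as the likely typo.
function checkCredentialEnv(env) {
  const problems = [];
  for (const name of REQUIRED) {
    if (env[name]) continue;
    const nearMiss = Object.keys(env)
      .filter((k) => k !== name && editDistance(k, name) <= 2)
      .sort((x, y) => editDistance(x, name) - editDistance(y, name))[0];
    problems.push(nearMiss ? `${name} is missing; did you mean ${nearMiss}?` : `${name} is missing`);
  }
  return problems;
}

// Builds the DynamoDB client (AWS SDK v3) only after the check passes, so a
// misconfigured deployment fails here with a clear message rather than with a
// remote AccessDeniedException issued under a role from another account.
function buildDynamoClient(env = process.env) {
  const problems = checkCredentialEnv(env);
  if (problems.length) throw new Error(`DynamoDB credentials misconfigured: ${problems.join("; ")}`);
  const { DynamoDBClient } = require("@aws-sdk/client-dynamodb");
  return new DynamoDBClient({
    region: env.DYNAMODB_REGION,
    credentials: { accessKeyId: env.DYNAMODB_ACCESS_KEY_ID, secretAccessKey: env.DYNAMODB_SECRET_ACCESS_KEY },
  });
}
```

Calling buildDynamoClient() once at module load of the serverless function surfaces the typo in the deploy logs instead of in a DynamoDB error from a foreign account.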