AccessDeniedException when trying to test lambda using the dashboard.

0

Using the CodeStar Python webservice as starting point I have created a lambda function to write data to DynamoDB.

Using the "sam local start-api" CLI, the tests go well and the items appear in DynamoDB (checked with the dashboard).

However, when I try to test the lambda function from the dashboard (Services > Lambda > Functions > "<MyLambda>" > Test) I get an AccessDeniedException of the form:

"An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::xxx:assumed-role/CodeStar-<myproject>-Execution/awscodestar-<myproject>-lambda-<mylambda> is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-west-2:<mytable>"

Here is part of my modified template.yml:

  LambdaExecutionRole:
    Description: Creating service role in IAM for AWS Lambda
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB
        - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'

Can someone help?

asked 5 years ago, 773 views
1 Answer
0

Turns out that what I was doing wrong was creating the DynamoDB table in the dashboard.

Once I deleted it and used the CloudFormation template associated with the CodeStar project to create it as well, the lambda started to work.

If someone is having the same difficulty, use the role provided above and make sure the DB is also created from template.yml, like below:

...
Resources:
  RawRequests:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: TimeStamp
          AttributeType: S
      KeySchema:
        - AttributeName: TimeStamp
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1
      TableName: RawRequests
...

Cheers

answered 5 years ago
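For readers who want to go one step further than the accepted answer, here is an added template fragment (not part of the question or answer above, and not CodeStar's own template) that keeps the table and the role in the same template.yml but replaces AmazonDynamoDBFullAccess with an inline policy scoped to the table's ARN. It assumes the function only needs dynamodb:PutItem on RawRequests, as in the question; the policy name is a made-up placeholder.

```yaml
Resources:
  RawRequests:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: TimeStamp
          AttributeType: S
      KeySchema:
        - AttributeName: TimeStamp
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1
      TableName: RawRequests

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: sts:AssumeRole
      Path: /
      # Only the CloudWatch Logs permissions the function needs to run.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      # Least privilege: one action on one table, referenced by its
      # in-template ARN instead of a wildcard managed policy.
      # "RawRequestsPutItemOnly" is a placeholder name (assumption).
      Policies:
        - PolicyName: RawRequestsPutItemOnly
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:PutItem
                Resource: !GetAtt RawRequests.Arn
      # Same boundary as in the question; kept unchanged.
      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
```

If the function later reads or queries the table, add only those actions (for example dynamodb:GetItem, dynamodb:Query) to the same statement rather than reintroducing the full-access policy.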
