AccessDeniedException when trying to test lambda using the dashboard.

0

Using the CodeStar Python webservice as starting point I have created a lambda function to write data to DynamoDB.

Using "sam local start-api" CLI the tests go well and the items appear on the DynamoDB (checking with the dashboard).

However, when I try to test the lambda function from the dashboard (Services > Lambda > Functions > "<MyLambda>" > Test) I get an AccessDeniedException in the form:

"An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::xxx:assumed-role/CodeStar-<myproject>-Execution/awscodestar-<myproject>-lambda-<mylambda> is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-west-2:<mytable>"

Here is part of my modified template.yml:

  LambdaExecutionRole:
    Description: Creating service role in IAM for AWS Lambda
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB
        - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
      PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'

Can someone help?

asked 5 years ago · 733 views
1 Answer
0

Turns out that what I was doing wrong was creating the DynamoDB in the dashboard.

Once I deleted it and used the CloudFormation template associated with the CodeStar project to create it as well, the lambda started to work.

If someone is having the same difficulty, use the role provided above and make sure the db is also created from template.yml, like below:

...
Resources:
  RawRequests:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: TimeStamp
          AttributeType: S
      KeySchema:
        - AttributeName: TimeStamp
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 1
        WriteCapacityUnits: 1
      TableName: RawRequests
...

Cheers

answered 5 years ago
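
Added example, not code from the question or the answer: the role in the question attaches AmazonDynamoDBFullAccess but also sets a PermissionsBoundary, and IAM only grants an action when both the attached policies and the boundary allow it. The sketch below shows that intersection offline; the boundary contents, account id and table names are constructed assumptions (the page does not show the real boundary), and the evaluator ignores explicit Deny, Condition, NotAction, SCPs and resource policies.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """True if an Allow statement matches (IAM-style * and ? wildcards)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def evaluate(identity_policies, boundary, action, resource):
    """Return (identity_ok, boundary_ok, allowed); allowed needs both."""
    identity_ok = any(allows(p, action, resource) for p in identity_policies)
    boundary_ok = allows(boundary, action, resource)
    return identity_ok, boundary_ok, identity_ok and boundary_ok

# Constructed stand-in for a broad managed policy such as AmazonDynamoDBFullAccess.
BROAD_DYNAMODB = {"Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}

# Constructed boundary (assumption): only one named table is in scope.
ACCOUNT = "111122223333"  # placeholder account id
IN_SCOPE = f"arn:aws:dynamodb:us-west-2:{ACCOUNT}:table/TableInBoundary"
OUT_OF_SCOPE = f"arn:aws:dynamodb:us-west-2:{ACCOUNT}:table/TableMadeElsewhere"
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": [IN_SCOPE]}]}

if __name__ == "__main__":
    for arn in (IN_SCOPE, OUT_OF_SCOPE):
        print(arn.rsplit("/", 1)[1],
              evaluate([BROAD_DYNAMODB], BOUNDARY, "dynamodb:PutItem", arn))
```

When an attached policy looks sufficient and the call is still denied, comparing the role's boundary policy against the resource ARN in the error message is the first check to make.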
