How do you add permission for a scheduled lambda function to query a DynamoDB table?

Question

In my amplify application I need a lambda function to execute once a day and query a Database table for records matching certain criteria and send an e-mail if they are found.

I added a secondary index in my graphql schema with the fields I wanted to use. I then generated a lambda function with amplify and added this statement to the execution policy:

```
      {
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Query"
            ],
            "Resource": "arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod",
            "Effect": "Allow"
        },
```

I can see the permissions in the created role but when I test the function I get the following error message:
```
"message":"User: arn:aws:sts::#redacted#:assumed-role/crnLambdaRole0600f8a6-prod/sendReminders-prod is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:#redacted#:table/Request/index/requestsByDate because no identity-based policy allows the dynamodb:Query action"
```
How do I go about granting the correct permissions to my lambda function or is there some other reason I might get this error?

Accepted Answer

Hi, you need to update the policy to allow you access to the index as well as the base table. Modify the `Resource` part of the policy to include the index:

```
      {
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:Query"
            ],
            "Resource": [
               "arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod",
               "arn:aws:dynamodb:us-west-1:#redacted#:table/Request-#redacted#-prod/index/*"
             ],
            "Effect": "Allow"
        },
```

See more [here](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/iam-policy-specific-table-indexes.html)

Answer

Hi There.

I understand you are finding issues when you add permissions for a scheduled lambda function to query a DynamoDB table  and you are getting an error :

"message":"User: arn:aws:sts::#redacted#:assumed-role/crnLambdaRole0600f8a6-prod/sendReminders-prod is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:#redacted#:table/Request/index/requestsByDate because no identity-based policy allows the dynamodb:Query action"

Please note that for a DynamoDB index, the resource path is different. So you need to add the index path as well in iamRoleStatements.

For example:

{

"Action": [

"dynamodb:GetItem",

"dynamodb:Query"

],

“Resource”:

"arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}/index/*”,

"Effect": "Allow"

},

For further understanding please refer to the document [1]

Please also note that the following need to be confirmed

Your Lambda function execution role and that you have the necessary permissions for DynamoDB table on AWS Managed policy "AmazonDynamoDBFullAccess" attached to the role.

Then further check you have permissions boundary attached to the role and it only has the table ARN permissions. Because you are querying on the index, you will be adding "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}/index/*” to the resource as mentioned in the permissions boundary policy.

I hope you find this information helpful.

=========References==========

[1] https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/using-identity-based-policies.html

How do you add permission for a scheduled lambda function to query a DynamoDB table?

Relevant content