AccessDenied on DynamoDB GSI Index
I've written a serverless.yml to deploy some lambdas and I'm using a GSI in a specific API.

If I run locally using serverless-offline, it's working, but I'm facing an error when I deploy the lambda:

AccessDeniedException: User: arn:aws:sts::408462944160:assumed-role/telecom-integration-dev-us-east-1-lambdaRole/integration-dev-dialerStatistics 
is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:408462944160:table/integration-dialer-dev/index/other_dial_status-index

Here is how I've created serverless.yml

iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource:
      - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn"] }


dialerStatistics:
  handler: integration/dialer.statistics
  description: Import data on dialer.
  memorySize: 256
  timeout: 30
  events:
    - http:
        path: dialer-statistics
        method: get
        cors: false
        private: false  


DialerDynamoDbTable:
  Type: 'AWS::DynamoDB::Table'
  DeletionPolicy: ${self:provider.environment.DELETION_POLICY}
  # DeletionPolicy: Delete # Useful for recreating environment in dev
  Properties:
    AttributeDefinitions:
      -
        AttributeName: "id"
        AttributeType: "S"
      -
        AttributeName: "dial_status"
        AttributeType: "S"
    KeySchema:
      -
        AttributeName: "id"
        KeyType: "HASH"
    ProvisionedThroughput:
      ReadCapacityUnits: 1
      WriteCapacityUnits: 1
    TableName: ${self:provider.environment.DIALER_TABLE}  
    GlobalSecondaryIndexes:
    - IndexName: "other_dial_status-index"
      KeySchema:
      - AttributeName: "dial_status"
        KeyType: HASH
      Projection:
        ProjectionType: "ALL"
      ProvisionedThroughput:
        ReadCapacityUnits: '20'
        WriteCapacityUnits: '20'

Probably it's missing some permission in iamRoleStatements, but I'm not sure what else I should do.

Rubbish answered 26/7, 2018 at 11:31 Comment(0)
39

Your IAM role does not cover the indexes. Try to add them in the role's resources:

iamRoleStatements:
   - Effect: Allow
     Action:
       - dynamodb:Query
       - dynamodb:Scan
       - dynamodb:GetItem
       - dynamodb:PutItem
       - dynamodb:UpdateItem
       - dynamodb:DeleteItem 
     Resource:        
       - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }
       - Fn::Join:
         - "/"
         -
           - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }
           - "index/*"

For reference, the Fn::Join will append /index/* to DialerDynamoDbTable's ARN.

It worked locally because Serverless uses the "admin" IAM user you configured it with.

Sogdian answered 26/7, 2018 at 14:36 Comment(9)
I got an error: "bad indentation of a sequence entry in file line 60, column 60: ... "DialerDynamoDbTable", "Arn" ] }/index/* " What is the correct syntax? I'm a super newbie on serverless.Rubbish
I updated the code with the correct indentation. My bad.Sogdian
Sorry, I'm a bit tired. Values should be joined with the Fn::Join function. I updated (and tested) my code.Sogdian
Deploying it! Is it possible to check the result of Fn::Join? Just curious.Rubbish
CloudFormation will evaluate the join when deploying the stack. It's not serverless's job to do it, so you won't be able to see it there. But you can see it in AWS IAM -> Roles. Also, you can guess what it will be by reading the documentation: docs.aws.amazon.com/fr_fr/AWSCloudFormation/latest/UserGuide/…Sogdian
Let us continue this discussion in chat.Sogdian
It's working. Thank you very much, I owe you a beer. ;DRubbish
@jah is it now? :pSogdian
@quentinhayot No, the second dash has an indentation on paste. Maybe that's SO formatting. Still, thank you a lot! :)Cathleencathlene
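To make the accepted answer's point concrete, here is an added example (not code from the original question or answer) that models how IAM matches a `Resource` ARN against the ARN DynamoDB reports for a GSI, and what the answer's `Fn::Join` expands to. The table ARN and index ARN are taken from the error message in the question; the `ATTRIBUTES` map standing in for CloudFormation's `Fn::GetAtt` resolution, the `resolve` and `is_allowed` helpers, and the `INDEX_ONLY` policy are constructed for this illustration. The matcher implements only the IAM wildcard rules needed here (`*` and `?` in `Resource`, `*` in `Action`, explicit Deny beats Allow, implicit deny otherwise) and ignores conditions, `NotAction` and `NotResource`.

```python
"""Why a table-only IAM statement denies dynamodb:Query on a GSI, and what
Fn::Join produces.  Added example; not part of the original page."""
import re

# Constructed stand-in for CloudFormation resolving Fn::GetAtt on the table.
# The ARN is the one quoted in the question's AccessDeniedException.
ATTRIBUTES = {
    ("DialerDynamoDbTable", "Arn"):
        "arn:aws:dynamodb:us-east-1:408462944160:table/integration-dialer-dev",
}

# The index ARN DynamoDB reported in the error message.
QUERIED_INDEX = ("arn:aws:dynamodb:us-east-1:408462944160:"
                 "table/integration-dialer-dev/index/other_dial_status-index")


def resolve(node):
    """Minimal evaluator for the two intrinsics the answer uses:
    Fn::GetAtt -> look up the attribute, Fn::Join -> join resolved parts."""
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Fn::GetAtt":
            return ATTRIBUTES[tuple(arg)]
        if fn == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(resolve(p) for p in parts)
    if isinstance(node, list):
        return [resolve(n) for n in node]
    return node


def _wildcard_to_regex(pattern):
    # IAM's '*' matches any run of characters (including '/') and '?' matches
    # one character; there is no path-segment awareness, so
    # 'table/foo/*' needs the literal 'table/foo/' prefix and does NOT match
    # the bare table ARN 'table/foo'.
    segments = [re.escape(s).replace(r"\?", ".") for s in pattern.split("*")]
    return re.compile("^" + ".*".join(segments) + "$")


def is_allowed(statements, action, resource_arn):
    """Simplified IAM decision: explicit Deny wins, any matching Allow grants,
    otherwise implicit deny (the AccessDeniedException in the question)."""
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = resolve(st["Resource"])
        resources = resources if isinstance(resources, list) else [resources]
        if not any(_wildcard_to_regex(a).match(action) for a in actions):
            continue
        if not any(_wildcard_to_regex(r).match(resource_arn) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


ACTIONS = ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
           "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]

TABLE_ARN = {"Fn::GetAtt": ["DialerDynamoDbTable", "Arn"]}
# Exactly the Fn::Join from the accepted answer.
INDEX_ARN = {"Fn::Join": ["/", [TABLE_ARN, "index/*"]]}

# The question's statement: table only.
ORIGINAL = [{"Effect": "Allow", "Action": ACTIONS, "Resource": [TABLE_ARN]}]
# The answer's statement: table plus every index under it.
FIXED = [{"Effect": "Allow", "Action": ACTIONS, "Resource": [TABLE_ARN, INDEX_ARN]}]
# Constructed caveat: an index-only wildcard does not cover the table itself.
INDEX_ONLY = [{"Effect": "Allow", "Action": ACTIONS, "Resource": [INDEX_ARN]}]


if __name__ == "__main__":
    print("Fn::Join expands to:", resolve(INDEX_ARN))
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED), ("index-only", INDEX_ONLY)):
        print(f"{name:10s} table: {is_allowed(policy, 'dynamodb:Query', resolve(TABLE_ARN))}"
              f"  index: {is_allowed(policy, 'dynamodb:Query', QUERIED_INDEX)}")
```

The same check against a deployed role can be run with the real evaluator: `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names dynamodb:Query --resource-arns <index ARN>`. If you want least privilege rather than `index/*`, join `index/other_dial_status-index` instead; the table entry is still required, since a pattern ending in `/index/*` never matches the bare table ARN.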
7
Resource: 
    - arn:aws:dynamodb:*:*:table/${self:custom.myTable}
    - arn:aws:dynamodb:*:*:table/${self:custom.myTable}/index/*
Shrub answered 2/9, 2020 at 1:19 Comment(0)
1

For those in search of the plain CloudFormation version:

  PolicyDocument:
    Version: 2012-10-17
    Statement:
    - Effect: Allow
      Action:
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:DeleteItem
        - dynamodb:UpdateItem
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:BatchGetItem
        - dynamodb:BatchWriteItem
      Resource:
        - !GetAtt DialerDynamoDbTable.Arn
        - !Join [ '/', [ !GetAtt DialerDynamoDbTable.Arn, 'index/*' ] ]
Cleavage answered 8/1, 2019 at 2:19 Comment(0)
0

You need to add that index in IAM >> Roles:

arn:aws:dynamodb:*:*:table/${self:custom.myTable}/index/*

Horodko answered 18/4 at 11:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.