AWS and DynamoDB permissions: "User is not authorized to access this resource"

Hi,

My setup includes an IAM role statement to interact with DynamoDB:

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}"

And yet, here we are:

AccessDeniedException: User: arn:aws:sts::947426108344:assumed-role/keyless-dev-ap-southeast-2-lambdaRole/keyless-dev-logsList is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:ap-southeast-2:947426108344:table/dev-keyless-data/index/type-created_at-index

I expanded permissions on the serverless role to include any dynamodb action on any table for the sake of conversation. Now I’m receiving the message:

“User is not authorized to access this resource”

With further header information:

x-amzn-errortype:AccessDeniedException
x-amzn-requestid:ecd5cd60-f374-11e7-82e6-37d492e392d3
x-cache:Error from cloudfront

My setup includes a domain name using the serverless-domain-manager plugin. It doesn’t seem to reach my authenticator functions, as the CloudWatch logs are empty.

This happens in 90% of the cases. Sometimes, it goes through. Right now it succeeds on my /logs endpoint but not on my /users endpoint, though setup is identical. On redeploy, /logs fails but /users succeeds.

I’m in over my head here. I can’t even find CloudFront logs.

For a DynamoDB index, the resource path is different. So you need to add the index path as well in iamRoleStatements. For example:

(By the way, I don’t think you need GetItem/PutItem/UpdateItem/DeleteItem on the index. If you do, you can add these permissions back easily.)

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}"
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}/index/*"

Please read this document for further understanding:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/api-permissions-reference.html

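To see why the table ARN alone never covers the GSI, here is an added example (not code from the thread or from the Serverless Framework): a minimal IAM-style matcher run over both policies, with the Serverless variables resolved by hand to the region and table name quoted in the error message. It deliberately ignores Condition, NotAction and resource-based policies.

```python
import re

# Constructed from the error message in the thread: the table and GSI ARNs
# the Lambda role was trying to reach (region and account id as quoted there).
TABLE_ARN = "arn:aws:dynamodb:ap-southeast-2:947426108344:table/dev-keyless-data"
INDEX_ARN = TABLE_ARN + "/index/type-created_at-index"

# The two policies from the thread with Serverless variables resolved by hand
# (${self:provider.region} -> ap-southeast-2, DYNAMODB_DATA -> dev-keyless-data).
DATA_ACTIONS = ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
                "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]
ORIGINAL_STATEMENTS = [
    {"Effect": "Allow", "Action": DATA_ACTIONS,
     "Resource": "arn:aws:dynamodb:ap-southeast-2:*:table/dev-keyless-data"},
]
FIXED_STATEMENTS = ORIGINAL_STATEMENTS + [
    {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:Scan"],
     "Resource": "arn:aws:dynamodb:ap-southeast-2:*:table/dev-keyless-data/index/*"},
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def iam_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters (including
    '/'), '?' matches one character, everything else is literal. Action names
    are case-insensitive in IAM; resource ARNs are case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(statements, action, resource):
    """Minimal identity-policy evaluation: a matching explicit Deny wins,
    otherwise any matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in statements:
        action_hit = any(iam_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_STATEMENTS), ("fixed", FIXED_STATEMENTS)):
        for arn in (TABLE_ARN, INDEX_ARN):
            verdict = "allow" if is_allowed(policy, "dynamodb:Query", arn) else "DENY"
            print(f"{name:8} dynamodb:Query on {arn.split(':table/')[1]} -> {verdict}")
```

The original policy allows Query on the table but denies it on the index, which is exactly the first AccessDeniedException in the thread; the fixed policy allows Query on both while still refusing PutItem on the index.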