AWS and DynamoDB permissions: "User is not authorized to access this resource"

aws

#1

Hi,

My setup includes an iam role statement to interact with DynamoDB:

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}"

And yet, here we are:

AccessDeniedException: User: arn:aws:sts::947426108344:assumed-role/keyless-dev-ap-southeast-2-lambdaRole/keyless-dev-logsList is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:ap-southeast-2:947426108344:table/dev-keyless-data/index/type-created_at-index

I expanded permissions on the serverless role to include any dynamodb action on any table for the sake of conversation. Now I’m receiving the message:

“User is not authorized to access this resource”

With further header information:

x-amzn-errortype:AccessDeniedException
x-amzn-requestid:ecd5cd60-f374-11e7-82e6-37d492e392d3
x-cache:Error from cloudfront

My setup includes a domain name using serverless-domain-manager plugin. It doesn’t seem to reach my authenticator functions as the cloud watch logs are empty.

This happens in 90% of the cases. Sometimes, it goes through. Right now it succeeds on my /logs endpoint but not on my /users endpoint, though setup is identical. On redeploy, /logs fails but /users succeeds.

I’m in over my head here. I can’t even find cloudfront logs.


#2

For DynamoDB index, the resource path is different. So you need to add the index path as well in iamRoleStatements. For example:

(By the way, I don’t think you need to GetItem/PutItem/UpdateItem/DeleteItem index. If this is the case, you can add these permissions back easily)

 iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}"
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
      Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_DATA}/index/*"

Please read this document for further understanding:

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/api-permissions-reference.html