Cannot access stream lambda serverless v.13

Hi,

I am seeing the following error when running serverless deploy:

An error occurred while provisioning your stack: StreamFunctionEventSourceMappingDynamodbMyTable1
- Cannot access stream arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145.
Please ensure the role can perform the GetRecords, GetShardIterator,
DescribeStream, and ListStreams Actions on your stream
in IAM.

Here is my serverless.yaml. Please help.

service: testservice

provider:
  name: aws
  runtime: nodejs4.3
  cfLogs: true
  stage: dev
  region: us-east-1

functions:
  Test1:
    handler: a.index
    name: test1
    role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
    description: test1
    memorySize: 512 # optional, default is 1024
    timeout: 60 # optional, default is 6
  Test2:
    handler: b.index
    name: test2
    role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
    description: test2
    memorySize: 512 # optional, default is 1024
    timeout: 60 # optional, default is 6
  Test3:
    handler: c.index
    name: test3
    role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
    description: test3
    memorySize: 512 # optional, default is 1024
    timeout: 60 # optional, default is 6

resources:
  Resources:
    StreamFunctionEventSourceMappingDynamodbMyTable1:
      Type: AWS::Lambda::EventSourceMapping
      DependsOn: IamPolicyLambdaExecution
      Properties:
        BatchSize: 100
        EventSourceArn: arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145
        FunctionName: test1
        StartingPosition: LATEST
        Enabled: True
    StreamFunctionEventSourceMappingDynamodbMyTable2:
      Type: AWS::Lambda::EventSourceMapping
      DependsOn: IamPolicyLambdaExecution
      Properties:
        BatchSize: 100
        EventSourceArn: arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145
        FunctionName: test2
        StartingPosition: LATEST
        Enabled: True

@mohitg Try adding the following

provider:
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeStream
        - dynamodb:GetRecords
        - dynamodb:GetShardIterator
        - dynamodb:ListStreams

I’ll write a full post on getting DynamoDB streams working when I get a chance.

Thanks Buggy.
I added the following and was able to deploy the lambdas. However, if the stream is different for each function, then how can multiple resource values be provided in the iamRoleStatements?

iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeStream
        - dynamodb:GetRecords
        - dynamodb:GetShardIterator
        - dynamodb:ListStreams
      Resource: arn:aws:dynamodb:us-east-1:XX:table/XX/stream/2016-11-07T17:00:04.145

iamRoleStatements is an array of statements. Just add each stream.

iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeStream
        - dynamodb:GetRecords
        - dynamodb:GetShardIterator
        - dynamodb:ListStreams
      Resource: arn:aws:dynamodb:us-east-1:XX:table/XX/stream/2016-11-07T17:00:04.145
    - Effect: Allow
      Action:
        - dynamodb:DescribeStream
        - dynamodb:GetRecords
        - dynamodb:GetShardIterator
        - dynamodb:ListStreams
      Resource: arn:aws:dynamodb:us-east-1:XX:table/YY/stream/2016-11-07T17:00:04.145
    - Effect: Allow
      Action:
        - dynamodb:DescribeStream
        - dynamodb:GetRecords
        - dynamodb:GetShardIterator
        - dynamodb:ListStreams
      Resource: arn:aws:dynamodb:us-east-1:XX:table/ZZ/stream/2016-11-07T17:00:04.145

Thank You buggy. I see that the role provided at the function level is overridden after putting iamRoleStatements.
Please let me know how I can still have the role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
(mentioned at function level) attached as well.
The role generated by serverless, attached to all lambdas, is as below

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "logs:CreateLogGroup",
            "logs:CreateLogStream"
         ],
         "Resource":[
            "arn:aws:logs:us-east-1:XX:log-group:/aws/lambda/test1:*",
            "arn:aws:logs:us-east-1:XX:log-group:/aws/lambda/test2:*",
            "arn:aws:logs:us-east-1:XX:log-group:/aws/lambda/test3:*"
         ],
         "Effect":"Allow"
      },
      {
         "Action":[
            "logs:PutLogEvents"
         ],
         "Resource":[
            "arn:aws:logs:us-east-1:XX:log-group:/aws/lambda/test1:*:*",
            "arn:aws:logs:us-east-1:XX:log-group:/aws/lambda/test2:*:*",
            "arn:aws:logs:us-east-1:XX:log-group:/aws/lambda/test3:*:*"
         ],
         "Effect":"Allow"
      },
      {
         "Action":[
            "dynamodb:DescribeStream",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:ListStreams"
         ],
         "Resource":"arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145",
         "Effect":"Allow"
      }
   ]
}

The same principle applies. You just need to add the IAM role statements to your custom roles.

Assuming you’re doing this as resources in your serverless.yml you can look at AssumeRolePolicyDocument in http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html for an example.

Thanks for your reply. However, I wanted to use role ARN at function level instead of custom roles.
Also, if I define custom roles, I will not be able to share the custom role across multiple services.

Those role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo that you’re adding to the function are what I’m referring to. You need to add the role statements to those. If you’re creating and managing them outside of Serverless then you need to add the statements outside of Serverless too.
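The deploy error at the top of the thread is Lambda checking, at mapping-creation time, that the execution role can read the stream. The script below reproduces that check locally so a policy change on an externally managed role can be verified before running serverless deploy. It is an added example, not code from the thread or from the Serverless Framework; the policy and stream ARNs are constructed from the values quoted in the thread, with the account id left as the placeholder "XX", and the second table name "othertable" is invented.

```python
"""Pre-deploy check for the "Cannot access stream" error: does the Lambda
execution role's policy grant the four stream actions on every EventSourceArn
the service maps?  Added example, not code from the thread or from the
Serverless Framework.  The policy and ARNs below are constructed from the
values quoted in the thread; the account id is the placeholder "XX"."""
import fnmatch
import json

# The four actions named in the deploy error.
REQUIRED_STREAM_ACTIONS = (
    "dynamodb:DescribeStream",
    "dynamodb:GetRecords",
    "dynamodb:GetShardIterator",
    "dynamodb:ListStreams",
)


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    """Resource ARNs match case-sensitively with * and ? wildcards.
    (fnmatch also treats [...] specially, which IAM does not; these ARNs contain none.)"""
    return fnmatch.fnmatchcase(arn, pattern)


def granted_stream_actions(policy, stream_arn):
    """Return the required actions the policy allows on stream_arn.
    An explicit Deny on a matching statement removes the action, as IAM evaluates it."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not any(_resource_matches(r, stream_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = _as_list(stmt.get("Action"))
        hit = {a for a in REQUIRED_STREAM_ACTIONS if any(_action_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit
    return allowed - denied


def missing_stream_permissions(policy, event_source_arns):
    """Map each stream ARN to the required actions the policy does not grant on it.
    An empty dict means every mapping would pass the role check."""
    report = {}
    for arn in event_source_arns:
        missing = sorted(set(REQUIRED_STREAM_ACTIONS) - granted_stream_actions(policy, arn))
        if missing:
            report[arn] = missing
    return report


# Constructed sample: the stream statement from the generated role quoted in the thread,
# plus a second (invented) table's stream that the role does not cover.
TABLETEST_STREAM = "arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145"
OTHER_STREAM = "arn:aws:dynamodb:us-east-1:XX:table/othertable/stream/2016-11-07T17:00:04.145"
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": list(REQUIRED_STREAM_ACTIONS),
            "Resource": TABLETEST_STREAM,
        }
    ],
}

if __name__ == "__main__":
    # A mapping on tabletest passes; a mapping on the other table would fail the role check.
    print(json.dumps(missing_stream_permissions(ROLE_POLICY, [TABLETEST_STREAM, OTHER_STREAM]), indent=2))
```

Run it against the policy document attached to the role that the function-level role: ARN points at; each ARN in the output is one that would produce the "Cannot access stream" error at deploy time.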

Hi buggy,

I have updated the role created externally with IAM role statements and updated the serverless framework to v1.3. Now, I see a new error on deploying:

Template format error: Unresolved resource dependencies
     [IamPolicyLambdaExecution] in the Resources block of
     the template

Here is my updated serverless.yaml

service: testservice

provider:
  name: aws
  runtime: nodejs4.3
  cfLogs: true
  stage: dev
  region: us-east-1

functions:
  Test1:
    handler: a.index
    name: test1
    role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
    description: test1
    memorySize: 512 # optional, default is 1024
    timeout: 60 # optional, default is 6
  Test2:
    handler: b.index
    name: test2
    role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
    description: test2
    memorySize: 512 # optional, default is 1024
    timeout: 60 # optional, default is 6
  Test3:
    handler: c.index
    name: test3
    role: arn:aws:iam:us-east-1:XX:role/lambda_dynamo
    description: test3
    memorySize: 512 # optional, default is 1024
    timeout: 60 # optional, default is 6

resources:
  Resources:
    StreamFunctionEventSourceMappingDynamodbMyTable1:
      Type: AWS::Lambda::EventSourceMapping
      DependsOn: IamPolicyLambdaExecution
      Properties:
        BatchSize: 100
        EventSourceArn: arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145
        FunctionName: test1
        StartingPosition: LATEST
        Enabled: True
    StreamFunctionEventSourceMappingDynamodbMyTable2:
      Type: AWS::Lambda::EventSourceMapping
      DependsOn: IamPolicyLambdaExecution
      Properties:
        BatchSize: 100
        EventSourceArn: arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145
        FunctionName: test2
        StartingPosition: LATEST
        Enabled: True
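The "Unresolved resource dependencies" error means a DependsOn (or a Ref / Fn::GetAtt) names a logical id that the generated CloudFormation template no longer defines. The check below walks a template and reports such dangling references, so the problem shows up before a deploy is attempted. This is an added example, not code from the thread or from the Serverless Framework; the sample template is constructed from the two event source mappings quoted above, and the Resources block contains no IamPolicyLambdaExecution, which is what triggers the finding.

```python
"""Local check for the "Unresolved resource dependencies" template error:
walk a CloudFormation template and report every DependsOn, Ref or
Fn::GetAtt that names a logical id the template does not define.
Added example, not code from the thread or from the Serverless Framework.
The sample template is constructed from the resources block in the thread."""
import json

# Pseudo parameters that Ref may name without a matching resource or parameter.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NoValue", "AWS::NotificationARNs", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _walk_references(node, found):
    """Collect logical ids named by Ref / Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if "Ref" in node and isinstance(node["Ref"], str) and len(node) == 1:
            found.add(node["Ref"])
        if "Fn::GetAtt" in node and len(node) == 1:
            target = node["Fn::GetAtt"]
            # Both the list form [id, attr] and the "id.attr" string form occur.
            found.add(target[0] if isinstance(target, list) else str(target).split(".", 1)[0])
        for child in node.values():
            _walk_references(child, found)
    elif isinstance(node, list):
        for child in node:
            _walk_references(child, found)


def unresolved_dependencies(template):
    """Return {logical_id: sorted missing ids} for resources whose DependsOn,
    Ref or Fn::GetAtt points at nothing in Resources or Parameters."""
    resources = template.get("Resources", {})
    known = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    problems = {}
    for logical_id, resource in resources.items():
        wanted = set(_as_list(resource.get("DependsOn", [])))
        _walk_references(resource.get("Properties", {}), wanted)
        missing = sorted(wanted - known)
        if missing:
            problems[logical_id] = missing
    return problems


def _mapping(function_name):
    """One EventSourceMapping as in the thread, with the DependsOn that fails in v1.3."""
    return {
        "Type": "AWS::Lambda::EventSourceMapping",
        "DependsOn": "IamPolicyLambdaExecution",
        "Properties": {
            "BatchSize": 100,
            "EventSourceArn": "arn:aws:dynamodb:us-east-1:XX:table/tabletest/stream/2016-11-07T17:00:04.145",
            "FunctionName": function_name,
            "StartingPosition": "LATEST",
            "Enabled": True,
        },
    }


# Constructed sample: the two mappings from the thread and no IamPolicyLambdaExecution resource.
TEMPLATE = {
    "Resources": {
        "StreamFunctionEventSourceMappingDynamodbMyTable1": _mapping("test1"),
        "StreamFunctionEventSourceMappingDynamodbMyTable2": _mapping("test2"),
    }
}


def without_dependson(template):
    """Copy of the template with every DependsOn removed, to show the check passing
    once the stale reference is gone."""
    fixed = json.loads(json.dumps(template))
    for resource in fixed["Resources"].values():
        resource.pop("DependsOn", None)
    return fixed


if __name__ == "__main__":
    print(json.dumps(unresolved_dependencies(TEMPLATE), indent=2))
    print(json.dumps(unresolved_dependencies(without_dependson(TEMPLATE)), indent=2))
```

To use it on a real deployment, load the compiled template JSON that the framework writes into the .serverless directory and pass the parsed dict to unresolved_dependencies; every id it lists is one CloudFormation will reject.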

I’ll probably start upgrading to 1.3 later this week. Once I do I’ll have a look at this again.

FWIW Resource takes either a single value or an array of values - you don’t need to repeat the whole policy statement for each ARN.

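Two earlier points in the thread, buggy's per-stream statements and rowanu's remark that Resource accepts an array, fit in one worked example: build the stream statement for several tables as a single statement with a Resource list, collapse statements that differ only in Resource, and flag any statement that grants the stream actions on "*" rather than on the specific stream ARNs the mapping needs. This is an added example, not code from the thread or from the Serverless Framework; the XX, YY and ZZ table names and the "XX" account id are the placeholders used in the thread.

```python
"""Build the DynamoDB-stream statement for several tables as one statement with
a Resource array, collapse repeated statements that differ only in Resource,
and flag statements that grant the stream actions on "*".  Added example, not
from the thread or the Serverless Framework; table names and the "XX" account
id are the placeholders used in the thread."""
import json

STREAM_ACTIONS = [
    "dynamodb:DescribeStream",
    "dynamodb:GetRecords",
    "dynamodb:GetShardIterator",
    "dynamodb:ListStreams",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def stream_statement(stream_arns):
    """One Allow statement over all given stream ARNs (Resource is a list when there are several)."""
    arns = sorted(set(stream_arns))
    return {
        "Effect": "Allow",
        "Action": list(STREAM_ACTIONS),
        "Resource": arns[0] if len(arns) == 1 else arns,
    }


def merge_statements(statements):
    """Union the Resource of statements that share Effect and Action.
    Statements carrying any other key (Sid, Condition, NotAction, Principal, ...)
    are passed through untouched, since merging them could change their meaning."""
    out, index = [], {}
    for stmt in statements:
        if set(stmt) - {"Effect", "Action", "Resource"}:
            out.append(stmt)
            continue
        key = (stmt.get("Effect"), tuple(sorted(_as_list(stmt.get("Action")))))
        resources = set(_as_list(stmt.get("Resource")))
        if key in index:
            index[key]["Resource"] = sorted(set(index[key]["Resource"]) | resources)
        else:
            index[key] = {"Effect": stmt.get("Effect"), "Action": _as_list(stmt.get("Action")),
                          "Resource": sorted(resources)}
            out.append(index[key])
    return out


def wildcard_stream_grants(statements):
    """Return Allow statements that grant stream read actions on Resource "*";
    the event source mapping only needs the specific stream ARNs."""
    stream_actions = {a.lower() for a in STREAM_ACTIONS}
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        touches_streams = bool(actions & stream_actions) or actions & {"dynamodb:*", "*"}
        if touches_streams and "*" in _as_list(stmt.get("Resource")):
            flagged.append(stmt)
    return flagged


# Constructed sample: the three per-table statements from the thread.
ARN_XX = "arn:aws:dynamodb:us-east-1:XX:table/XX/stream/2016-11-07T17:00:04.145"
ARN_YY = "arn:aws:dynamodb:us-east-1:XX:table/YY/stream/2016-11-07T17:00:04.145"
ARN_ZZ = "arn:aws:dynamodb:us-east-1:XX:table/ZZ/stream/2016-11-07T17:00:04.145"
THREE_STATEMENTS = [
    {"Effect": "Allow", "Action": list(STREAM_ACTIONS), "Resource": arn}
    for arn in (ARN_XX, ARN_YY, ARN_ZZ)
]

if __name__ == "__main__":
    # The three statements collapse into one with a three-element Resource list.
    print(json.dumps({"Version": "2012-10-17", "Statement": merge_statements(THREE_STATEMENTS)}, indent=2))
```

The merged statement is the JSON form of what goes under provider.iamRoleStatements in serverless.yml, with Resource written as a YAML list; the wildcard check is worth running over any role document before it is attached, since "*" on these actions lets the function read every stream in the account.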

Hi rowanu,

I am repeating the StreamFunctionEventSourceMapping in the Resources as I require mappings for 2 different functions.

Let me know your thoughts.

Hi buggy,

Please let me know if you are seeing a similar issue after the upgrade.

Hi buggy,

Let me know if you are able to see the issue.