My Lambda function needs to be able to both read from and write to DynamoDB, and to receive and send messages with SQS.
When `sqs` is defined under `events`, the function is not granted permission to send messages, only to receive them:
```yaml
functions:
  getOffers:
    handler: getoffers.main
    events:
      - sqs: arn:aws:sqs:eu-west-1:XXXXXXXXXXX:${self:custom.stage}-queue
```
I thought of doing it like the below, but this seems very clumsy and I don't think it would work:

```yaml
iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:DescribeTable
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
      - sqs:SendMessage
    # Restrict our IAM role permissions to
    # the specific table for the stage
    Resource:
      - arn:aws:dynamodb:eu-west-1:XXXXXXXXXXX:table/${self:custom.stage}-test
      - arn:aws:sqs:eu-west-1:XXXXXXXXXXX:${self:custom.stage}-queue
```
I build my template for SAM; I put `dynamodb:update` and `dynamodb:query`, but if you need more actions I think it goes like this:

```yaml
ReadUpdateFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: ReadUpdateFunction
    CodeUri: tools/dynamo_massively_update/queueQuery
    Handler: app.lambda_handler
    Runtime: python3.7
    # Must reference the logical ID of the role resource defined below
    Role: !GetAtt [ ReadMassivelyUpdateFunctionRole, Arn ]
    Environment:
      Variables:
        DynamoQueue: !Ref DynamoQueue
        UpdateQueue: !Ref UpdateQueue
ReadMassivelyUpdateFunctionRole:
  Type: AWS::IAM::Role
  Properties:
    # Trust policy: only the Lambda service may assume this role
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: "/"
    Policies:
      - PolicyName: ReadMassivelyUpdateFunctionPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            # CloudWatch Logs permissions so the function can write its logs
            - Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: arn:aws:logs:*:*:*
            # DynamoDB and SQS permissions; sqs:SendMessage is the one the
            # event source mapping alone does not grant
            - Effect: Allow
              Action:
                - dynamodb:*
                - sqs:ReceiveMessage
                - sqs:GetQueueAttributes
                - sqs:ChangeMessageVisibility
                - sqs:DeleteMessage
                - sqs:SendMessage
              # "*" covers every table and queue in the account; narrow this
              # to the table and queue ARNs where you can
              Resource: "*"
```
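As an added example that is not from either post, here is a Serverless Framework `serverless.yml` that does what the question asks with separately scoped statements, using `provider.iamRoleStatements` as in the question. It assumes the queue and table are declared in the service's own `resources` block under the hypothetical logical IDs `OffersQueue` and `OffersTable` (with an assumed `id` hash key), so their ARNs are referenced instead of hard-coding the account ID; the framework itself adds the receive-side SQS permissions for the `sqs` event, so only `sqs:SendMessage` needs to be granted explicitly.

```yaml
service: offers
custom:
  stage: ${opt:stage, 'dev'}
provider:
  name: aws
  runtime: python3.7
  iamRoleStatements:
    # DynamoDB: only the actions the handler uses, only on this stage's table
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource:
        - Fn::GetAtt: [OffersTable, Arn]   # assumed logical ID, see resources
    # SQS: the sqs event below already adds ReceiveMessage, DeleteMessage and
    # GetQueueAttributes to the function role; SendMessage is granted here
    - Effect: Allow
      Action:
        - sqs:SendMessage
      Resource:
        - Fn::GetAtt: [OffersQueue, Arn]   # assumed logical ID, see resources
functions:
  getOffers:
    handler: getoffers.main
    events:
      - sqs:
          arn:
            Fn::GetAtt: [OffersQueue, Arn]
resources:
  Resources:
    OffersQueue:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: ${self:custom.stage}-queue
    OffersTable:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:custom.stage}-test
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: id      # assumed key schema
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
```

After `sls deploy`, the generated `IamRoleLambdaExecution` in the CloudFormation stack should show the SQS receive actions from the event plus the two statements above, each bound to a single ARN.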