3

I'm trying to follow this tutorial, but when I try to test the API I've created, I get the following message:

API Gateway does not have permission to assume the provided role

The API request should be posting to a DynamoDB table I've created.

I've created an IAM Role and attached the policy AmazonDynamoDBFullAccess. I've also tried attaching this policy to my administrator user.

Here is the integration request in my API:

enter image description here

Any help is much appreciated.

Spencer Goff

2 Answers

5

Below worked for me

Go to IAM > Roles > whateverRole > Trust Relationships > Edit Trust Relationship and add apigateway under Statements

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Assisted by this guy https://histerr.blogspot.com/2016/06/api-gateway-does-not-have-permission-to.html?showComment=1549214559316#c3046645274286738526

NoloMokgosi
2

The ARN you have provided for the IAM Role is a policy. It needs to be a role. Please go to your generated role and update your ARN to that. It should look something like this *:role/AmazonDynamoDBFullAccess-201709151726

asdf
  • That is precisely what the trust relationship looks like for the role that has the AmazonDynamoDBFullAccess-201709151726 policy attached to it. – Spencer Goff Sep 18 '17 at 17:27
  • @SpencerGoff Actually, it looks like you have the ARN for the policy specified in the role field. Please attach the policy to a role then put the role ARN there. – asdf Sep 18 '17 at 17:29
  • That worked! Thanks so much @asdf. Want to post a new answer so I can mark it correct? – Spencer Goff Sep 18 '17 at 17:33
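
The two answers above point at two separate causes of this error: the execution role field holding a policy ARN instead of a role ARN, and a role whose trust relationship does not name apigateway.amazonaws.com. The following offline check covers both; it is an added example, not part of either answer, and the account ID, sample documents and function names are constructed for illustration.

```python
import json
import re

# IAM ARN: partition, account id (or "aws" for AWS-managed policies), resource type, name.
IAM_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}|aws):([a-z-]+)/(.+)$")
APIGW = "apigateway.amazonaws.com"

def _as_list(value):
    """IAM JSON accepts either a single value or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_role_arn(arn):
    """Return None if arn names an IAM role, else a description of the problem."""
    m = IAM_ARN.match(arn)
    if not m:
        return "not an IAM ARN"
    if m.group(3) != "role":
        return f"ARN names a {m.group(3)}, not a role"
    return None

def trusts_api_gateway(trust_policy):
    """True if an Allow statement lets apigateway.amazonaws.com call sts:AssumeRole.
    Condition blocks and explicit Deny statements are not evaluated here."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    for stmt in _as_list(doc.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if (stmt.get("Effect") == "Allow" and APIGW in services
                and any(a in ("sts:assumerole", "sts:*", "*") for a in actions)):
            return True
    return False

def diagnose(arn, trust_policy):
    """Collect every reason API Gateway could not assume the configured role."""
    problems = [p for p in [check_role_arn(arn)] if p]
    if not trusts_api_gateway(trust_policy):
        problems.append(f"trust policy does not let {APIGW} assume the role")
    return problems

# Constructed sample inputs (123456789012 is a placeholder account id).
ROLE_ARN = "arn:aws:iam::123456789012:role/AmazonDynamoDBFullAccess-201709151726"
POLICY_ARN = "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
EC2_ONLY = {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                          "Principal": {"Service": "ec2.amazonaws.com"}}}
BOTH = {"Statement": [EC2_ONLY["Statement"],
                      {"Effect": "Allow", "Action": ["sts:AssumeRole"],
                       "Principal": {"Service": [APIGW]}}]}

if __name__ == "__main__":
    print(diagnose(POLICY_ARN, EC2_ONLY))  # both problems reported
    print(diagnose(ROLE_ARN, BOTH))        # no problems
```
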