
I'm getting this error:

"message": "User: arn:aws:sts::XXXXX:assumed-role/lambda-my-account-dev-us-east-2-lambdaRole/lambda-my-account-dev-my-account is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-2:XXXX:table/dev-app-transactions/index/transactionsByUserId",

I'm confused about giving permissions on table. In serverless.yml I have:

service: lambda-my-account
provider:
  name: aws
  runtime: nodejs12.x
  region: ${opt:region, 'us-east-2'}
  stage: ${opt:stage, 'dev'}
  tags:
    datadog: ${self:provider.stage}
  environment:
    # some environment variables
  iamRoleStatements:
    - Effect: Allow
      Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
      Resource: "arn:aws:logs:*:*:*"
    - Effect: Allow
      Action:
        - dynamodb:Query
      Resource:
        - "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}"

# rest of file

Why am I getting that error?

Is there anything in resources that I haven't configured? I think that the problem is with my index on that table. I made it by hand in the AWS console, but I'm not sure if I need to configure it here in the serverless.yml file too.


pmiranda

1 Answer


You also need to give your role dynamodb:Query permissions on the index itself. You can add a resource statement like:

"arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}/index/transactionsByUserId" to the iamRoleStatements section.

Brian Winant
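The fix described in the answer, shown in context as an added example (this is not the answerer's or the asker's configuration). It assumes a `DYNAMODB_TABLE_TRANSACTIONS` environment variable set to `${self:provider.stage}-app-transactions`, which matches the `dev-app-transactions` table in the error message but is not shown in the original post. The account ID is left as `*` as in the question; narrowing it to your account ID tightens the policy further.

```yaml
service: lambda-my-account
provider:
  name: aws
  runtime: nodejs12.x
  region: ${opt:region, 'us-east-2'}
  stage: ${opt:stage, 'dev'}
  environment:
    # Assumed value: the original post references this variable but does not
    # show how it is defined.
    DYNAMODB_TABLE_TRANSACTIONS: ${self:provider.stage}-app-transactions
  iamRoleStatements:
    - Effect: Allow
      Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
      Resource: "arn:aws:logs:*:*:*"
    - Effect: Allow
      Action:
        - dynamodb:Query
      Resource:
        # The table ARN authorizes Query calls made without an IndexName
        # (and is what the original policy already granted).
        - "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}"
        # A Query with IndexName=transactionsByUserId is evaluated against
        # the index ARN, which is a separate resource from the table ARN;
        # without this entry the call is denied exactly as in the error.
        - "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}/index/transactionsByUserId"
```

Naming the specific index keeps the policy at least privilege; `table/.../index/*` also works but grants Query on every current and future GSI or LSI on the table. IAM evaluates the ARN string only, so an index created by hand in the console does not have to be declared under `resources` in serverless.yml for this statement to take effect; it just has to exist with that name when the Lambda runs.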