I've created my API in Vercel, which uses AWS Lambda. In my function, I've used a call to DynamoDB in my AWS account.

But I keep getting AccessDeniedException.
But when I run it locally, there is no issue.

AccessDeniedException: User: arn:aws:sts::764717618004:assumed-role/cloudwatch_logs_events_putter/L0ZFqQmkoVXQ44u8QwB1yH0f-805fd9d54732e5470e54bf12bd9a25672e379b5 is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:ap-south-1:764717618004:table/users

This addresses the issue when both Lambda and DynamoDB are in the same user account.

  • Have you given the `cloudwatch_logs_events_putter` role permissions for `dynamodb:GetItem`? – hephalump Nov 14 '20 at 13:59
  • I can't find any role with that name. I'm new to this. Should I be creating a role in that name? I've already given `AmazonDynamoDBFullAccess` to the IAM user. – srx Nov 14 '20 at 14:12
  • You'll have to update the policy for the `Role`, not the `User`. – hephalump Nov 14 '20 at 17:00
  • There was no such role to begin with, so I created one and gave it permissions, but it's still not working. – srx Nov 14 '20 at 17:19
  • The role existed because your Lambda had assumed it and STS had issued credentials which are not authorized. If you don't see the role, is it possible it's in a different account, or that you don't have permissions to see it? – hephalump Nov 14 '20 at 17:32
  • The Lambda is in another account (vercel.com) and I don't have permission to do anything. How would I let that Lambda use my DynamoDB? Creating a role hasn't helped much. Or maybe I'm missing something. – srx Nov 14 '20 at 17:39
  • Sorry, I am not familiar with vercel.com; maybe reach out to them for support with cross-account permissions. – hephalump Nov 14 '20 at 17:45
  • They don't have any option to change anything. I've looked through the whole documentation and couldn't find anything. I've also started a discussion in github/vercel, but have not received any reply yet. – srx Nov 14 '20 at 17:50

1 Answer

Well, guess what: after hours of combing through AWS documentation I got to the root of the issue. The user `arn:aws:sts::764717618004:assumed-role/` and the resource `arn:aws:dynamodb:ap-south-1:764717618004:table/users` are the same, which was odd once I thought about it.

Because the AWS ID of DynamoDB should've been mine, but it's evidently not. So I tried logging the accessKeyId, and to my surprise it was not what I set in the environment.
Then I just checked what's in `vercel env ls`. There was nothing wrong at first sight, but then I noticed a little typo: `DYNAMODB_ACCESS_KYE_ID`.

YES, IT WAS JUST A TYPO. Successfully wasted 6+ hours on a typo in an environment variable.

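The root cause in the answer, the SDK silently resolving the host's assumed-role credentials because the configured variable name was misspelled, is cheap to catch before the first DynamoDB call. The following is an added example, not code from the question, the answer or Vercel: it validates the credential environment variables (the variable names, sample values and function names are assumed for illustration), points at near-miss spellings such as the one in the answer, and checks that a caller identity ARN belongs to the expected account.

```javascript
// Added example (not from the post). Variable names are assumed for illustration.
const REQUIRED_ENV = ["DYNAMODB_ACCESS_KEY_ID", "DYNAMODB_SECRET_ACCESS_KEY"];
// Constructed sample environment reproducing the typo from the answer; values are placeholders.
const SAMPLE_ENV = {
  DYNAMODB_ACCESS_KYE_ID: "AKIA-PLACEHOLDER",
  DYNAMODB_SECRET_ACCESS_KEY: "placeholder-secret",
};

// Levenshtein edit distance, used to flag near-miss variable names.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// Reports required variables that are unset or empty, plus env keys within edit distance 2 of each.
function checkCredentialEnv(env, required = REQUIRED_ENV) {
  const missing = required.filter((name) => !env[name]);
  const suspects = {};
  for (const name of missing) {
    suspects[name] = Object.keys(env).filter((k) => k !== name && editDistance(k, name) <= 2);
  }
  return { ok: missing.length === 0, missing, suspects };
}

// Extracts the 12-digit account ID (5th ARN field) from an IAM/STS/DynamoDB ARN, or null.
function accountIdFromArn(arn) {
  const parts = arn.split(":");
  return parts.length >= 6 && /^\d{12}$/.test(parts[4]) ? parts[4] : null;
}

// True only when the caller ARN (what sts:GetCallerIdentity returns for the credentials the SDK
// actually resolved) belongs to the account that owns the table.
function credentialsBelongToAccount(callerArn, expectedAccountId) {
  return accountIdFromArn(callerArn) === expectedAccountId;
}

// Builds explicit credentials for the DynamoDB client; throws instead of letting the SDK fall back
// to the host's ambient role (the assumed-role user seen in the question) on a misspelled name.
function explicitCredentials(env) {
  const report = checkCredentialEnv(env);
  if (!report.ok) {
    const hints = report.missing.map((m) => (report.suspects[m].length ? `${m} (found similar: ${report.suspects[m].join(", ")})` : m));
    throw new Error(`Credential env misconfigured: ${hints.join("; ")}`);
  }
  return { accessKeyId: env.DYNAMODB_ACCESS_KEY_ID, secretAccessKey: env.DYNAMODB_SECRET_ACCESS_KEY };
}
```

Pass the object returned by `explicitCredentials(process.env)` as the client's `credentials` option and compare the identity ARN from `sts:GetCallerIdentity` against your own account ID at startup, so a mismatch fails loudly rather than surfacing later as a confusing AccessDeniedException.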