
When I try to query AWS Keyspaces (managed Cassandra) from an AWS Lambda, I get this error:

{
  "errorType": "AggregateException",
  "errorMessage": "One or more errors occurred. (All hosts tried for query failed (tried 11.11.111.11:9142: UnauthorizedException 'User arn:aws:iam::111111111111:user/user-for-keyspaces has no permissions.'; 11.11.111.11:9142: UnauthorizedException 'User arn:aws:iam::111111111111:user/user-for-keyspaces has no permissions.'))",
  "stackTrace": [
    "at lambda_method(Closure , Stream , Stream , LambdaContextInternal )"
  ],
  "cause": {
    "errorType": "NoHostAvailableException",
...

But in the AWS console for Keyspaces, I don't see anywhere to add permissions.

The user policy for user-for-keyspaces already has this attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cassandra:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

How do I add permissions in AWS Keyspaces?

Autumn88
sdgfsdh
  • Isn't [this](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html#programmatic.credentials.ssc) what you are looking for? – Marcin Feb 04 '21 at 11:25
  • @Marcin yes, I generated the credentials in the IAM security tab. However, I have figured this out now. – sdgfsdh Feb 04 '21 at 11:31

2 Answers

You should only require cassandra

{
  "Statement": [
    {
      "Sid": "keyspaces-full-access",
      "Principal": "*",
      "Action": [
        "cassandra:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Additionally, Amazon Keyspaces populates the system.peers table in your account with an entry for each availability zone where a VPC endpoint is available. To look up and store available interface VPC endpoints in the system.peers table, Amazon Keyspaces requires that you grant the IAM entity used to connect to Amazon Keyspaces access permissions to query your VPC for the endpoint and network interface information.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListVPCEndpoints",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcEndpoints"
      ],
      "Resource": "*"
    }
  ]
}

Learn more about VPC endpoints here

MikeJPR

The problem was actually nothing to do with the user in the error message, but the VPC endpoint I had created for Keyspaces.

The endpoint requires cassandra:* permissions to perform queries, e.g.

{
  "Statement": [
    {
      "Sid": "keyspaces-full-access",
      "Principal": "*",
      "Action": [
        "cassandra:*",
        "keyspaces:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
sdgfsdh
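Both answers boil down to the same diagnosis: two separate policy documents have to grant access, the IAM identity policy (which also needs the ec2:Describe* actions so Keyspaces can fill system.peers) and the VPC endpoint policy (which needs the cassandra actions the client uses). The script below is an added example, not code from either answer or from AWS; it applies a simplified IAM action match (explicit Deny wins, then any Allow; Resource, Principal, Condition and NotAction are not evaluated) to both documents and reports which required actions are missing. The sample policies are constructed, and cassandra:Select and cassandra:Modify are assumed here as representative data-plane actions to check for instead of the blanket cassandra:* the answers use.

```python
import fnmatch
import json

# Assumed representative actions (constructed for this example). The answers above
# grant cassandra:* instead; checking named actions lets you verify a narrower grant.
REQUIRED_ENDPOINT_ACTIONS = ["cassandra:Select", "cassandra:Modify"]
# Actions the IAM entity needs so Keyspaces can look up interface VPC endpoints
# for system.peers (from the first answer).
REQUIRED_IDENTITY_ACTIONS = ["ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcEndpoints"]


def _as_list(value):
    """IAM lets Statement/Action be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_action(policy, action):
    """Simplified IAM decision for one action.

    Action names are matched case-insensitively with the IAM wildcards * and ?
    (fnmatch also treats [...] as a class, which IAM does not, but policies rarely
    contain brackets). An explicit Deny that matches wins over any Allow.
    Resource, Principal, Condition and NotAction are deliberately ignored.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required):
    """Return the required actions that the policy does not allow, in order."""
    return [a for a in required if not evaluate_action(policy, a)]


def diagnose(identity_policy, endpoint_policy):
    """Check both documents the answers say must grant access."""
    return {
        "identity_missing": missing_actions(identity_policy, REQUIRED_IDENTITY_ACTIONS),
        "endpoint_missing": missing_actions(endpoint_policy, REQUIRED_ENDPOINT_ACTIONS),
    }


# Constructed sample: the user policy from the question (cassandra:* only, no ec2:Describe*).
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["cassandra:*"], "Effect": "Allow", "Resource": "*"}]
}""")

# Constructed sample: an endpoint policy that only covers the keyspaces:* namespace,
# so data-plane cassandra:* calls through the endpoint fail with UnauthorizedException.
BROKEN_ENDPOINT_POLICY = json.loads("""{
  "Statement": [{"Sid": "control-plane-only", "Principal": "*",
                 "Action": ["keyspaces:*"], "Effect": "Allow", "Resource": "*"}]
}""")

# Constructed samples of the corrected documents.
FIXED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["cassandra:Select", "cassandra:Modify"], "Effect": "Allow", "Resource": "*"},
        {"Sid": "ListVPCEndpoints", "Effect": "Allow",
         "Action": ["ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcEndpoints"], "Resource": "*"},
    ],
}
FIXED_ENDPOINT_POLICY = {
    "Statement": [{"Sid": "keyspaces-data-plane", "Principal": "*",
                   "Action": ["cassandra:Select", "cassandra:Modify"], "Effect": "Allow", "Resource": "*"}]
}

# Constructed sample showing that an explicit Deny overrides a wildcard Allow.
DENY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "cassandra:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "cassandra:Select", "Resource": "*"},
    ]
}

if __name__ == "__main__":
    print("before:", diagnose(USER_POLICY, BROKEN_ENDPOINT_POLICY))
    print("after: ", diagnose(FIXED_IDENTITY_POLICY, FIXED_ENDPOINT_POLICY))
```

Running it on the "before" pair reports both ec2:Describe* actions missing from the identity policy and both cassandra actions missing from the endpoint policy, which is exactly the split the accepted diagnosis describes; on the corrected pair both lists are empty. Because the checker works on named actions, it also lets you confirm that a least-privilege grant (only the cassandra actions the Lambda actually issues) is sufficient before you tighten the cassandra:* and Principal "*" wildcards shown in the answers.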