I am following this tutorial from Medium.com to create a URL shortener using AWS.
I have set up the whole thing, but doing my first test I am getting a permissions error when trying to get a DynamoDB item from a Lambda.
As stated in the tutorial, the Lambda runs under a certain role. That role has the following policy attached:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:PutItem",
                    "dynamodb:DeleteItem",
                    "dynamodb:GetItem",
                    "dynamodb:Query",
                    "dynamodb:UpdateItem"
                ],
                "Resource": "arn:aws:dynamodb:eu-west-3:922842442607:table/lambda-dynamodb-url-shortener"
            }
        ]
    }
However, as I said before, I am getting this error:
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the GetItem operation: User: arn:aws:sts::***:assumed-role/lambda-dynamodb-url-shortener-role/url-shortener-create is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:eu-west-3:***:table/url-shortener-table
When I check in the IAM Policy Simulator, I can see that the role has the mentioned policy:
But, as expected given the error, I am getting this error when trying to simulate the access to DynamoDB with the role:
Any clue? :(
Your policy does not match the actual resource. You reference table/lambda-dynamodb-url-shortener in the policy but the error message mentions table/url-shortener-table. Therefore you either need to change the policy to allow access to table/url-shortener-table or fix the Lambda code to actually talk to a DynamoDB table named lambda-dynamodb-url-shortener. (Probably the first one fixes the issue)
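The comparison made in the answer can be automated. The following is an added example, not code from the question, the answer or the tutorial: it parses an AccessDeniedException message and reports whether the role's Allow statements miss the denied action or only the denied resource ARN. The names `explain_denial` and `iam_match`, the sample inputs and the placeholder account id 111122223333 are assumptions, and the check covers identity-policy Allow statements only (no Deny, Condition, NotAction/NotResource, permission boundaries or SCPs).

```python
import json
import re

# Constructed inputs modelled on the question; 111122223333 is a placeholder account id.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
    "Resource": "arn:aws:dynamodb:eu-west-3:111122223333:table/lambda-dynamodb-url-shortener"
  }]
}""")
ERROR = ("User: arn:aws:sts::111122223333:assumed-role/lambda-dynamodb-url-shortener-role/"
         "url-shortener-create is not authorized to perform: dynamodb:GetItem on resource: "
         "arn:aws:dynamodb:eu-west-3:111122223333:table/url-shortener-table")

DENIED = re.compile(r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)")

def as_list(value):
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def explain_denial(policy, error):
    """Say whether the denied action or the denied resource is what the policy misses."""
    m = DENIED.search(error)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    action, resource = m["action"], m["resource"]
    # Resource patterns of every Allow statement that covers the denied action.
    candidates = []
    for stmt in as_list(policy["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(iam_match(a, action, True) for a in actions):
            candidates += as_list(stmt.get("Resource", []))
    if not candidates:
        verdict = "action-not-allowed"
    elif any(iam_match(r, resource) for r in candidates):
        verdict = "allowed"
    else:
        verdict = "resource-mismatch"
    return {"action": action, "resource": resource,
            "verdict": verdict, "policy_resources": candidates}

if __name__ == "__main__":
    print(json.dumps(explain_denial(POLICY, ERROR), indent=2))
```

A `resource-mismatch` verdict with a non-empty `policy_resources` list is the situation in this question: the action is granted, but on a different table ARN than the one the function calls.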