如何解决Lambda 写入 DynamoDB IAM 角色不起作用
我有一个简单的 Node lambda,尝试使用无服务器框架将一些数据写入 DynamoDB 表。
这是我的 serverless.yml:
frameworkVersion: '2'
custom:
tableName: 'users-table-${self:provider.stage}'
defaultRegion: eu-west-2
gitBranch: ${git:branch}
plugins:
- serverless-plugin-git-variables
provider:
name: aws
runtime: nodejs12.x
lambdaHashingVersion: '20201221'
stage: ${self:custom.gitBranch}
region: ${opt:region,self:custom.defaultRegion}
apiGateway:
shouldStartNameWithService: true
environment:
USERS_TABLE: ${self:custom.tableName}
iam:
role:
statements:
- Effect: Allow
Action:
- dynamodb:Scan
- dynamodb:Query
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:GetItem
Resource:
- "arn:aws:dynamodb:${opt:region,self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}"
- "arn:aws:dynamodb:${opt:region,self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}/index/sk-pk-index"
functions:
signup-api:
handler: handler.handler
events:
- http: ANY /
- http: 'ANY /{proxy+}'
resources:
Resources:
surveysTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: ${self:provider.environment.USERS_TABLE}
AttributeDeFinitions:
- AttributeName: pk
AttributeType: S
- AttributeName: sk
AttributeType: S
KeySchema:
- AttributeName: pk
KeyType: HASH
- AttributeName: sk
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
GlobalSecondaryIndexes:
- IndexName: sk-pk-index
KeySchema:
- AttributeName: sk
KeyType: HASH
- AttributeName: pk
KeyType: RANGE
Projection:
ProjectionType: ALL
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
以下是 lambda 尝试写入 dynamo 的方式:
module.exports.create = async function(body) {
const user_id = uuidv4
const profile_data = body['profile']
const putParams = {
TableName: tableName,Item: {
'pk': 'USER#' + user_id,'sk': 'PROFILE#' + user_id,'profile_data': profile_data
}
}
try {
await dynamodb.put(putParams).promise()
return putParams.Item
} catch (error) {
console.log(error)
throw new Error(error)
}
}
在 lambda IAM 中,它确实看起来拥有所有权限:
{
"errorType": "Runtime.UnhandledPromiseRejection","errorMessage": "Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development","reason": {
"errorType": "Error","errorMessage": "AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development","stack": [
"Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development"," at Object.module.exports.create (/var/task/entities/users.js:27:15)"," at processticksAndRejections (internal/process/task_queues.js:97:5)"
]
},"promise": {},"stack": [
"Runtime.UnhandledPromiseRejection: Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development"," at process.<anonymous> (/var/runtime/index.js:35:15)"," at process.emit (events.js:314:20)"," at process.EventEmitter.emit (domain.js:483:12)"," at processpromiseRejections (internal/process/promises.js:209:33)"," at processticksAndRejections (internal/process/task_queues.js:98:32)"
]
}
解决方法
该政策适用于 eu-west-2,但您尝试访问的资源在 us-east-1 中。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
