DynamoDB w / Serverless,使用Fn :: GetRef引用全局二级索引

时间:2018-06-02 22:43:20

标签: amazon-dynamodb serverless-framework dynamodb-queries aws-serverless

我有一个API /服务我用DynamoDB表定义。我有几个索引(定义为全局二级索引)来支持几个查询。我有设计的表,GSI定义,以及看起来像正确的查询。但是,在进行查询时出现此异常:

{ AccessDeniedException: User: arn:aws:sts::OBSCURED:assumed-role/chatroom-application-dev-us-east-1-lambdaRole/chatroom-application-dev-getRoomMessages is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:OBSCURED:table/messages-table-dev/index/roomIndex
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:48:27)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: 'User: arn:aws:sts::OBSCURED:assumed-role/chatroom-application-dev-us-east-1-lambdaRole/chatroom-application-dev-getRoomMessages is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:OBSCURED:table/messages-table-dev/index/roomIndex',
code: 'AccessDeniedException',
time: 2018-06-02T22:05:46.110Z,
requestId: 'OBSCURED',
statusCode: 400,
retryable: false,
retryDelay: 30.704899664776054 }

在异常的顶部,它表示我的getRoomMessages方法is not authorized to perform: dynamodb:Query on resource:的ARN,并显示全局二级索引的ARN。

似乎很清楚,我需要定义策略以授予访问全局二级索引的权限。但它根本不清楚如何。我已经看到有关DynamoDB的其他StackOverflow问题抱怨碎片文档以及找到任何内容有多困难。我必须同意。这个词&#34;支离破碎&#34;太温和了。

我正在使用无服务器框架。 provider部分显示了此政策/角色定义:

provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource:
        - { "Fn::GetAtt": ["MessagesDynamoDBTable", "Arn" ] }
        - { "Fn::GetAtt": ["#roomIndex", "Arn" ] }
        - { "Fn::GetAtt": ["#userIndex", "Arn" ] }
  environment:
    MESSAGES_TABLE: ${self:custom.tableName}

Resource部分,我相信我应该列出声明权限的资源。第一个引用表作为一个整体。我刚刚添加的最后两个,并引用索引。

编辑:当我运行serverless deploy时,会打印以下信息:

The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource #roomIndex

我尝试了几种变体只是为了得到同样的错误。这归结为 - 如何在serverless.yml中使用Cloudfront语法获取索引的ARN 。 ARN确实存在,因为它显示在例外中。

DynamoDB表定义:

resources:
  Resources:
    MessagesDynamoDBTable:
      Type: AWS::DynamoDB::Table
      Properties:
        AttributeDefinitions:
          - AttributeName: messageId
            AttributeType: S
          - AttributeName: room
            AttributeType: S
          - AttributeName: userId
            AttributeType: S
        KeySchema:
          - AttributeName: messageId
            KeyType: HASH
        GlobalSecondaryIndexes:
          - IndexName: roomIndex
            KeySchema:
              - AttributeName: room
                KeyType: HASH
            Projection:
              ProjectionType: ALL
            ProvisionedThroughput:
              ReadCapacityUnits: 1
              WriteCapacityUnits: 1
          - IndexName: userIndex
            KeySchema:
              - AttributeName: userId
                KeyType: HASH
            Projection:
              ProjectionType: ALL
            ProvisionedThroughput:
              ReadCapacityUnits: 1
              WriteCapacityUnits: 1
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        TableName: ${self:custom.tableName}

正在使用的查询对应于上述异常:

{
    "TableName": "messages-table-dev",
    "IndexName": "roomIndex",
    "KeyConditionExpression": "#roomIndex = :room",
    "ExpressionAttributeNames": {
        "#roomIndex": "room"
    },
    "ExpressionAttributeValues": {
        ":room": {
            "S": "everyone"
        }
    }
}

生成查询的Lambda函数代码片段:

app.get('/messages/room/:room', (req, res) => {
    const params = {
        TableName: MESSAGES_TABLE,
        IndexName: "roomIndex",
        KeyConditionExpression: '#roomIndex = :room',
        ExpressionAttributeNames: { '#roomIndex': 'room' },
        ExpressionAttributeValues: {
            ":room": { S: `${req.params.room}` }
        },
    };
    console.log(`QUERY ROOM ${JSON.stringify(params)}`);
    dynamoDb.query(params, (error, result) => {
        if (error) {
            console.log(error);
            res.status(400).json({ error: 'Could not get messages' });
        } else {
            res.json(result.Items);
        }
    });
});

3 个答案:

答案 0 :(得分:4)

我找到了比jake.lang发布的答案更好的答案。编辑:我没有看到他提出以下建议的第二条评论。

正如他所指出的,他的错误是因为ARN可能因正当理由而改变。但是,解决方案的出现是因为全球二级索引的ARN要附加&#34; / INDEXNAME&#34;到桌子的ARN。这意味着政策声明可以是:

iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource:
      - { "Fn::GetAtt": ["MessagesDynamoDBTable", "Arn" ] }
      - { "Fn::Join": [ "/", [ 
          { "Fn::GetAtt": ["MessagesDynamoDBTable", "Arn" ] }, "index", "roomIndex" 
        ]]}
      - { "Fn::Join": [ "/", [
          { "Fn::GetAtt": ["MessagesDynamoDBTable", "Arn" ] }, "index", "userIndex" 
        ]]}

&#34; Fn :: Join&#34; bit来自CloudFormation,是一个&#34; join&#34;操作。它需要一个字符串数组,使用第一个参数连接它们。因此,计算本政策声明中所要求的ARN是一种相当复杂且过于复杂的方法。

有关文档,请参阅:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-join.html

答案 1 :(得分:1)

以下是我在无服务器中声明我的工作GSI权限的方法。我不确定但是问题是你需要独立地为每个资源声明操作吗?

iamRoleStatements: 
  - Effect: Allow
    Action:
      - dynamodb:Query
      - dynamodb:GetItem
      - dynamodb:PutItem
    Resource: "arn:REDACTED:table/TABLENAME”
  - Effect: Allow
    Action:
      - dynamodb:Query
    Resource: "arn:REDACTED:table/TABLENAME/index/INDEXNAME”

这个对arn的硬编码可能不是最好的事情,但到目前为止它对我的开发工作得很好。

答案 2 :(得分:1)

您可以使用Fn::Join代替!Sub "${MessagesDynamoDBTable.Arn}",它更简单。此外,如果要访问所有索引(通常是我的情况),那么/index/*就足够了。

示例:

...
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:Query
              Resource:
                - !Sub "${MessagesDynamoDBTable.Arn}"
                - !Sub "${MessagesDynamoDBTable.Arn}/index/*"
...