AccessDenied on a DynamoDB GSI index

Time: 2018-07-26 11:31:43

Tags: serverless-framework serverless

I wrote a serverless.yml to deploy some lambdas, and one particular API uses a GSI.

It works if I run it locally with serverless-offline, but when the lambda is deployed I get this error:

AccessDeniedException: User: arn:aws:sts::408462944160:assumed-role/telecom-integration-dev-us-east-1-lambdaRole/integration-dev-dialerStatistics 
is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:408462944160:table/integration-dialer-dev/index/other_dial_status-index

This is how I created serverless.yml:

 iamRoleStatements:
   - Effect: Allow
     Action:
       - dynamodb:Query
       - dynamodb:Scan
       - dynamodb:GetItem
       - dynamodb:PutItem
       - dynamodb:UpdateItem
       - dynamodb:DeleteItem
     Resource:
       - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }


dialerStatistics:
  handler: integration/dialer.statistics
  description: Import data on dialer.
  memorySize: 256
  timeout: 30
  events:
    - http:
        path: dialer-statistics
        method: get
        cors: false
        private: false  


DialerDynamoDbTable:
  Type: 'AWS::DynamoDB::Table'
  DeletionPolicy: ${self:provider.environment.DELETION_POLICY}
  # DeletionPolicy: Delete # Useful for recreating environment in dev
  Properties:
    AttributeDefinitions:
      -
        AttributeName: "id"
        AttributeType: "S"
      -
        AttributeName: "dial_status"
        AttributeType: "S"
    KeySchema:
      -
        AttributeName: "id"
        KeyType: "HASH"
    ProvisionedThroughput:
      ReadCapacityUnits: 1
      WriteCapacityUnits: 1
    TableName: ${self:provider.environment.DIALER_TABLE}  
    GlobalSecondaryIndexes:
    - IndexName: "other_dial_status-index"
      KeySchema:
      - AttributeName: "dial_status"
        KeyType: HASH
      Projection:
        ProjectionType: "ALL"
      ProvisionedThroughput:
        ReadCapacityUnits: '20'
        WriteCapacityUnits: '20'

I'm probably missing some permission in iamRoleStatements, but I'm not sure what to do.

3 answers:

Answer 0 (score: 5)

Your IAM role doesn't cover the indexes. Try adding them to the role's resources:

iamRoleStatements:
   - Effect: Allow
     Action:
       - dynamodb:Query
       - dynamodb:Scan
       - dynamodb:GetItem
       - dynamodb:PutItem
       - dynamodb:UpdateItem
       - dynamodb:DeleteItem 
     Resource:        
       - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }
       - Fn::Join:
         - "/"
         -
           - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }
           - "index/*"

For reference, Fn::Join appends /index/* to the ARN of DialerDynamoDbTable.

It works locally because Serverless uses the "admin" IAM user you configured for it.
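To see why the original statement fails on the index while the corrected one passes, here is an added example (not from the answer above) that resolves the Fn::GetAtt / Fn::Join resources into ARNs and applies IAM-style wildcard matching to the table ARN and the index ARN from the error message. The account id and the simplified Allow-only evaluation (no Deny, no Condition) are assumptions for illustration.

```python
import re

# Constructed ARNs modelled on the question's error message (account id is a placeholder).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/integration-dialer-dev"
INDEX_ARN = TABLE_ARN + "/index/other_dial_status-index"

def resolve(node, attrs):
    """Evaluate the two CloudFormation intrinsics used in the answers: Fn::GetAtt and Fn::Join."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Fn::GetAtt":
            logical_id, attr = arg
            return attrs[(logical_id, attr)]
        if fn == "Fn::Join":
            delim, parts = arg
            return delim.join(resolve(p, attrs) for p in parts)
    raise ValueError(f"unsupported node: {node!r}")

def arn_matches(pattern, arn):
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None

def statement_allows(statement, action, arn, attrs):
    """True if an Allow statement lists the action and one Resource pattern covers arn."""
    if statement.get("Effect") != "Allow":
        return False
    if not any(arn_matches(a, action) for a in statement["Action"]):
        return False
    return any(arn_matches(resolve(r, attrs), arn) for r in statement["Resource"])

# Stand-in for the stack's resolved attribute: DialerDynamoDbTable.Arn (constructed).
ATTRS = {("DialerDynamoDbTable", "Arn"): TABLE_ARN}
GET_TABLE_ARN = {"Fn::GetAtt": ["DialerDynamoDbTable", "Arn"]}
ACTIONS = ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
           "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]
# The question's statement: only the table ARN.
BEFORE = {"Effect": "Allow", "Action": ACTIONS, "Resource": [GET_TABLE_ARN]}
# The answer's statement: table ARN plus <table ARN>/index/*.
AFTER = {"Effect": "Allow", "Action": ACTIONS,
         "Resource": [GET_TABLE_ARN, {"Fn::Join": ["/", [GET_TABLE_ARN, "index/*"]]}]}

def query_allowed(statement, arn):
    return statement_allows(statement, "dynamodb:Query", arn, ATTRS)

if __name__ == "__main__":
    for name, st in (("before", BEFORE), ("after", AFTER)):
        print(name, "table:", query_allowed(st, TABLE_ARN), "index:", query_allowed(st, INDEX_ARN))
```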

Answer 1 (score: 0)

For those looking for the CloudFormation version:

  PolicyDocument:
    Version: 2012-10-17
    Statement:
    - Effect: Allow
      Action:
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:DeleteItem
        - dynamodb:UpdateItem
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:BatchGetItem
        - dynamodb:BatchWriteItem
      Resource: [!GetAtt DialerDynamoDbTable.Arn, !Join ['/', [!GetAtt DialerDynamoDbTable.Arn, 'index/*']]]

Answer 2 (score: 0)

    Resource: 
      - arn:aws:dynamodb:*:*:table/${self:custom.myTable}
      - arn:aws:dynamodb:*:*:table/${self:custom.myTable}/index/*