尝试使用dynamodb扫描时出现以下错误:
“ errorMessage”:“发生错误(AccessDeniedException),当 调用扫描操作:用户: arn:aws:sts :: 747857903140:假定角色/ CodeStarWorker-helpbot-Lambda / awscodestar-helpbot-lambda-FindService-1L7IH17742JLR 无权执行:dynamodb:扫描资源: arn:aws:dynamodb:us-east-1:747857903140:table / HelpBot“
这在我的SAM模板中:
FindService:
Type: AWS::Serverless::Function
Properties:
Handler: find_service.handler
Runtime: python3.6
Role:
Fn::ImportValue:
!Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
Policies:
- AmazonDynamoDBFullAccess
该如何解决?
答案 0 :(得分:1)
根据this SAM CloudFormation doc:
策略-此功能所需的AWS托管IAM策略或IAM策略文档或SAM策略模板的名称,应将其附加到此功能的默认角色之后。 如果设置了Role属性,则此属性没有任何意义。
您需要为包含两个权限组的功能定义角色,并将其用作“角色”,或者将LambdaTrustRole的权限添加到“策略”。
后者看起来像这样:
Policies:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- dynamodb:Scan
Resource: arn:aws:dynamodb:region:account-id:table/table-name
- Effect: Allow
Action:
- ...
Resource: ...
答案 1 :(得分:0)
您需要像这样为您的调用者添加新的权限(例如lambda函数或...)(例如,我有两个表):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:eu-west-1:77777:table/order"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:eu-west-1:777:table/ExecutionId"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:eu-west-1:777777:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:eu-west-1:777777:log-group:/aws/lambda/MyReport:*"
]
}
]
}