Unable to query a DynamoDB table from a Lambda function

Time: 2019-07-09 18:09:23

Tags: aws-lambda amazon-dynamodb amazon-cloudformation

When executing the Lambda function I receive the error:

"AccessDeniedException: User: arn:aws:sts::342213474092:assumed-role/testServerlessStack-ExecRole-YZCIWMHK86D8/testServerlessStack-GetFailureKeysByOrder-OR3YS1NLQY0M is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-2:342213474092:table/Bar"

The function's execution role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-2:342213474092:table/Foo/*",
                "arn:aws:dynamodb:us-east-2:342213474092:table/Bar/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The Lambda queries Foo, then scans Bar.

1 answer:

Answer 0: (score: 1)

According to the documentation, the resource should have the format:

To query a table: arn:aws:dynamodb:region:account-id:table/table-name

Or: arn:aws:dynamodb:region:account-id:table/*

The same applies to Scan:

To scan a table: arn:aws:dynamodb:region:account-id:table/table-name

Or: arn:aws:dynamodb:region:account-id:table/*

Have you tried changing the resource to:

"Resource": [
            "arn:aws:dynamodb:us-east-2:342213474092:table/Foo",
            "arn:aws:dynamodb:us-east-2:342213474092:table/Bar"
        ],

Documentation here: DynamoDB API permissions

Based on your latest comment, this should work for you:

arn:aws:dynamodb:region:account-id:table/*/index/*
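The cause of the error in the question is visible once the IAM wildcard rules are applied mechanically: a Resource of table/Bar/* matches only ARNs that continue past "table/Bar/" (such as an index ARN), never the table ARN itself, so Scan on table/Bar is denied while Query on an index would be allowed. The following Python script is an added example, not code from the question or the answer: it contains a small, simplified evaluator of identity-policy Allow/Deny statements (IAM's own engine also handles conditions, NotAction/NotResource, resource policies and SCPs, which are omitted here) and runs the question's policy and the answer's corrected policy against the same three requests. The account and region are the ones from the question's ARNs; the index name "ByOrder" and the table "Other" are constructed placeholders.

```python
import re

# Account and region as they appear in the question's ARNs.
ACCOUNT = "342213474092"
REGION = "us-east-2"


def table_arn(name: str) -> str:
    """Build the table ARN in the documented form table/table-name."""
    return f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{name}"


def iam_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """IAM wildcard semantics for Action and Resource strings: '*' matches any
    run of characters (including '/'), '?' matches exactly one character, and
    everything else is literal.  The pattern must cover the whole string."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def matches(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """Full-string wildcard match; actions are case-insensitive, ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return iam_pattern_to_regex(pattern).fullmatch(value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified identity-policy evaluation (assumption: this is a teaching
    model, not IAM's real engine): default deny, any matching Allow grants,
    any matching Deny overrides.  Conditions and Not* elements are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(matches(a, action, case_insensitive=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The question's policy: Resource ends in "/*", so the table ARN itself never matches.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": [table_arn("Foo") + "/*", table_arn("Bar") + "/*"],
            "Effect": "Allow",
        }
    ],
}

# The answer's policy: bare table ARNs for table-level Scan/Query, plus the
# index pattern from the answer's last line for Query against indexes.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": [
                table_arn("Foo"),
                table_arn("Bar"),
                f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/*/index/*",
            ],
            "Effect": "Allow",
        }
    ],
}


def check(policy: dict) -> dict:
    """Evaluate the three requests that distinguish the two policies.
    "ByOrder" and "Other" are constructed names, not from the question."""
    return {
        "scan_bar_table": is_allowed(policy, "dynamodb:Scan", table_arn("Bar")),
        "query_foo_index": is_allowed(policy, "dynamodb:Query", table_arn("Foo") + "/index/ByOrder"),
        "scan_unrelated_table": is_allowed(policy, "dynamodb:Scan", table_arn("Other")),
    }


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check(policy))
```

Two things worth noting from the output. First, the original policy is not "too narrow" in some vague sense; it grants index access on Foo and Bar and nothing else, which is exactly why Query on an index succeeded while Scan on the table failed. Second, the answer's table/*/index/* pattern allows Query on the indexes of every table in that account and region, so if only Foo and Bar are needed, table/Foo/index/* and table/Bar/index/* keep the role at least privilege. For a check against the real engine rather than this model, the AWS CLI's aws iam simulate-principal-policy takes the role ARN, the action names and the resource ARNs and reports the same allowed/denied decision IAM would make.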