AccessDenied on DynamoDB GSI Index

Views: 64

Problem description


I've written a serverless.yml to deploy some lambdas, and I'm using a GSI in a specific API.


If I run locally using serverless-offline, it works, but I'm facing an error when deploying the lambda:

AccessDeniedException: User: arn:aws:sts::408462944160:assumed-role/telecom-integration-dev-us-east-1-lambdaRole/integration-dev-dialerStatistics 
is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:408462944160:table/integration-dialer-dev/index/other_dial_status-index


Here is how I've created serverless.yml

iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource:
      - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }


dialerStatistics:
  handler: integration/dialer.statistics
  description: Import data on dialer.
  memorySize: 256
  timeout: 30
  events:
    - http:
        path: dialer-statistics
        method: get
        cors: false
        private: false  


DialerDynamoDbTable:
  Type: 'AWS::DynamoDB::Table'
  DeletionPolicy: ${self:provider.environment.DELETION_POLICY}
  # DeletionPolicy: Delete # Useful for recreating environment in dev
  Properties:
    AttributeDefinitions:
      -
        AttributeName: "id"
        AttributeType: "S"
      -
        AttributeName: "dial_status"
        AttributeType: "S"
    KeySchema:
      -
        AttributeName: "id"
        KeyType: "HASH"
    ProvisionedThroughput:
      ReadCapacityUnits: 1
      WriteCapacityUnits: 1
    TableName: ${self:provider.environment.DIALER_TABLE}  
    GlobalSecondaryIndexes:
    - IndexName: "other_dial_status-index"
      KeySchema:
      - AttributeName: "dial_status"
        KeyType: HASH
      Projection:
        ProjectionType: "ALL"
      ProvisionedThroughput:
        ReadCapacityUnits: '20'
        WriteCapacityUnits: '20'


Probably it's missing some permission in iamRoleStatements, but I'm not sure what else I should do.

Recommended answer


Your IAM role does not cover the indexes. Try adding them to the role's resources:

iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
    Resource:
      - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }
      - Fn::Join:
          - "/"
          -
            - { "Fn::GetAtt": ["DialerDynamoDbTable", "Arn" ] }
            - "index/*"


For reference, the Fn::Join will append /index/* to DialerDynamoDbTable's ARN.


It worked locally because Serverless uses the "admin" IAM user you configured it with.
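As an added example (not part of the original question or answer), the script below shows why the question's statement denies the Query and why the answer's Fn::Join fixes it: it builds the two Resource lists as CloudFormation would resolve them and runs a simplified IAM action/resource wildcard match over them. The ARNs, account id and the evaluator itself are constructed assumptions; real IAM also evaluates conditions, NotAction/NotResource, SCPs and resource policies, which this model leaves out.

```python
import re

# Constructed sample ARNs, shaped like the ones in the question's error message
# (account id and names are placeholders, not the poster's real values).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/integration-dialer-dev"
INDEX_ARN = TABLE_ARN + "/index/other_dial_status-index"
DYNAMO_ACTIONS = ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
                  "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"]


def index_arn_pattern(table_arn: str) -> str:
    """Same result as the answer's Fn::Join: the table ARN followed by '/index/*'.

    Indexes live under the table ARN in a separate 'index/<name>' segment, so a
    policy that lists only the table ARN never matches a Query against a GSI.
    """
    return "/".join([table_arn, "index/*"])


def iam_pattern_matches(pattern: str, value: str) -> bool:
    """Simplified IAM wildcard match: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(statements, action: str, resource_arn: str) -> bool:
    """Simplified identity-policy evaluation (assumption: no conditions, SCPs or
    resource policies). An explicit Deny wins; otherwise one matching Allow is needed.
    """
    allowed = False
    for stmt in statements:
        # IAM action names match case-insensitively; resource ARNs are case-sensitive.
        action_hit = any(iam_pattern_matches(a.lower(), action.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(iam_pattern_matches(r, resource_arn)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The question's statement once CloudFormation resolves Fn::GetAtt: table ARN only.
ORIGINAL_STATEMENTS = [
    {"Effect": "Allow", "Action": DYNAMO_ACTIONS, "Resource": [TABLE_ARN]},
]

# The answer's statement: table ARN plus the "/index/*" pattern from Fn::Join.
FIXED_STATEMENTS = [
    {"Effect": "Allow", "Action": DYNAMO_ACTIONS,
     "Resource": [TABLE_ARN, index_arn_pattern(TABLE_ARN)]},
]


def explain(statements, action: str, resource_arn: str) -> str:
    verdict = "allowed" if is_allowed(statements, action, resource_arn) else "AccessDenied"
    return f"{action} on {resource_arn}: {verdict}"


if __name__ == "__main__":
    for label, stmts in (("original", ORIGINAL_STATEMENTS), ("fixed", FIXED_STATEMENTS)):
        print(label)
        print(" ", explain(stmts, "dynamodb:Query", TABLE_ARN))
        print(" ", explain(stmts, "dynamodb:Query", INDEX_ARN))
```

Running it prints "AccessDenied" for the index under the original statement and "allowed" under the fixed one, while a table that is not the function's own stays denied in both. A check like this, run against the role the function will actually assume, surfaces the mismatch before deployment; serverless-offline cannot, because it runs with the developer's own (here admin) credentials rather than the lambda's role.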
