AppSync BatchResolver AssumeRole Error


Question

I'm trying to use the new DynamoDB BatchResolvers to write to two DynamoDB tables in an AppSync resolver (currently using a Lambda function to do this). However, I'm getting the following permission error when looking at the CloudWatch logs:

User: arn:aws:sts::111111111111:assumed-role/appsync-datasource-ddb-xxxxxx-TABLE-ONE/APPSYNC_ASSUME_ROLE is not authorized to perform: dynamodb:BatchWriteItem on resource: arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;

I'm using TABLE-ONE as my data source in my resolver.

I added "dynamodb:BatchWriteItem" and "dynamodb:BatchGetItem" to TABLE-ONE's permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:BatchWriteItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-ONE",
        "arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-ONE/*",
        "arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO",
        "arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO/*"
      ]
    }
  ]
}
```

I have another resolver that uses the BatchGetItem operation and was getting null values in my response - changing the table's policy access level fixed the null values:

However, checking the box for BatchWriteItem doesn't seem to solve the issue, and neither does adding the permissions to the data source table's policy.

I also tested my resolver with the test feature in AppSync; the evaluated request and response work as intended.

Where else could I set the permissions for a BatchWriteItem operation between two tables? It seems like it's invoking the user's assumed-role instead of the table's role - can I 'force' it to use the table's role?

Accepted answer

It is using the role that you have configured for the table in the AppSync console. Note that that particular role should have appsync as a trusted entity.

Or if you use the new role tick box when creating the data source in the console, it should take care of it.
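The two conditions the answer points at can be checked offline before touching the console: the data-source role's trust policy must let appsync.amazonaws.com assume it, and its permission policy must allow the batch actions on every table the resolver touches, because a BatchWriteItem spanning TABLE-ONE and TABLE-TWO runs under the single role attached to the TABLE-ONE data source. The script below is an added example, not code from the original post or from AWS; the policy documents are constructed samples, the account id and table names are the placeholders from the question, and the evaluator is a deliberately simplified model of IAM (Effect, Action and Resource only, no conditions).

```python
"""Offline sanity check for an AppSync DynamoDB data-source role (added example)."""
import fnmatch

# Placeholders taken from the question, not real resources.
ACCOUNT = "111111111111"
TABLE_ONE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/TABLE-ONE"
TABLE_TWO = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/TABLE-TWO"
BATCH_ACTIONS = ("dynamodb:BatchGetItem", "dynamodb:BatchWriteItem")

# Constructed sample: trust policy as the console's "new role" option creates it.
TRUST_APPSYNC = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "appsync.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: a role carried over from the old Lambda setup; AppSync cannot assume it.
TRUST_LAMBDA_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def _permissions(*arns):
    """Build a constructed permission policy granting the batch actions on the given tables."""
    resources = [a for arn in arns for a in (arn, arn + "/*")]
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(BATCH_ACTIONS), "Resource": resources}],
    }

POLICY_ONE_TABLE = _permissions(TABLE_ONE)              # the situation in the question
POLICY_BOTH_TABLES = _permissions(TABLE_ONE, TABLE_TWO)  # what a cross-table batch needs

def _as_list(value):
    """IAM lets Action/Resource/Service be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(value, patterns, case_sensitive):
    """IAM-style wildcard match: '*' and '?' are supported; actions are case-insensitive."""
    v = value if case_sensitive else value.lower()
    return any(fnmatch.fnmatchcase(v, p if case_sensitive else p.lower()) for p in patterns)

def trusts_appsync(trust_policy):
    """True if some Allow statement lets the AppSync service principal call sts:AssumeRole."""
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not _matches("sts:AssumeRole", _as_list(st.get("Action", [])), False):
            continue
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "appsync.amazonaws.com" in services:
            return True
    return False

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any matching Allow, else implicit deny."""
    allowed = False
    for st in policy.get("Statement", []):
        if not _matches(action, _as_list(st.get("Action", [])), False):
            continue
        if not _matches(resource, _as_list(st.get("Resource", [])), True):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed

def missing_permissions(policy, actions, table_arns):
    """(action, arn) pairs the policy does not allow, in table order then action order."""
    return [(a, r) for r in table_arns for a in actions if not is_allowed(policy, a, r)]

def check_data_source_role(trust_policy, permission_policy, table_arns):
    """Human-readable list of problems; an empty list means the role is usable for the batch."""
    problems = []
    if not trusts_appsync(trust_policy):
        problems.append("trust policy does not allow appsync.amazonaws.com to assume the role")
    for action, arn in missing_permissions(permission_policy, BATCH_ACTIONS, table_arns):
        problems.append(f"{action} not allowed on {arn}")
    return problems

if __name__ == "__main__":
    for label, trust, perms in (("question", TRUST_APPSYNC, POLICY_ONE_TABLE),
                                ("lambda role", TRUST_LAMBDA_ONLY, POLICY_BOTH_TABLES),
                                ("fixed", TRUST_APPSYNC, POLICY_BOTH_TABLES)):
        print(label, check_data_source_role(trust, perms, [TABLE_ONE, TABLE_TWO]) or "ok")
```

Running it reproduces the question's failure as a permission gap on TABLE-TWO, flags a reused Lambda role as untrusted, and reports the fixed role as clean. The real policy in a live account can be pulled with `aws iam get-role` and `aws iam get-role-policy` and fed to the same functions; keep the grant to only the tables the resolver actually batches across rather than widening it to `table/*`.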
