AWS Lambda-(AccessDeniedException)调用扫描操作时，用户无权执行：DynamoDB：Scan [英] AWS Lambda - (AccessDeniedException) when calling the Scan operation User is not authorized to perform: dynamodb: Scan

问题描述

我尝试在AWS中通过boto3(Python)访问DynamoDB。在我的本地机器上运行这个。根据我在AWS运行中的了解，它只使用IAM角色来获取访问权限。但它不起作用。

  Lambda execution failed with status 200 due to customer function error: An error occurred (AccessDeniedException) when calling the Scan operation: 

  User: arn:aws:sts::021517822274:assumed-role/CodeStar-tt-api-subjects-Execution/

  awscodestar-tt-api-subjects-lambda-HelloWorld is not authorized to perform: dynamodb:

  Scan on resource: arn:aws:dynamodb:us-east-1:021517822274:table/tt-subjects. 

此处发送了完全相同的问题：

How to solve (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts... is not authorized to perform: dynamodb:Scan on resource.."?

并且我应用了建议的AmazonDynamoDBFullAccess策略。还尝试了以下内容：

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_specific-table.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html

我自己添加的策略(另外)是：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAndDescribe",
            "Effect": "Allow",
            "Action": [
                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": "*"
        },
        {
            "Sid": "SpecificTable",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": "arn:aws:dynamodb:*:*:table/tt-subjects"
        }
    ]
}

但我仍然收到相同的错误。

应用策略是否需要很长时间，或者仍可能导致这种情况的原因是什么？

推荐答案

现在我找到答案了。当我使用codestar创建我的lambda时，它还创建了一个permission boundary。

如何解决此问题：

• 删除边界(不推荐)
• 扩展边界，如下所示：

编辑lambda的边界：

1. 打开Lambda控制台
2. 转到选项卡配置
3. 在执行角色中，打开指向您的角色的链接
4. 现在您在IAM角色编辑器中。向下滚动到权限边界
5. 复制该名称(没有链接)
6. 在IAM菜单中选择"Policies"
7. 搜索复制的名称
8. 编辑(扩展)策略。

在我的示例中，关于DynamoDB，我向下滚动到sid 6(对于您来说可能有所不同)。它是允许挡路，具有许多简单条目和a*as资源。

所以我使用DynamoDB条目扩展了此挡路。现在看起来是这样的：

...
{
            "Sid": "6",
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging",
                "ec2:Describe*",
                "lambda:ListFunctions",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:PutLogEvents",
                "sns:Get*",
                "sns:List*",
                "sns:Publish",
                "sns:Subscribe",
                "xray:Put*",

                "dynamodb:BatchGet*",
                "dynamodb:DescribeStream",
                "dynamodb:DescribeTable",
                "dynamodb:Get*",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:BatchWrite*",
                "dynamodb:CreateTable",
                "dynamodb:Delete*",
                "dynamodb:Update*",
                "dynamodb:PutItem",

                "dynamodb:List*",
                "dynamodb:DescribeReservedCapacity*",
                "dynamodb:DescribeLimits",
                "dynamodb:DescribeTimeToLive"
            ],
            "Resource": [
                "*"
            ]
        },
...

非常感谢投稿人对我的帮助！

这篇关于AWS Lambda-(AccessDeniedException)调用扫描操作时，用户无权执行：DynamoDB：Scan的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！