DynamoDB 和无服务器:无权执行:dynamodb:Query 资源
DynamoDB and Serverless: not authorized to perform: dynamodb:Query on resource
我收到这个错误:
"message": "User: arn:aws:sts::XXXXX:assumed-role/lambda-my-account-dev-us-east-2-lambdaRole/lambda-my-account-dev-my-account is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-2:XXXX:table/dev-app-transactions/index/transactionsByUserId",
我对授予 table 的权限感到困惑。在 serverless.yml 我有:
service: lambda-my-account
provider:
name: aws
runtime: nodejs12.x
region: ${opt:region, 'us-east-2'}
stage: ${opt:stage, 'dev'}
tags:
datadog: ${self:provider.stage}
environment:
// some enviroments
iamRoleStatements:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "arn:aws:logs:*:*:*"
- Effect: Allow
Action:
- dynamodb:Query
Resource:
- "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}"
// rest of file
为什么我会收到该错误消息?
resources中有没有我没有配置的?我认为问题出在我的 table 索引上。我是在 AWS 控制台上手工制作的,但我不确定是否也需要在 serverless.yml 文件中进行配置。
您还需要为您的角色授予对索引本身的 dynamodb:Query 权限。您可以添加资源语句,例如:
"arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}/index/transactionsByUserId" 到 iamRoleStatements 部分。
我收到这个错误:
"message": "User: arn:aws:sts::XXXXX:assumed-role/lambda-my-account-dev-us-east-2-lambdaRole/lambda-my-account-dev-my-account is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-2:XXXX:table/dev-app-transactions/index/transactionsByUserId",
我对授予 table 的权限感到困惑。在 serverless.yml 我有:
service: lambda-my-account
provider:
name: aws
runtime: nodejs12.x
region: ${opt:region, 'us-east-2'}
stage: ${opt:stage, 'dev'}
tags:
datadog: ${self:provider.stage}
environment:
// some enviroments
iamRoleStatements:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "arn:aws:logs:*:*:*"
- Effect: Allow
Action:
- dynamodb:Query
Resource:
- "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}"
// rest of file
为什么我会收到该错误消息?
resources中有没有我没有配置的?我认为问题出在我的 table 索引上。我是在 AWS 控制台上手工制作的,但我不确定是否也需要在 serverless.yml 文件中进行配置。
您还需要为您的角色授予对索引本身的 dynamodb:Query 权限。您可以添加资源语句,例如:
"arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}/index/transactionsByUserId" 到 iamRoleStatements 部分。