Lambda 写入 DynamoDB IAM 角色不起作用

Lambda writing to DynamoDB IAM role not working

我有一个简单的 Node lambda 尝试使用无服务器框架将一些数据写入 DynamoDB table。

这是我的 serverless.yml:

frameworkVersion: '2'

custom:
  tableName: 'users-table-${self:provider.stage}'
  defaultRegion: eu-west-2
  gitBranch: ${git:branch}

plugins:
  - serverless-plugin-git-variables

provider:
  name: aws
  runtime: nodejs12.x
  lambdaHashingVersion: '20201221'
  stage: ${self:custom.gitBranch}
  region: ${opt:region, self:custom.defaultRegion}
  apiGateway:
    shouldStartNameWithService: true
  environment:
    USERS_TABLE: ${self:custom.tableName}
  iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - dynamodb:Scan
            - dynamodb:Query
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:GetItem
          Resource: 
            - "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}"
            - "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}/index/sk-pk-index"
  

functions:
  signup-api:
    handler: handler.handler
    events:
      - http: ANY /
      - http: 'ANY /{proxy+}'


resources:
  Resources:
    surveysTable: 
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:provider.environment.USERS_TABLE}
        AttributeDefinitions:
          - AttributeName: pk
            AttributeType: S
          - AttributeName: sk
            AttributeType: S
        KeySchema:
          - AttributeName: pk
            KeyType: HASH
          - AttributeName: sk
            KeyType: RANGE
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        GlobalSecondaryIndexes:
        - IndexName: sk-pk-index
          KeySchema:
          - AttributeName: sk
            KeyType: HASH
          - AttributeName: pk
            KeyType: RANGE
          Projection:
            ProjectionType: ALL
          ProvisionedThroughput: 
            ReadCapacityUnits: 1
            WriteCapacityUnits: 1

以下是 lambda 尝试写入 dynamo 的方式:

module.exports.create = async function(body) {
    const user_id = uuidv4
    const profile_data = body['profile']
    const putParams = {
        TableName: tableName,
        Item: {
            'pk': 'USER#' + user_id,
            'sk': 'PROFILE#' + user_id,
            'profile_data': profile_data
        }
    }
    try {
        await dynamodb.put(putParams).promise()
        return putParams.Item
    } catch (error) {
        console.log(error)
        throw new Error(error)
    }
}

在 lambda IAM 中,它看起来确实拥有所有权限:

但是当 运行 函数时出现此错误:

{
    "errorType": "Runtime.UnhandledPromiseRejection",
    "errorMessage": "Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
    "reason": {
        "errorType": "Error",
        "errorMessage": "AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
        "stack": [
            "Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
            "    at Object.module.exports.create (/var/task/entities/users.js:27:15)",
            "    at processTicksAndRejections (internal/process/task_queues.js:97:5)"
        ]
    },
    "promise": {},
    "stack": [
        "Runtime.UnhandledPromiseRejection: Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
        "    at process.<anonymous> (/var/runtime/index.js:35:15)",
        "    at process.emit (events.js:314:20)",
        "    at process.EventEmitter.emit (domain.js:483:12)",
        "    at processPromiseRejections (internal/process/promises.js:209:33)",
        "    at processTicksAndRejections (internal/process/task_queues.js:98:32)"
    ]
}

策略适用于 eu-west-2,但您尝试访问的资源位于 us-east-1