Lambda 写入 DynamoDB IAM 角色不起作用
Lambda writing to DynamoDB IAM role not working
我有一个简单的 Node lambda 尝试使用无服务器框架将一些数据写入 DynamoDB table。
这是我的 serverless.yml:
frameworkVersion: '2'
custom:
tableName: 'users-table-${self:provider.stage}'
defaultRegion: eu-west-2
gitBranch: ${git:branch}
plugins:
- serverless-plugin-git-variables
provider:
name: aws
runtime: nodejs12.x
lambdaHashingVersion: '20201221'
stage: ${self:custom.gitBranch}
region: ${opt:region, self:custom.defaultRegion}
apiGateway:
shouldStartNameWithService: true
environment:
USERS_TABLE: ${self:custom.tableName}
iam:
role:
statements:
- Effect: Allow
Action:
- dynamodb:Scan
- dynamodb:Query
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:GetItem
Resource:
- "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}"
- "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}/index/sk-pk-index"
functions:
signup-api:
handler: handler.handler
events:
- http: ANY /
- http: 'ANY /{proxy+}'
resources:
Resources:
surveysTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: ${self:provider.environment.USERS_TABLE}
AttributeDefinitions:
- AttributeName: pk
AttributeType: S
- AttributeName: sk
AttributeType: S
KeySchema:
- AttributeName: pk
KeyType: HASH
- AttributeName: sk
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
GlobalSecondaryIndexes:
- IndexName: sk-pk-index
KeySchema:
- AttributeName: sk
KeyType: HASH
- AttributeName: pk
KeyType: RANGE
Projection:
ProjectionType: ALL
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
以下是 lambda 尝试写入 dynamo 的方式:
module.exports.create = async function(body) {
const user_id = uuidv4
const profile_data = body['profile']
const putParams = {
TableName: tableName,
Item: {
'pk': 'USER#' + user_id,
'sk': 'PROFILE#' + user_id,
'profile_data': profile_data
}
}
try {
await dynamodb.put(putParams).promise()
return putParams.Item
} catch (error) {
console.log(error)
throw new Error(error)
}
}
在 lambda IAM 中,它看起来确实拥有所有权限:
但是当 运行 函数时出现此错误:
{
"errorType": "Runtime.UnhandledPromiseRejection",
"errorMessage": "Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
"reason": {
"errorType": "Error",
"errorMessage": "AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
"stack": [
"Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
" at Object.module.exports.create (/var/task/entities/users.js:27:15)",
" at processTicksAndRejections (internal/process/task_queues.js:97:5)"
]
},
"promise": {},
"stack": [
"Runtime.UnhandledPromiseRejection: Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
" at process.<anonymous> (/var/runtime/index.js:35:15)",
" at process.emit (events.js:314:20)",
" at process.EventEmitter.emit (domain.js:483:12)",
" at processPromiseRejections (internal/process/promises.js:209:33)",
" at processTicksAndRejections (internal/process/task_queues.js:98:32)"
]
}
策略适用于 eu-west-2
,但您尝试访问的资源位于 us-east-1
。
我有一个简单的 Node lambda 尝试使用无服务器框架将一些数据写入 DynamoDB table。
这是我的 serverless.yml:
frameworkVersion: '2'
custom:
tableName: 'users-table-${self:provider.stage}'
defaultRegion: eu-west-2
gitBranch: ${git:branch}
plugins:
- serverless-plugin-git-variables
provider:
name: aws
runtime: nodejs12.x
lambdaHashingVersion: '20201221'
stage: ${self:custom.gitBranch}
region: ${opt:region, self:custom.defaultRegion}
apiGateway:
shouldStartNameWithService: true
environment:
USERS_TABLE: ${self:custom.tableName}
iam:
role:
statements:
- Effect: Allow
Action:
- dynamodb:Scan
- dynamodb:Query
- dynamodb:PutItem
- dynamodb:UpdateItem
- dynamodb:GetItem
Resource:
- "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}"
- "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.USERS_TABLE}/index/sk-pk-index"
functions:
signup-api:
handler: handler.handler
events:
- http: ANY /
- http: 'ANY /{proxy+}'
resources:
Resources:
surveysTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: ${self:provider.environment.USERS_TABLE}
AttributeDefinitions:
- AttributeName: pk
AttributeType: S
- AttributeName: sk
AttributeType: S
KeySchema:
- AttributeName: pk
KeyType: HASH
- AttributeName: sk
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
GlobalSecondaryIndexes:
- IndexName: sk-pk-index
KeySchema:
- AttributeName: sk
KeyType: HASH
- AttributeName: pk
KeyType: RANGE
Projection:
ProjectionType: ALL
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1
以下是 lambda 尝试写入 dynamo 的方式:
module.exports.create = async function(body) {
const user_id = uuidv4
const profile_data = body['profile']
const putParams = {
TableName: tableName,
Item: {
'pk': 'USER#' + user_id,
'sk': 'PROFILE#' + user_id,
'profile_data': profile_data
}
}
try {
await dynamodb.put(putParams).promise()
return putParams.Item
} catch (error) {
console.log(error)
throw new Error(error)
}
}
在 lambda IAM 中,它看起来确实拥有所有权限:
但是当 运行 函数时出现此错误:
{
"errorType": "Runtime.UnhandledPromiseRejection",
"errorMessage": "Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
"reason": {
"errorType": "Error",
"errorMessage": "AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
"stack": [
"Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
" at Object.module.exports.create (/var/task/entities/users.js:27:15)",
" at processTicksAndRejections (internal/process/task_queues.js:97:5)"
]
},
"promise": {},
"stack": [
"Runtime.UnhandledPromiseRejection: Error: AccessDeniedException: User: arn:aws:sts::435300076014:assumed-role/webapp-signup-development-eu-west-2-lambdaRole/webapp-signup-development-signup-api is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:435300076014:table/users-table-development",
" at process.<anonymous> (/var/runtime/index.js:35:15)",
" at process.emit (events.js:314:20)",
" at process.EventEmitter.emit (domain.js:483:12)",
" at processPromiseRejections (internal/process/promises.js:209:33)",
" at processTicksAndRejections (internal/process/task_queues.js:98:32)"
]
}
策略适用于 eu-west-2
,但您尝试访问的资源位于 us-east-1
。