使用用 Python 编写的 lambda 函数在 DynamoDB 中创建 table 需要什么权限?
What permissions are needed to create a table in DynamoDB using a lambda function written in Python?
我目前正在尝试创建一个需要能够在 DynamoDB 中动态创建表的 API,每当我尝试测试它时都会收到此错误。
目前,分配给此函数的角色使用的是 lambda 的基本执行角色,并附加了对 DynamoDB 的完全访问权限。是否是因为缺少某个角色(权限)才导致此错误,还是完全另有原因?
错误:
{
"errorMessage": "An error occurred (AccessDeniedException) when calling the CreateTable operation: User: arn:aws:sts::**[myacctnumber]**:assumed-role/lambdaRole/myTest is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-2:**[myacctnumber]**:table/192.168.200.0/24",
"errorType": "ClientError",
"stackTrace": [
" File \"/var/task/reqTest.py\", line 63, in main\n table = db.create_table(\n",
" File \"/var/runtime/boto3/resources/factory.py\", line 520, in do_action\n response = action(self, *args, **kwargs)\n",
" File \"/var/runtime/boto3/resources/action.py\", line 83, in __call__\n response = getattr(parent.meta.client, operation_name)(*args, **params)\n",
" File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 676, in _make_api_call\n raise error_class(parsed_response, operation_name)\n"
]
}
程序:
import json, boto3, ipaddress, requests, sys, meraki, os
from ipaddress import IPv4Network
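def main(event, context):
    """Handle an API Gateway proxy request; on GET, create the table for a fixed CIDR.

    Args:
        event: API Gateway proxy event dict; only ``httpMethod`` is read.
        context: Lambda context object (unused).

    Returns:
        An API Gateway proxy response dict (``statusCode`` + ``body``).
        Non-GET requests get a 405 instead of falling off the end of the
        function, which returned ``None`` (a malformed proxy response).

    Raises:
        botocore.exceptions.ClientError: anything ``create_table`` raises other
        than ResourceInUseException, e.g. AccessDeniedException when the
        execution role lacks ``dynamodb:CreateTable`` on the table's ARN.
    """
    # Reject unsupported methods before touching AWS at all.
    if event.get('httpMethod') != 'GET':
        return {
            'statusCode': 405,
            'body': 'method not allowed'
        }

    # NOTE(review): ``region`` is not defined anywhere in the visible part of
    # this file - confirm it is a module-level global (Lambda also provides the
    # current region as os.environ['AWS_REGION']).
    db = boto3.resource('dynamodb', region)

    # A CIDR such as '192.168.200.0/24' cannot be used as a table name: DynamoDB
    # names allow only letters, digits, '_', '-' and '.', so the '/' must go.
    name = _table_name_for_cidr('192.168.200.0/24')

    # Least privilege: the execution role only needs ``dynamodb:CreateTable``
    # on arn:aws:dynamodb:<region>:<account>:table/<name> (a Resource scoped to
    # the tables this function creates is enough); full DynamoDB access is not
    # required for this call.
    try:
        db.create_table(
            TableName=name,
            KeySchema=[
                {
                    'AttributeName': 'CIDR',
                    'KeyType': 'HASH'  # Partition key
                },
                {
                    'AttributeName': 'availability',
                    'KeyType': 'RANGE'  # Sort key
                }
            ],
            AttributeDefinitions=[
                {
                    'AttributeName': 'CIDR',
                    'AttributeType': 'S'
                },
                {
                    'AttributeName': 'availability',
                    'AttributeType': 'S'
                },
            ],
            ProvisionedThroughput={
                'ReadCapacityUnits': 10,
                'WriteCapacityUnits': 10
            }
        )
    except db.meta.client.exceptions.ResourceInUseException:
        # The hard-coded table already exists; every GET after the first one
        # would otherwise fail with an unhandled exception (API Gateway
        # surfaces that as a 502).
        return {
            'statusCode': 409,
            'body': 'table already exists'
        }

    return {
        'statusCode': 200,
        'body': 'success'
    }


def _table_name_for_cidr(cidr):
    """Return a DynamoDB-legal table name for *cidr*, e.g. '192.168.200.0/24' -> '192.168.200.0_24'.

    ``IPv4Network`` validates the input first (``ValueError`` for a malformed
    network); the '/' separator, which is not allowed in table names, is
    then replaced by '_'.
    """
    network = IPv4Network(cidr)
    return '{}_{}'.format(network.network_address, network.prefixlen)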
我在各种文档中找到了这个示例代码,并将其用作基础,但文档从未提及 lambda 应该具有哪些权限才能正确执行这些调用:
# boto3 reference shape of DynamoDB CreateTable, copied from the API docs. It is
# documentation notation rather than runnable code: 'A'|'B' lists the allowed
# values (pass exactly one), and 'string' / 123 / True|False are placeholders.
# AttributeDefinitions, TableName and KeySchema are mandatory; the remaining
# arguments are optional. None of this changes the IAM side: the caller still
# needs dynamodb:CreateTable on the table's ARN.
table = dynamodb.create_table(
    AttributeDefinitions=[
        {
            'AttributeName': 'string',
            'AttributeType': 'S'|'N'|'B'  # string, number or binary
        },
    ],
    # Only letters, digits, '_', '-' and '.' are permitted (3-255 characters).
    TableName='string',
    KeySchema=[
        {
            'AttributeName': 'string',
            'KeyType': 'HASH'|'RANGE'  # partition key or sort key
        },
    ],
    LocalSecondaryIndexes=[
        {
            'IndexName': 'string',
            'KeySchema': [
                {
                    'AttributeName': 'string',
                    'KeyType': 'HASH'|'RANGE'
                },
            ],
            'Projection': {
                'ProjectionType': 'ALL'|'KEYS_ONLY'|'INCLUDE',
                'NonKeyAttributes': [  # only meaningful with 'INCLUDE'
                    'string',
                ]
            }
        },
    ],
    GlobalSecondaryIndexes=[
        {
            'IndexName': 'string',
            'KeySchema': [
                {
                    'AttributeName': 'string',
                    'KeyType': 'HASH'|'RANGE'
                },
            ],
            'Projection': {
                'ProjectionType': 'ALL'|'KEYS_ONLY'|'INCLUDE',
                'NonKeyAttributes': [
                    'string',
                ]
            },
            # A GSI has its own capacity settings in PROVISIONED mode.
            'ProvisionedThroughput': {
                'ReadCapacityUnits': 123,
                'WriteCapacityUnits': 123
            }
        },
    ],
    # ProvisionedThroughput is required unless BillingMode is 'PAY_PER_REQUEST'.
    BillingMode='PROVISIONED'|'PAY_PER_REQUEST',
    ProvisionedThroughput={
        'ReadCapacityUnits': 123,
        'WriteCapacityUnits': 123
    },
    StreamSpecification={
        'StreamEnabled': True|False,
        'StreamViewType': 'NEW_IMAGE'|'OLD_IMAGE'|'NEW_AND_OLD_IMAGES'|'KEYS_ONLY'
    },
    # Encryption at rest: DynamoDB always encrypts tables; this block selects
    # which key is used. A customer-managed KMSMasterKeyId also requires the
    # caller to be allowed to use that key (presumably KMS permissions on the
    # role - check the DynamoDB/KMS docs for the exact actions).
    SSESpecification={
        'Enabled': True|False,
        'SSEType': 'AES256'|'KMS',
        'KMSMasterKeyId': 'string'
    },
    # Tags show up in cost reports and can drive tag-based IAM conditions.
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
您在调用 CreateTable 时错误地将 CIDR 192.168.200.0/24 指定为 table 名称。这不是一个有效的 table 名称:DynamoDB 表名只能包含字母、数字、下划线、连字符和点,其中的 “/” 是不允许的。
我目前正在尝试创建一个需要能够在 DynamoDB 中动态创建表的 API,每当我尝试测试它时都会收到此错误。
目前,分配给此函数的角色使用的是 lambda 的基本执行角色,并附加了对 DynamoDB 的完全访问权限。是否是因为缺少某个角色(权限)才导致此错误,还是完全另有原因?
错误:
{
"errorMessage": "An error occurred (AccessDeniedException) when calling the CreateTable operation: User: arn:aws:sts::**[myacctnumber]**:assumed-role/lambdaRole/myTest is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-2:**[myacctnumber]**:table/192.168.200.0/24",
"errorType": "ClientError",
"stackTrace": [
" File \"/var/task/reqTest.py\", line 63, in main\n table = db.create_table(\n",
" File \"/var/runtime/boto3/resources/factory.py\", line 520, in do_action\n response = action(self, *args, **kwargs)\n",
" File \"/var/runtime/boto3/resources/action.py\", line 83, in __call__\n response = getattr(parent.meta.client, operation_name)(*args, **params)\n",
" File \"/var/runtime/botocore/client.py\", line 357, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 676, in _make_api_call\n raise error_class(parsed_response, operation_name)\n"
]
}
程序:
import json, boto3, ipaddress, requests, sys, meraki, os
from ipaddress import IPv4Network
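def main(event, context):
    """Handle an API Gateway proxy request; on GET, create the table for a fixed CIDR.

    Args:
        event: API Gateway proxy event dict; only ``httpMethod`` is read.
        context: Lambda context object (unused).

    Returns:
        An API Gateway proxy response dict (``statusCode`` + ``body``).
        Non-GET requests get a 405 instead of falling off the end of the
        function, which returned ``None`` (a malformed proxy response).

    Raises:
        botocore.exceptions.ClientError: anything ``create_table`` raises other
        than ResourceInUseException, e.g. AccessDeniedException when the
        execution role lacks ``dynamodb:CreateTable`` on the table's ARN.
    """
    # Reject unsupported methods before touching AWS at all.
    if event.get('httpMethod') != 'GET':
        return {
            'statusCode': 405,
            'body': 'method not allowed'
        }

    # NOTE(review): ``region`` is not defined anywhere in the visible part of
    # this file - confirm it is a module-level global (Lambda also provides the
    # current region as os.environ['AWS_REGION']).
    db = boto3.resource('dynamodb', region)

    # A CIDR such as '192.168.200.0/24' cannot be used as a table name: DynamoDB
    # names allow only letters, digits, '_', '-' and '.', so the '/' must go.
    name = _table_name_for_cidr('192.168.200.0/24')

    # Least privilege: the execution role only needs ``dynamodb:CreateTable``
    # on arn:aws:dynamodb:<region>:<account>:table/<name> (a Resource scoped to
    # the tables this function creates is enough); full DynamoDB access is not
    # required for this call.
    try:
        db.create_table(
            TableName=name,
            KeySchema=[
                {
                    'AttributeName': 'CIDR',
                    'KeyType': 'HASH'  # Partition key
                },
                {
                    'AttributeName': 'availability',
                    'KeyType': 'RANGE'  # Sort key
                }
            ],
            AttributeDefinitions=[
                {
                    'AttributeName': 'CIDR',
                    'AttributeType': 'S'
                },
                {
                    'AttributeName': 'availability',
                    'AttributeType': 'S'
                },
            ],
            ProvisionedThroughput={
                'ReadCapacityUnits': 10,
                'WriteCapacityUnits': 10
            }
        )
    except db.meta.client.exceptions.ResourceInUseException:
        # The hard-coded table already exists; every GET after the first one
        # would otherwise fail with an unhandled exception (API Gateway
        # surfaces that as a 502).
        return {
            'statusCode': 409,
            'body': 'table already exists'
        }

    return {
        'statusCode': 200,
        'body': 'success'
    }


def _table_name_for_cidr(cidr):
    """Return a DynamoDB-legal table name for *cidr*, e.g. '192.168.200.0/24' -> '192.168.200.0_24'.

    ``IPv4Network`` validates the input first (``ValueError`` for a malformed
    network); the '/' separator, which is not allowed in table names, is
    then replaced by '_'.
    """
    network = IPv4Network(cidr)
    return '{}_{}'.format(network.network_address, network.prefixlen)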
我在各种文档中找到了这个示例代码,并将其用作基础,但文档从未提及 lambda 应该具有哪些权限才能正确执行这些调用:
# boto3 reference shape of DynamoDB CreateTable, copied from the API docs. It is
# documentation notation rather than runnable code: 'A'|'B' lists the allowed
# values (pass exactly one), and 'string' / 123 / True|False are placeholders.
# AttributeDefinitions, TableName and KeySchema are mandatory; the remaining
# arguments are optional. None of this changes the IAM side: the caller still
# needs dynamodb:CreateTable on the table's ARN.
table = dynamodb.create_table(
    AttributeDefinitions=[
        {
            'AttributeName': 'string',
            'AttributeType': 'S'|'N'|'B'  # string, number or binary
        },
    ],
    # Only letters, digits, '_', '-' and '.' are permitted (3-255 characters).
    TableName='string',
    KeySchema=[
        {
            'AttributeName': 'string',
            'KeyType': 'HASH'|'RANGE'  # partition key or sort key
        },
    ],
    LocalSecondaryIndexes=[
        {
            'IndexName': 'string',
            'KeySchema': [
                {
                    'AttributeName': 'string',
                    'KeyType': 'HASH'|'RANGE'
                },
            ],
            'Projection': {
                'ProjectionType': 'ALL'|'KEYS_ONLY'|'INCLUDE',
                'NonKeyAttributes': [  # only meaningful with 'INCLUDE'
                    'string',
                ]
            }
        },
    ],
    GlobalSecondaryIndexes=[
        {
            'IndexName': 'string',
            'KeySchema': [
                {
                    'AttributeName': 'string',
                    'KeyType': 'HASH'|'RANGE'
                },
            ],
            'Projection': {
                'ProjectionType': 'ALL'|'KEYS_ONLY'|'INCLUDE',
                'NonKeyAttributes': [
                    'string',
                ]
            },
            # A GSI has its own capacity settings in PROVISIONED mode.
            'ProvisionedThroughput': {
                'ReadCapacityUnits': 123,
                'WriteCapacityUnits': 123
            }
        },
    ],
    # ProvisionedThroughput is required unless BillingMode is 'PAY_PER_REQUEST'.
    BillingMode='PROVISIONED'|'PAY_PER_REQUEST',
    ProvisionedThroughput={
        'ReadCapacityUnits': 123,
        'WriteCapacityUnits': 123
    },
    StreamSpecification={
        'StreamEnabled': True|False,
        'StreamViewType': 'NEW_IMAGE'|'OLD_IMAGE'|'NEW_AND_OLD_IMAGES'|'KEYS_ONLY'
    },
    # Encryption at rest: DynamoDB always encrypts tables; this block selects
    # which key is used. A customer-managed KMSMasterKeyId also requires the
    # caller to be allowed to use that key (presumably KMS permissions on the
    # role - check the DynamoDB/KMS docs for the exact actions).
    SSESpecification={
        'Enabled': True|False,
        'SSEType': 'AES256'|'KMS',
        'KMSMasterKeyId': 'string'
    },
    # Tags show up in cost reports and can drive tag-based IAM conditions.
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
您在调用 CreateTable 时错误地将 CIDR 192.168.200.0/24 指定为 table 名称。这不是一个有效的 table 名称:DynamoDB 表名只能包含字母、数字、下划线、连字符和点,其中的 “/” 是不允许的。