InvalidParameterValueException:无法访问流
InvalidParameterValueException: Cannot access stream
我正在尝试使用 Terraform 创建 dynamodb table 和 lambda 触发器。这就是我定义 table、角色策略和 lambda 触发器的方式:
resource "aws_dynamodb_table" "filenames" {
name = local.dynamodb_table_filenames
billing_mode = "PROVISIONED"
read_capacity = 1000
write_capacity = 1000
hash_key = "filename"
stream_enabled = true
stream_view_type = "NEW_IMAGE"
#range_key = ""
attribute {
name = "filename"
type = "S"
}
tags = var.tags
}
resource "aws_iam_role_policy" "dynamodb_policy" {
policy = jsonencode(
{
Version: "2012-10-17",
Statement: [
{
Action: [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:Query",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:DescribeStream",
"dynamodb:ListShards",
"dynamodb:ListStreams",
],
Effect: "Allow",
Resource: aws_dynamodb_table.filenames.arn
}
]
}
)
role = aws_iam_role.processing_lambda_role.id
}
resource "aws_lambda_event_source_mapping" "allow_dynamodb_table_to_trigger_lambda" {
event_source_arn = aws_dynamodb_table.filenames.stream_arn
function_name = aws_lambda_function.trigger_stepfunction_lambda.arn
starting_position = "LATEST"
}
即使我已经在角色中添加了相关策略,我仍然收到此错误:
error creating Lambda Event Source Mapping (arn:aws:dynamodb:eu-central-12:table/tablename/stream): InvalidParameterValueException: Cannot access stream arn:aws:dynamodb:eu-central-1:299093934558:table/4tablename/stream. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions on your stream in IAM.
我该如何解决这个问题?
流操作适用于流,不适用于表。流的 ARN 的 form 为:
arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel}
因此,您应该使用(或等效的东西):
Resource: "${aws_dynamodb_table.filenames.arn}/stream/*"
或更一般:
Resource: "${aws_dynamodb_table.filenames.arn}/*"
我正在尝试使用 Terraform 创建 dynamodb table 和 lambda 触发器。这就是我定义 table、角色策略和 lambda 触发器的方式:
resource "aws_dynamodb_table" "filenames" {
name = local.dynamodb_table_filenames
billing_mode = "PROVISIONED"
read_capacity = 1000
write_capacity = 1000
hash_key = "filename"
stream_enabled = true
stream_view_type = "NEW_IMAGE"
#range_key = ""
attribute {
name = "filename"
type = "S"
}
tags = var.tags
}
resource "aws_iam_role_policy" "dynamodb_policy" {
policy = jsonencode(
{
Version: "2012-10-17",
Statement: [
{
Action: [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:Query",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:DescribeStream",
"dynamodb:ListShards",
"dynamodb:ListStreams",
],
Effect: "Allow",
Resource: aws_dynamodb_table.filenames.arn
}
]
}
)
role = aws_iam_role.processing_lambda_role.id
}
resource "aws_lambda_event_source_mapping" "allow_dynamodb_table_to_trigger_lambda" {
event_source_arn = aws_dynamodb_table.filenames.stream_arn
function_name = aws_lambda_function.trigger_stepfunction_lambda.arn
starting_position = "LATEST"
}
即使我已经在角色中添加了相关策略,我仍然收到此错误:
error creating Lambda Event Source Mapping (arn:aws:dynamodb:eu-central-12:table/tablename/stream): InvalidParameterValueException: Cannot access stream arn:aws:dynamodb:eu-central-1:299093934558:table/4tablename/stream. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions on your stream in IAM.
我该如何解决这个问题?
流操作适用于流,不适用于表。流的 ARN 的 form 为:
arn:${Partition}:dynamodb:${Region}:${Account}:table/${TableName}/stream/${StreamLabel}
因此,您应该使用(或等效的东西):
Resource: "${aws_dynamodb_table.filenames.arn}/stream/*"
或更一般:
Resource: "${aws_dynamodb_table.filenames.arn}/*"