I am trying to access DynamoDB via boto3 (Python) in AWS. I installed it on my local machine. As far as I know, when running in AWS it only uses the IAM role for access. But that does not work.
Lambda execution failed with status 200 due to customer function error: An error occurred (AccessDeniedException) when calling the Scan operation:
User: arn:aws:sts::021517822274:assumed-role/CodeStar-tt-api-subjects-Execution/awscodestar-tt-api-subjects-lambda-HelloWorld is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:021517822274:table/tt-subjects.
The same question was posted here:
How to solve "(AccessDeniedException) when calling the Scan operation: User: arn:aws:sts… is not authorized to perform: dynamodb:Scan on resource"?
I applied the suggested AmazonDynamoDBFullAccess policy. I also tried these:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_specific-table.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html
The policy I added myself (in addition) is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAndDescribe",
"Effect": "Allow",
"Action": [
"dynamodb:List*",
"dynamodb:DescribeReservedCapacity*",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTimeToLive"
],
"Resource": "*"
},
{
"Sid": "SpecificTable",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:*:*:table/tt-subjects"
}
]
}
But I still get the same error.
Does it take a long time for these policies to be applied, or what else could cause this?
I have now found the answer. When I created the Lambda with CodeStar, it also created a permissions boundary.
How to solve it:
- Remove the boundary (not recommended)
- Extend the boundary, as follows:
Edit the Lambda's boundary:
- Open the Lambda console
- Go to the Configuration tab
- Under Execution role, open the link to the role
- You are now in the IAM role editor. Scroll down to Permissions boundary
- Copy that name (there is no link)
- Go to the IAM menu, to Policies
- Search for the copied name
- Edit (extend) the policy
For DynamoDB I scrolled down to page 6 (this may differ for you). It is an Allow block with many simple entries and a * as the resource.
So I extended this block with the dynamodb entries. It now looks like this:
...
{
"Sid": "6",
"Effect": "Allow",
"Action": [
"apigateway:GET",
"cloudtrail:CreateTrail",
"cloudtrail:StartLogging",
"ec2:Describe*",
"lambda:ListFunctions",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:PutLogEvents",
"sns:Get*",
"sns:List*",
"sns:Publish",
"sns:Subscribe",
"xray:Put*",
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem",
"dynamodb:List*",
"dynamodb:DescribeReservedCapacity*",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTimeToLive"
],
"Resource": [
"*"
]
},
...
Many thanks to the contributors who helped me!
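Why attaching more policies to the role could not fix the error, as an added example that is not part of the original question or answer: the script below models how IAM evaluates a role's identity policy together with a permissions boundary (the effective permissions are the intersection of the two, and an explicit Deny anywhere wins) and reproduces the denial before the boundary edit and the Allow after it. The identity policy is the "SpecificTable" policy from the question; the boundary documents are constructed, cut-down stand-ins for the CodeStar boundary block before and after the edit, and BOUNDARY_SCOPED is my own tighter alternative that grants the DynamoDB actions only on the table ARN instead of `*`. `boundary_document` is a helper with an assumed name that fetches the real boundary with boto3 and needs AWS credentials; everything else runs offline. Condition elements are ignored.

```python
"""Offline model of how IAM combines a role's identity policy with a permissions
boundary, reproducing the AccessDeniedException from the post without AWS.

Added example, not code from the original question or answer. The identity
policy mirrors the "SpecificTable" policy in the question; the boundary
documents are constructed stand-ins for the CodeStar boundary block before and
after the edit in the answer (the real boundary has many more statements).
Condition elements are ignored.
"""
import re

ACTION = "dynamodb:Scan"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:021517822274:table/tt-subjects"

IDENTITY_POLICY = {  # the policy attached to the role in the question
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SpecificTable", "Effect": "Allow",
        "Action": ["dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable",
                   "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan"],
        "Resource": "arn:aws:dynamodb:*:*:table/tt-subjects",
    }],
}
_COMMON = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "xray:Put*"]
_DDB = ["dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan"]

BOUNDARY_BEFORE = {  # constructed: boundary statement "6" with no dynamodb entries
    "Version": "2012-10-17",
    "Statement": [{"Sid": "6", "Effect": "Allow", "Action": _COMMON, "Resource": ["*"]}],
}
BOUNDARY_AFTER = {  # constructed: the same statement after the answer's edit
    "Version": "2012-10-17",
    "Statement": [{"Sid": "6", "Effect": "Allow",
                   "Action": _COMMON + _DDB + ["dynamodb:PutItem"], "Resource": ["*"]}],
}
BOUNDARY_SCOPED = {  # constructed: tighter alternative, DynamoDB rights only on the one table
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "6", "Effect": "Allow", "Action": _COMMON, "Resource": ["*"]},
        {"Sid": "Table", "Effect": "Allow", "Action": _DDB,
         "Resource": ["arn:aws:dynamodb:*:*:table/tt-subjects"]},
    ],
}


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit'."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if "Action" in stmt:  # action names match case-insensitively
            action_hit = any(_iam_match(p, action, True) for p in _as_list(stmt["Action"]))
        else:
            action_hit = not any(_iam_match(p, action, True) for p in _as_list(stmt["NotAction"]))
        if "Resource" in stmt:
            resource_hit = any(_iam_match(p, resource) for p in _as_list(stmt["Resource"]))
        else:
            resource_hit = not any(_iam_match(p, resource) for p in _as_list(stmt["NotResource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation
            decision = "Allow"
    return decision


def effective(identity_policies, boundary, action, resource):
    """Final decision for a role: an explicit Deny anywhere wins; otherwise the request
    must be allowed by the identity policies AND by the boundary. A boundary that simply
    does not list the action is an implicit deny, which is why attaching
    AmazonDynamoDBFullAccess to the role changed nothing."""
    identity = [evaluate(p, action, resource) for p in identity_policies]
    bound = evaluate(boundary, action, resource) if boundary else "Allow"
    if "Deny" in identity or bound == "Deny":
        return "Deny"
    return "Allow" if "Allow" in identity and bound == "Allow" else "Deny"


def boundary_document(role_name):
    """boto3 equivalent of the console steps in the answer: return the role's permissions
    boundary document, or None if it has none. Needs AWS credentials with iam:GetRole,
    iam:GetPolicy and iam:GetPolicyVersion. Helper name is this example's own."""
    import boto3  # imported here so the offline part of the module runs without it
    iam = boto3.client("iam")
    boundary = iam.get_role(RoleName=role_name)["Role"].get("PermissionsBoundary")
    if not boundary:
        return None
    arn = boundary["PermissionsBoundaryArn"]
    version = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
    return iam.get_policy_version(PolicyArn=arn, VersionId=version)["PolicyVersion"]["Document"]


if __name__ == "__main__":
    for label, boundary in [("no boundary", None), ("before edit", BOUNDARY_BEFORE),
                            ("after edit", BOUNDARY_AFTER), ("scoped", BOUNDARY_SCOPED)]:
        print(f"{label:12s} {ACTION} -> {effective([IDENTITY_POLICY], boundary, ACTION, TABLE_ARN)}")
```

Running the module prints Allow for "no boundary", Deny for "before edit", and Allow for both "after edit" and "scoped". The scoped variant shows that the boundary edit in the answer does not have to use `*` as the resource: listing the table ARN is enough to unblock Scan, and it keeps the boundary from later permitting DynamoDB writes or reads on any other table in the account.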