0

我收到此错误:

"message": "User: arn:aws:sts::XXXXX:assumed-role/lambda-my-account-dev-us-east-2-lambdaRole/lambda-my-account-dev-my-account is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-2:XXXX:table/dev-app-transactions/index/transactionsByUserId",

我对授予表权限感到困惑。在serverless.yml我有:

service: lambda-my-account
provider:
  name: aws
  runtime: nodejs12.x
  region: ${opt:region, 'us-east-2'}
  stage: ${opt:stage, 'dev'}
  tags:
    datadog: ${self:provider.stage}
  environment:
    // some enviroments
  iamRoleStatements:
    - Effect: Allow
      Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
      Resource: "arn:aws:logs:*:*:*"
    - Effect: Allow
      Action:
        - dynamodb:Query
      Resource:
        - "arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}"

// rest of file

为什么我会收到这个错误?

有没有resources我没有配置的?我认为问题出在我的那个表的索引上。我是在 AWS 控制台上手动完成的,但我不确定是否也需要在serverless.yml文件中进行配置。

在此处输入图像描述

4

1 回答 1

0

您还需要授予您的角色dynamodb:Query对索引本身的权限。您可以添加如下资源语句:

"arn:aws:dynamodb:${self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE_TRANSACTIONS}/index/transactionsByUserId"到该iamRoleStatements部分。

于 2020-09-08T12:44:41.173 回答