AWS Codestar - DynamoDB Not Authorized - amazon-web-services

I have a codestar project that calls a python lambda function. This function tries to put an item into the DynamoDB. I am getting the following error:
"errorMessage": "An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::13556632xxxx:assumed-role/CodeStar-split-lambda-Execution/awscodestar-split-lambda-lambda-CreateUser-RBA73BJH7NHY is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:1355663xxxx:table/split-users"
}
I included the AmazonDynamoDBFullAccess, AWSLambdaBasicExecutionRole, and AWSLambdaInvocation-DynamoDB policies on the CodeStar-split-lambda-Execution role, and I am still getting the error.
I also made my own policy and tried it too.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:13556632xxxx:table/split-users"
            ]
        }
    ]
}
How can I get dynamoDB to have authorization to put an item?

Related

Invoke specific lambda function

I have multiple users and Lambda functions in my AWS account, for example user1, user2, user3 and user4, and the Lambda functions have the same names as the users.
I have created the following policy to invoke the Lambda function, but I am getting the following error:
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:111111111111:function:${aws.username}"
        },
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:role/lambda_role",
                "arn:aws:lambda:us-west-2:111111111111:function:*"
            ]
        }
    ]
}
I can create the function without any issue but when I try to invoke the Lambda function, I am getting an error message. However, the policy is attached to the user account.
An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:iam:: 111111111111:user/user1 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2: 111111111111:function:user1 because no identity-based policy allows the lambda:InvokeFunction action

Error while accessing the Parameter Store strings from AWS lambda function

I am using the Parameter Store from AWS to store String parameter values.
I am using the following code while fetching the Params from the Lambda function:
// aws-sdk v2: this module exports the SSM client class, so it must be instantiated before use
const SSM = require('aws-sdk/clients/ssm');
const ssm = new SSM();

// Fetch /<prefix>/config from Parameter Store and parse its value as JSON
const getConfig = (prefix) => {
    return ssm.getParameter({ Name: `/${prefix}/config` }).promise()
        .then(resp => JSON.parse(resp.Parameter.Value))
        .catch(err => console.error(err));
};
But I am constantly getting the following error while running the Lambda from the AWS Console:
ERROR AccessDeniedException: User: arn:aws:sts::XXX:assumed-role/lambdaExecutionRole is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXX:parameter/get/getValue
I tried to add the Administrator access to the role: lambdaExecutionRole, but now getting this error:
ERROR SyntaxError: Unexpected token h in JSON at position 0
at JSON.parse (<anonymous>)
at /var/task/myFile.js:2:955529
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Runtime.e.handler (/var/task/myFile.js:2:1065241)
I have even tried to add the ssm permissions following this doc:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "GetParam1",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "ssm:GetParameter",
            "Resource": "*"
        }
    ]
}
- An error occurred: AssumeRole policy may only specify STS AssumeRole actions.
- An error occurred: Has prohibited field Resource
Any Idea what I might be missing here? Thanks in advance.
ERROR SyntaxError: Unexpected token h in JSON at position 0
when you add Administrator permissions, this tells you that the information you are getting from the Parameter Store and eventually passing to JSON.parse via resp.Parameter.Value is not proper.
Your policy is wrong as well: you are mixing an IAM policy with a trust policy. They should be defined separately.
Roles terms and concepts
Trust Policy for your lambda IAM Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
IAM policy for the Lambda IAM role to allow access to SSM Parameter Store
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetParam1",
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "*"
        }
    ]
}
That's the reason for these errors:
An error occurred: AssumeRole policy may only specify STS AssumeRole actions.
An error occurred: Has prohibited field Resource
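A small Python linter, added here as an example and not taken from the answer or from AWS tooling, that makes the distinction in the answer mechanical: it checks a document against the shape of a role trust policy (Principal present, only sts:AssumeRole actions, no Resource) and against the shape of an identity-based permissions policy (no Principal, Resource present), and splits a mixed document into the two files the answer recommends. The function names, the constructed sample document (modelled on the mixed policy in the question) and the simplification that trust-policy actions must start with sts:AssumeRole are all assumptions of this example.

```python
"""Lint an IAM JSON document as a trust policy and as a permissions policy.
Added example; the sample document is constructed to mirror the question's mixed policy."""
import json

# Constructed sample: one trust statement and one permissions statement in the same document
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Sid": "GetParam1",
         "Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "ssm:GetParameter",
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a single string or a list of strings in Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(document):
    """Problems this document would raise if attached as a role's trust policy.
    Simplification (assumption): only actions starting with sts:AssumeRole are accepted."""
    problems = []
    for i, st in enumerate(json.loads(document)["Statement"]):
        if "Principal" not in st:
            problems.append(f"statement {i}: trust policy statement needs a Principal")
        bad = [a for a in _as_list(st.get("Action")) if not a.startswith("sts:AssumeRole")]
        if bad:
            problems.append(f"statement {i}: AssumeRole policy may only specify STS AssumeRole actions (got {bad})")
        if "Resource" in st:
            problems.append(f"statement {i}: Has prohibited field Resource")
    return problems


def lint_permissions_policy(document):
    """Problems this document would raise if attached as an identity-based policy."""
    problems = []
    for i, st in enumerate(json.loads(document)["Statement"]):
        if "Principal" in st:
            problems.append(f"statement {i}: identity-based policy must not contain Principal")
        if not _as_list(st.get("Resource")) and not _as_list(st.get("NotResource")):
            problems.append(f"statement {i}: permissions statement needs Resource (or NotResource)")
    return problems


def split_mixed_policy(document):
    """Split a mixed document into (trust_policy, permissions_policy) JSON strings.
    Statements whose actions are all sts:AssumeRole* become the trust policy (Resource dropped);
    everything else loses its Principal and becomes the permissions policy."""
    doc = json.loads(document)
    trust, perms = [], []
    for st in doc["Statement"]:
        actions = _as_list(st.get("Action"))
        if actions and all(a.startswith("sts:AssumeRole") for a in actions):
            trust.append({k: v for k, v in st.items() if k != "Resource"})
        else:
            perms.append({k: v for k, v in st.items() if k != "Principal"})
    version = doc.get("Version", "2012-10-17")
    return (json.dumps({"Version": version, "Statement": trust}, indent=2),
            json.dumps({"Version": version, "Statement": perms}, indent=2))


if __name__ == "__main__":
    for p in lint_trust_policy(MIXED_POLICY) + lint_permissions_policy(MIXED_POLICY):
        print("mixed document:", p)
    trust_doc, perms_doc = split_mixed_policy(MIXED_POLICY)
    print("trust policy:\n" + trust_doc)
    print("permissions policy:\n" + perms_doc)
```

Run against the mixed document, the trust-policy lint reports exactly the two messages quoted in the question, and the permissions-policy lint flags the Principal fields; after splitting, each half lints clean for its own role.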

AWS cognito access denied exception

I am trying to view an AWS kinesis video stream on a local web page. However, I keep getting this error.
AccessDeniedException: User: arn:aws:sts::XXXXXXXXX:assumed-role/XXXXXXXX/CognitoIdentityCredentials is not authorized to perform: kinesisvideo:GetDataEndpoint on resource: XXXX
Here is the policy used for the associated IAM role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*",
                "kinesisvideo:*",
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
I am using an unauthenticated Cognito role.
I also get a similar exception for sts:assumeRole.
What am I doing wrong?

How to grant Athena query permission to a Lambda function?

I have an AWS Lambda function which queries an Amazon Athena database. But I get a permission error when executing the Lambda function:
An error occurred (AccessDeniedException) when calling the GetQueryExecution operation: User: arn:aws:sts::773592622512:assumed-role/lambda_access-role/reddit_monitor is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:ap-southeast-2:773592622512:workgroup/primary: ClientError
I have created this policy for the Lambda function:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "athena:StartQueryExecution"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${var.athena-bucket}",
                "arn:aws:s3:::${var.athena-bucket}/*"
            ]
        }
    ]
}
I wonder why it still doesn't have permission to query Athena? Have I missed anything here?
You granted athena:StartQueryExecution instead of athena:GetQueryExecution.
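The answer is a one-line diff between the action in the error message and the action in the policy; the Python below, added as an example and not part of any answer on this page, automates that comparison. It parses the "User: ... is not authorized to perform: ... on resource: ..." text that the SDKs print, then checks whether a single identity-based policy document grants that action on that resource using IAM-style wildcard matching (explicit Deny winning over Allow). The function names, the regular expression and the constructed sample policy (the Athena policy from the question with a made-up bucket name in place of the Terraform variable) are assumptions of this example; it evaluates only the one document you pass in, so it does not model SCPs, permission boundaries, resource-based policies or conditions.

```python
"""Parse an AccessDeniedException message and test it against one IAM policy document.
Added example; sample policy and message are constructed from the Athena question."""
import fnmatch
import json
import re

# Shape of the denial text printed by the AWS SDKs. The " on resource: ..." part is
# optional because some services (CloudFront in the last question) omit it.
_DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w-]+)(?: on resource: (?P<resource>\S+))?"
)

# Constructed sample: the question's policy with a placeholder bucket name
ATHENA_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["athena:StartQueryExecution"], "Effect": "Allow", "Resource": "*"},
        {"Action": ["s3:*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::example-athena-bucket", "arn:aws:s3:::example-athena-bucket/*"]},
    ],
})
ATHENA_ERROR = (
    "An error occurred (AccessDeniedException) when calling the GetQueryExecution operation: "
    "User: arn:aws:sts::773592622512:assumed-role/lambda_access-role/reddit_monitor is not "
    "authorized to perform: athena:GetQueryExecution on resource: "
    "arn:aws:athena:ap-southeast-2:773592622512:workgroup/primary: ClientError"
)


def parse_access_denied(message):
    """Extract principal, action and (if present) resource from a denial message, or None."""
    m = _DENIED.search(message)
    if not m:
        return None
    resource = m.group("resource")
    return {
        "principal": m.group("principal"),
        "action": m.group("action"),
        # strip the trailing ':' or '"' that follows the ARN in several SDK formats
        "resource": resource.rstrip(':"') if resource else None,
    }


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def policy_allows(policy_doc, action, resource=None):
    """Return (decision, statement_index): ('Allow', i), ('Deny', i) or (None, None).
    Action names compare case-insensitively, resources exactly; '*' and '?' are wildcards.
    When resource is None (message without one) only the action is matched."""
    decision, which = None, None
    for i, st in enumerate(json.loads(policy_doc)["Statement"]):
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in actions):
            continue
        if resource is not None and not any(
                fnmatch.fnmatchcase(resource, p) for p in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return "Deny", i          # an explicit Deny wins regardless of later Allows
        if decision is None:
            decision, which = "Allow", i
    return decision, which


def explain_denial(policy_doc, message):
    """Say whether the policy covers the denied call; if not, list the statements for the
    same service so the reviewer sees the near miss (StartQueryExecution vs GetQueryExecution)."""
    denied = parse_access_denied(message)
    if denied is None:
        return "could not parse message"
    decision, idx = policy_allows(policy_doc, denied["action"], denied["resource"])
    if decision == "Allow":
        return (f"statement {idx} allows {denied['action']}; the denial comes from "
                f"something this single-document check does not model")
    service = denied["action"].split(":")[0].lower() + ":"
    near = [(i, _as_list(st.get("Action"))) for i, st in enumerate(json.loads(policy_doc)["Statement"])
            if any(a.lower().startswith(service) for a in _as_list(st.get("Action")))]
    return f"no statement allows {denied['action']} on {denied['resource']}; same-service statements: {near}"


if __name__ == "__main__":
    print(explain_denial(ATHENA_POLICY, ATHENA_ERROR))
```

For the Athena message the output names statement 0 with its athena:StartQueryExecution action as the only same-service statement, which is the answer above; adding athena:GetQueryExecution to that statement flips the result to Allow. When a message carries no resource ARN, as the CloudFront one at the bottom of the page does, only the action is checked.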

aws cloudfront permissions

I'm trying to allow a group I defined to have invalidation privileges.
I defined a policy on the group that looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1511787279000",
            "Effect": "Allow",
            "Action": [
                "cloudfront:CreateInvalidation",
                "cloudfront:ListInvalidations"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Ultimately I'd like to lock the resource down to specific CloudFront ARNs, but even at this point it doesn't work. When I use the AWS CLI tool I get
An error occurred (AccessDenied) when calling the CreateInvalidation operation: User: arn:aws:iam::5555555555:user/username is not authorized to perform: cloudfront:CreateInvalidation
What am I doing wrong?