2

I'm using AWS Lambda as root account. but when I try to add dynamo-db as trigger in lambda, AWS said some authority errors occurred.

Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions on your stream in IAM.

I'm using root account, why authority error occurred? I want to use root account

Improve this question

2 Answers 2

Reset to default
1

i'm using root account, why authority error occurred? i want to use root account

Your functions, uses lambda execute role, your IAM user/root permissions do not apply here. You have to updated the execution role with DyndamoDB permissions.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Lambda functions used execution role to access AWS services and resources, this can be set in the lambda creation wizard or in the cloud formation script

Step 1. Role: !GetAtt DeleteAppConfigurationsLambdaRole.Arn . Details [here][1].

example.

Lets create a Dynamodb Table as below by CFN script with stream enabled.

DynamoDBTable:
Type: 'AWS::DynamoDB::Table'
DeletionPolicy: Retain
Properties:
   AttributeDefinitions:
    -
      AttributeName: "id"
      AttributeType: "S"
   KeySchema:
    -
      AttributeName: "id"
      KeyType: "HASH"
   TableName: DynamoDBTable

   SSESpecification:
      SSEEnabled: true

   StreamSpecification:
      StreamViewType: "NEW_AND_OLD_IMAGES"

Then create a lambda execution role which has access to the stream as below,

DynamoDBStreamLambdaRole:
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Statement:
    - Action:
      - sts:AssumeRole
      Effect: Allow
      Principal:
        Service:
        - lambda.amazonaws.com
    Version: '2012-10-17'
  Path: /
  RoleName:  "IAM-ROLE-DynamoDBStreamLambdaRole"
  Policies:
  - PolicyDocument:
      Statement:
      - Action:
        - dynamodb:DescribeStream
        - dynamodb:GetRecords
        - dynamodb:GetShardIterator
        - dynamodb:ListStreams
        Effect: Allow
        Resource: !GetAtt DynamoDBTable.StreamArn

      Version: '2012-10-17'
    PolicyName: "IAM-POLICY-DynamoDBStreamLambdaStreamaccess"
  ManagedPolicyArns:
    - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

Then you can attach this role to the lambda as described in step 1. [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-role

Improve this answer

1 Comment

What makes you think OP uses Cloudformation?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.