Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AmazonServiceException: User is not authorized to perform: dynamodb:DescribeTable Status Code: 400; Error Code: AccessDeniedException

I had originally thought that this issue was due to mismatching regions, but after changing the region, I'm still coming across the following error when trying out an Amazon AWS sample found here:

DynamoDBMapper

 AmazonServiceException: User: arn:aws:sts::[My Account
 ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession
 is not authorized to perform: dynamodb:DescribeTable on resource:
 arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service:
 AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;
 Request ID: BBFTS0Q8UHTMG120IORC2KSASVVV4KQNSO5AEMVJF66Q9ASUAAJG)

Everything is more or less the same, the only things I've changed have been changing the DBclient region to US_EAST_1, where my test table is hosted and modifying the Constants file using the info from the 'Amazon Cognito Starter Code' page that is generated through following the Cognito get started documentation.

sdkforandroid-cognito-auth

For my Cognito_AndroidAppUnauth_DefaultRole role policy I modified the default mobile analytics and sync service permission to also include access of all actions on all tables, existing or not:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CognitoPolicy",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DynamoDBPolicy",
            "Effect": "Allow",
            "Action": [
                "dynamodb: *"
            ],
            "Resource": "*"
        }
    ]
}

So why is it claiming that it doesn't have permission when the correct region is used and the Unauth policy should allow for table access?

EDIT: Stacktrace when calling a method on the DynamoDB resource (create table), should it prove useful

   com.amazonaws.AmazonServiceException: User: arn:aws:sts::[My Account ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: SDELNSMLO10EV7CM2STC1R9RU3VV4KQNSO5AEMVJF66Q9ASUAAJG)
            at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(Unknown Source)
            at com.amazonaws.http.AmazonHttpClient.executeHelper(Unknown Source)
            at com.amazonaws.http.AmazonHttpClient.execute(Unknown Source)
            at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke(Unknown Source)
            at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.createTable(Unknown Source)
            at com.amazonaws.demo.userpreferencesom.DynamoDBManager.createTable(DynamoDBManager.java:72)
            at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:99)
            at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:85)
            at android.os.AsyncTask$2.call(AsyncTask.java:288)
            at java.util.concurrent.FutureTask.run(FutureTask.java:237)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
            at java.lang.Thread.run(Thread.java:841)
like image 747
Kurt Wagner Avatar asked Jul 15 '14 18:07

Kurt Wagner


1 Answers

Worked with an Amazon engineer and it turns out the problem was in the policy configuration:

"dynamodb: *"

should be

"dynamodb:*"

It's amazing what a space can do.

like image 111
Kurt Wagner Avatar answered Oct 20 '22 01:10

Kurt Wagner