I am using SAM to define a DynamoDB table as such:
#DynamoTables
DevicesTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: devices
    AttributeDefinitions:
      -
        AttributeName: "id"
        AttributeType: "S"
      -
        AttributeName: "customerId"
        AttributeType: "S"
    KeySchema:
      -
        AttributeName: "id"
        KeyType: "HASH"
      -
        AttributeName: "customerId"
        KeyType: "RANGE"
    GlobalSecondaryIndexes:
      -
        IndexName: "customers"
        KeySchema:
          -
            AttributeName: "customerId"
            KeyType: "HASH"
        Projection:
          ProjectionType: "ALL"
        ProvisionedThroughput:
          ReadCapacityUnits: "5"
          WriteCapacityUnits: "5"
    ProvisionedThroughput:
      ReadCapacityUnits: "5"
      WriteCapacityUnits: "5"
I am able to access the table using a Lambda function with Properties: Policies: AmazonDynamoDBFullAccess defined in SAM and defining the put params using the TableName: 'devices' in Node. However, when I attempt to query the index by defining the query on an index as such:
params = {
  TableName: 'devices',
  IndexName: 'customers'
  // ...
}
I get an error stating the lambda function does not have permissions to access that index:
AccessDeniedException: User: User: arn:aws:sts:::assumed-role/CodeStarWorker-Lambda/awscodestar-lambda-DeviceFunction is not authorized to perform: dynamodb:Query on resource: TABLEURL/devices/index/customers
Anyone know a way I can grant this access or work around this to query the index?
UPDATE:
I don't think the AmazonDynamoDBFullAccess policy is affecting things: when I removed it from the template.yml I was still able to put to the table and still unable to query on the index. Do I have to manually add roles?
Global secondary index—An index with a partition key and a sort key that can be different from those on the base table. A global secondary index is considered "global" because queries on the index can span all of the data in the base table, across all partitions.
In a DynamoDB table, each key value must be unique. However, the key values in a global secondary index do not need to be unique.
To add a global secondary index to an existing table, use the UpdateTable operation with the GlobalSecondaryIndexUpdates parameter. You must provide the following: An index name. The name must be unique among all the indexes on the table.
If the value of a global secondary index key attribute is null or empty, it is better to just skip the attribute when writing it. Because global secondary indexes are stored separately, if you skip writing null or empty attributes they are not projected to the global secondary index, saving storage and write cost.
Your lambda has access to TABLEURL/devices but not to TABLEURL/devices/index/customers.
Here is an example from the AWS docs on how to allow access to all indexes of a db.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessAllIndexesOnBooks",
      "Effect": "Allow",
      "Action": [
        "dynamodb:*"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-2:123456789012:table/Books",
        "arn:aws:dynamodb:us-west-2:123456789012:table/Books/index/*"
      ]
    }
  ]
}
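Added example (not part of the original answer or the AWS docs): a simplified policy matcher that shows why a statement scoped to the table ARN does not cover the index ARN, and how listing `table/devices/index/*` with only the actions the function uses closes the gap. The account id, region, both sample policies and the helper names are constructed for illustration; explicit Deny, Condition and policy variables are not modelled.

```javascript
// Simplified IAM check: Allow statements only, '*' and '?' wildcards.
// Not modelled: explicit Deny, Condition, NotAction/NotResource, policy variables.
const toArray = (v) => (Array.isArray(v) ? v : [v]);

function globToRegExp(pattern, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', flags);
}

function isAllowed(policy, action, resourceArn) {
  return toArray(policy.Statement).some((stmt) =>
    stmt.Effect === 'Allow' &&
    // IAM action names are case-insensitive; resource ARNs are matched as written.
    toArray(stmt.Action).some((a) => globToRegExp(a, 'i').test(action)) &&
    toArray(stmt.Resource).some((r) => globToRegExp(r).test(resourceArn)));
}

// Constructed sample ARNs (placeholder account id and region).
const TABLE = 'arn:aws:dynamodb:us-west-2:123456789012:table/devices';
const INDEX = TABLE + '/index/customers';
const ACTIONS = ['dynamodb:PutItem', 'dynamodb:Query'];

// Before: the table ARN alone. A GSI is a separate resource, so Query on it fails.
const tableOnly = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ACTIONS, Resource: TABLE }],
};

// After: the same two actions, with the table's indexes listed explicitly.
const tableAndIndexes = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ACTIONS, Resource: [TABLE, TABLE + '/index/*'] }],
};

function report(policy) {
  return {
    putTable: isAllowed(policy, 'dynamodb:PutItem', TABLE),
    queryIndex: isAllowed(policy, 'dynamodb:Query', INDEX),
    deleteTable: isAllowed(policy, 'dynamodb:DeleteItem', TABLE),
  };
}

console.log('table only      ', report(tableOnly));
console.log('table + indexes ', report(tableAndIndexes));
```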