AWS Lambda即使被授予读写权限,也无法扫描DynamoDB表。

huangapple go评论97阅读模式
英文:

AWS Lambda cannot Scan DyanmoDB table even when granted Read & Write permissions

问题

我的整个解决方案(基础设施代码和实际的 Lambda 函数)都是开源的

基本上,我想要一个 Go Lambda 函数,当调用时,它会查询 DynamoDB 表并获取所有项目。我知道在 DynamoDB 上使用 Scan 方法是危险的(想象一下如果表中有成千上万个项目),但是我知道我的表中只有 3 个项目,而且整个项目对我来说只是 AWS CDK(Go)的练习。

当我使用 cdk deploy --profile personal 部署我的基础设施时,一切都没有任何问题。

然而,当我尝试调用 Lambda 的 URL 时,我只是得到一个 null 返回。

当我检查 CloudWatch 日志时,我可以看到一个错误,错误消息说我的 Lambda 没有权限在 DynamoDB 表上执行 Scan 操作!至少这是我对错误消息的理解:

2022/09/11 15:32:30 无法扫描 DynamoDB 表!错误:操作错误 DynamoDB: Scan,https 响应错误 StatusCode: 400,RequestID: 8JTBR7LIJ6H6UERR0NSM1U28EBVV4KQNSO5AEMVJF66Q9ASUAAJG,api 错误 AccessDeniedException: User: arn:aws:sts::777650698697:assumed-role/GoTodoAppStack-FunctionServiceRole675BB04A-VIK6COW772H2/GoTodoAppStack-Function76856677-333lC1zqdKCi is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-west-2:777650698697:table/GoTodoAppStack-tasks86073811-5DY3UBZUCHI6 because no identity-based policy allows the dynamodb:Scan action

如果你仔细查看 cdk.go 文件,你会注意到我授予我的 Lambda 对 DynamoDB 表的读写权限。

// create a dynamodb table to store the tasks
table := awsdynamodb.NewTable(stack, jsii.String("tasks"), &awsdynamodb.TableProps{
	PartitionKey: &awsdynamodb.Attribute{
		Name: jsii.String("task_id"),
		Type: awsdynamodb.AttributeType_STRING},
	BillingMode:         awsdynamodb.BillingMode_PAY_PER_REQUEST,
	TimeToLiveAttribute: jsii.String("time_to_live"),
})

// add a global secondary index based on user_id
table.AddGlobalSecondaryIndex(&awsdynamodb.GlobalSecondaryIndexProps{
	IndexName:    jsii.String("user-index"),
	PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("user_id"), Type: awsdynamodb.AttributeType_STRING},
	SortKey:      &awsdynamodb.Attribute{Name: jsii.String("created_at"), Type: awsdynamodb.AttributeType_STRING},
})

// bundling options to make go fast
bundlingOptions := &awscdklambdagoalpha.BundlingOptions{
	GoBuildFlags: &[]*string{jsii.String(`-ldflags "-s -w" -tags lambda.norpc`)},
}

// creating the aws lambda
handler := awscdklambdagoalpha.NewGoFunction(stack, jsii.String("Function"), &awscdklambdagoalpha.GoFunctionProps{
	Architecture: awslambda.Architecture_ARM_64(),
	Entry:        jsii.String("../api/getitems/lambda"),
	Environment:  &map[string]*string{"DYNAMODB_TABLENAME": table.TableName()},
	Bundling:     bundlingOptions,
	MemorySize:   jsii.Number(1024),
	Timeout:      awscdk.Duration_Millis(jsii.Number(15000)),
})

// grant dynamodb read write permissions to the lambda
table.GrantReadWriteData(handler)

我很困惑。有人知道为什么在尝试在 DynamoDB 表上运行 Scan 操作时会出现该错误消息吗?

更新

这是我的 Lambda 的权限选项卡的截图:

AWS Lambda即使被授予读写权限,也无法扫描DynamoDB表。

如果我点击与 Lambda 关联的执行角色的链接,我会得到:

AWS Lambda即使被授予读写权限,也无法扫描DynamoDB表。

你可以看到,它有正确的权限!

英文:

My whole solution (infrastructure code and the actual lambda) are all open-source.

Basically, I want a Go lambda that when called would query a dynamodb table and get all items. I know the Scan method is dangerous on DynamoDB (imagine you had 1000s of table items), but I know I only have 3 items in the table and this whole project is just an exercise in AWS CDK (Go) for me.

When I deploy my infrastructure with cdk deploy --profile personal, all is deployed without any issues.

However, when I try to call the the lambda URL, I simply get a null back.

AWS Lambda即使被授予读写权限,也无法扫描DynamoDB表。

When I check the CloudWatch logs, I can see an error, and the error message says that my lambda does not have permissions to do a Scan on my DynamoDB table! At least that's my understanding of the error message:

> 2022/09/11 15:32:30 could not scan the dyanmodb table! error: operation error DynamoDB: Scan, https response error StatusCode: 400, RequestID: 8JTBR7LIJ6H6UERR0NSM1U28EBVV4KQNSO5AEMVJF66Q9ASUAAJG, api error AccessDeniedException: User: arn:aws:sts::777650698697:assumed-role/GoTodoAppStack-FunctionServiceRole675BB04A-VIK6COW772H2/GoTodoAppStack-Function76856677-333lC1zqdKCi is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-west-2:777650698697:table/GoTodoAppStack-tasks86073811-5DY3UBZUCHI6 because no identity-based policy allows the dynamodb:Scan action

If you take a close look at the cdk.go file, you'll notice that I am granting my lambda read and write permissions to the dynamodb table.

// create a dynamodb table to store the tasks
table := awsdynamodb.NewTable(stack, jsii.String("tasks"), &awsdynamodb.TableProps{
	PartitionKey: &awsdynamodb.Attribute{
		Name: jsii.String("task_id"),
		Type: awsdynamodb.AttributeType_STRING},
	BillingMode:         awsdynamodb.BillingMode_PAY_PER_REQUEST,
	TimeToLiveAttribute: jsii.String("time_to_live"),
})

// add a global secondary index based on user_id
table.AddGlobalSecondaryIndex(&awsdynamodb.GlobalSecondaryIndexProps{
	IndexName:    jsii.String("user-index"),
	PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("user_id"), Type: awsdynamodb.AttributeType_STRING},
	SortKey:      &awsdynamodb.Attribute{Name: jsii.String("created_at"), Type: awsdynamodb.AttributeType_STRING},
})

// bundling options to make go fast
bundlingOptions := &awscdklambdagoalpha.BundlingOptions{
	GoBuildFlags: &[]*string{jsii.String(`-ldflags "-s -w" -tags lambda.norpc`)},
}

// creating the aws lambda
handler := awscdklambdagoalpha.NewGoFunction(stack, jsii.String("Function"), &awscdklambdagoalpha.GoFunctionProps{
	Architecture: awslambda.Architecture_ARM_64(),
	Entry:        jsii.String("../api/getitems/lambda"),
	Environment:  &map[string]*string{"DYNAMODB_TABLENAME": table.TableName()},
	Bundling:     bundlingOptions,
	MemorySize:   jsii.Number(1024),
	Timeout:      awscdk.Duration_Millis(jsii.Number(15000)),
})

// grant dynamodb read write permissions to the lambda
table.GrantReadWriteData(handler)

I am confused. Anyone any ideas why I get that error message when trying to run a Scan on the DynamoDB table?

UPDATE

Here is a screenshot of the Permissions tab on my Lambda:

AWS Lambda即使被授予读写权限,也无法扫描DynamoDB表。

If I then click the link to the Execution Role associated with the Lambda, I get:

AWS Lambda即使被授予读写权限,也无法扫描DynamoDB表。

As you can see, it has the right permissions!

答案1

得分: 4

您提供的错误日志和IAM角色上的AWS区域不同。错误日志上的区域是us-west-2,但角色权限上的区域是eu-west-2

看起来您在lambda处理程序的/main/api/getitems/handler.go的第31行中硬编码了区域。

英文:

The AWS region is different on the error log you provided and on the IAM role. The region on the error is us-west-2 but the region on the role permissions is eu-west-2.

It seems that you hardcoded the region on your lambda handler in /main/api/getitems/handler.go line 31.

huangapple
  • 本文由 发表于 2022年9月11日 23:38:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/73680560.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定