AWS Lambda cannot Scan DyanmoDB table even when granted Read & Write permissions

My whole solution (infrastructure code and the actual lambda) are all open-source.

Basically, I want a Go lambda that when called would query a dynamodb table and get all items. I know the Scan method is dangerous on DynamoDB (imagine you had 1000s of table items), but I know I only have 3 items in the table and this whole project is just an exercise in AWS CDK (Go) for me.

When I deploy my infrastructure with cdk deploy --profile personal, all is deployed without any issues.

However, when I try to call the the lambda URL, I simply get a null back.

When I check the CloudWatch logs, I can see an error, and the error message says that my lambda does not have permissions to do a Scan on my DynamoDB table! At least that's my understanding of the error message:

> 2022/09/11 15:32:30 could not scan the dyanmodb table! error: operation error DynamoDB: Scan, https response error StatusCode: 400, RequestID: 8JTBR7LIJ6H6UERR0NSM1U28EBVV4KQNSO5AEMVJF66Q9ASUAAJG, api error AccessDeniedException: User: arn:aws:sts::777650698697:assumed-role/GoTodoAppStack-FunctionServiceRole675BB04A-VIK6COW772H2/GoTodoAppStack-Function76856677-333lC1zqdKCi is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-west-2:777650698697:table/GoTodoAppStack-tasks86073811-5DY3UBZUCHI6 because no identity-based policy allows the dynamodb:Scan action

If you take a close look at the cdk.go file, you'll notice that I am granting my lambda read and write permissions to the dynamodb table.

// create a dynamodb table to store the tasks
table := awsdynamodb.NewTable(stack, jsii.String("tasks"), &awsdynamodb.TableProps{
	PartitionKey: &awsdynamodb.Attribute{
		Name: jsii.String("task_id"),
		Type: awsdynamodb.AttributeType_STRING},
	BillingMode:         awsdynamodb.BillingMode_PAY_PER_REQUEST,
	TimeToLiveAttribute: jsii.String("time_to_live"),
})

// add a global secondary index based on user_id
table.AddGlobalSecondaryIndex(&awsdynamodb.GlobalSecondaryIndexProps{
	IndexName:    jsii.String("user-index"),
	PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("user_id"), Type: awsdynamodb.AttributeType_STRING},
	SortKey:      &awsdynamodb.Attribute{Name: jsii.String("created_at"), Type: awsdynamodb.AttributeType_STRING},
})

// bundling options to make go fast
bundlingOptions := &awscdklambdagoalpha.BundlingOptions{
	GoBuildFlags: &[]*string{jsii.String(`-ldflags "-s -w" -tags lambda.norpc`)},
}

// creating the aws lambda
handler := awscdklambdagoalpha.NewGoFunction(stack, jsii.String("Function"), &awscdklambdagoalpha.GoFunctionProps{
	Architecture: awslambda.Architecture_ARM_64(),
	Entry:        jsii.String("../api/getitems/lambda"),
	Environment:  &map[string]*string{"DYNAMODB_TABLENAME": table.TableName()},
	Bundling:     bundlingOptions,
	MemorySize:   jsii.Number(1024),
	Timeout:      awscdk.Duration_Millis(jsii.Number(15000)),
})

// grant dynamodb read write permissions to the lambda
table.GrantReadWriteData(handler)

I am confused. Anyone any ideas why I get that error message when trying to run a Scan on the DynamoDB table?

UPDATE

Here is a screenshot of the Permissions tab on my Lambda:

If I then click the link to the Execution Role associated with the Lambda, I get:

As you can see, it has the right permissions!

The AWS region is different on the error log you provided and on the IAM role. The region on the error is us-west-2 but the region on the role permissions is eu-west-2.

It seems that you hardcoded the region on your lambda handler in /main/api/getitems/handler.go line 31.