Tags: amazon-web-services, aws-cloudformation, serverless, amazon-timestream

Access Denied Error while inserting into Aws Timestream on Serverless Stack


I'm trying to insert a record into my AWS Timestream table, and it results in an access denied error.

Here is the permission in serverless.yml:

    - Effect: Allow
      Action:
        - timestream:*
      Resource:
        - arn:aws:timestream:${self:provider.region}:*:database/*
        - arn:aws:timestream:${self:provider.region}:*:database/*/*/*

IAM role detail for the Lambda:

    {
        "Action": [
            "timestream:*"
        ],
        "Resource": [
            "arn:aws:timestream:us-east-1:*:database/*",
            "arn:aws:timestream:us-east-1:*:database/*/*/*"
        ],
        "Effect": "Allow"
    }

Record Sample

{
    "DatabaseName": "developmentreportsdb",
    "TableName": "developmenteventstable",
    "Records": [
        {
            "Dimensions": [
                {
                    "Name": "accountId",
                    "Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
                },
                {
                    "Name": "userId",
                    "Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
                }
            ],
            "MeasureName": "ACCOUNT.NEW",
            "MeasureValue": "6921e43e-266c-4adf-8a69-d90bd8743d1b",
            "MeasureValueType": "VARCHAR",
            "Time": "1644234263813",
            "TimeUnit": "MILLISECONDS",
            "Version": 1
        }
    ]
}

Error Details:

Error writing records: AccessDeniedException: User: arn:aws:sts::344128203239:assumed-role/development-us-east-1-lambdaRole/development-worker is not authorized to perform: timestream:DescribeEndpoints because no identity-based policy allows the timestream:DescribeEndpoints action

TIA. What is missing here?


Solution

  • The DescribeEndpoints permission is required to resolve the endpoint the Timestream SDK has to connect to. It is required for both read and write access.

    The following is an example policy where only read access is permitted to the user:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "timestream:Select",
                "Resource": "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "timestream:DescribeEndpoints"
                ],
                "Resource": "*"
            }
        ]
    }
    

    Here is an example of the minimum permissions required for write-only access:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "timestream:WriteRecords"
                ],
                "Resource": [
                    "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "timestream:DescribeEndpoints"
                ],
                "Resource": "*"
            }
        ]
    }
    

    Here is an example where the user has both permissions (Read + Write):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "timestream:WriteRecords",
                    "timestream:Select"
                ],
                "Resource": [
                    "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "timestream:DescribeEndpoints"
                ],
                "Resource": "*"
            }
        ]
    }
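The point the answer makes (a `timestream:*` statement scoped to database and table ARNs does not cover `DescribeEndpoints`, which can only be granted on `Resource: "*"`) can be checked offline with a small policy evaluator. The following is an added example, not code from the original question or answer. It implements a deliberately simplified model of IAM evaluation (Effect, Action and Resource only, with IAM's `*` and `?` wildcards; no Condition, NotAction, NotResource, permission boundaries, SCPs or resource-based policies), uses a placeholder account ID, and reuses the database and table names from the question's record sample:

```python
"""Simplified IAM identity-policy evaluator (added example, not from the
original post).  Models only Effect, Action and Resource with IAM's '*'
and '?' wildcards.  Condition, NotAction, NotResource, permission
boundaries, SCPs and resource-based policies are deliberately left out.
The account ID 123456789012 is a placeholder."""
import fnmatch

# Constructed ARN of the table named in the question (placeholder account).
TABLE_ARN = ("arn:aws:timestream:us-east-1:123456789012:"
             "database/developmentreportsdb/table/developmenteventstable")

# The role statement quoted in the question: every Timestream action, but
# only on database/table ARNs.  DescribeEndpoints has no resource-level
# permissions, so the request is evaluated against the resource "*".
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["timestream:*"],
        "Resource": ["arn:aws:timestream:us-east-1:*:database/*",
                     "arn:aws:timestream:us-east-1:*:database/*/*/*"],
    }],
}

# The answer's write-only policy, scoped to the question's table.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["timestream:WriteRecords"],
         "Resource": [TABLE_ARN]},
        {"Effect": "Allow", "Action": ["timestream:DescribeEndpoints"],
         "Resource": "*"},
    ],
}

# (action, resource) pairs a WriteRecords call needs, per the answer.
WRITE_REQUIREMENTS = [("timestream:DescribeEndpoints", "*"),
                      ("timestream:WriteRecords", TABLE_ARN)]


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' one character.
    fnmatch also interprets '[...]', so escape it to keep ARNs literal."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_authorized(policy, action, resource):
    """True iff an Allow statement matches and no Deny statement does.
    Action names compare case-insensitively, resources case-sensitively."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_wildcard_match(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


def missing_permissions(policy, requirements):
    """Return the (action, resource) pairs the policy does not authorize."""
    return [(a, r) for a, r in requirements if not is_authorized(policy, a, r)]


if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "missing:", missing_permissions(policy, WRITE_REQUIREMENTS))
```

Running it reports `timestream:DescribeEndpoints` on `*` as the only pair missing from the question's policy and nothing missing from the answer's write-only policy, which also still refuses `timestream:Select`. The same two statements, with the concrete table ARN in place of the `database/*` wildcards, are what the `iamRoleStatements` in serverless.yml should render to.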