I have deployed a SAM template with a Lambda function that uses an existing DynamoDB table. The template:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  myTable:
    Description: table ARN
    Type: String
Resources:
  createData:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/myApp
      Handler: com.xxx.App::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Environment:
        Variables:
          PARAM1: VALUE
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        apiPut:
          Type: Api
          Properties:
            Path: /myapp
            Method: put
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref myTable
When I deploy the app, I enter the table ARN as the myTable parameter: arn:aws:dynamodb:eu-central-1:XXXXXXXXXX:table/TABLE_NAME. When I call the API, I get an error because the Lambda function does not have permission to PutItem in DynamoDB:
User: arn:aws:sts::XXXXXXXXXX:assumed-role/APP_ROLE/LAMBDA_APP is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:eu-central-1:XXXXXXXXXX:table/TABLE_NAME because no identity-based policy allows the dynamodb:PutItem action
Why?
You should simply provide only the TableName, not the entire ARN, for DynamoDBCrudPolicy:
https://github.com/aws/serverless-application-model/blob/develop/docs/policy_templates.rst
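As an added illustration (not part of the original question or answer), here is the asker's template rewritten the way the answer suggests. The parameter name myTableName and the TABLE_NAME environment variable are my own choices; everything else is taken from the posted template. DynamoDBCrudPolicy builds the IAM Resource itself as arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName} (plus .../index/*), so when an ARN is passed in, the generated ARN becomes ...table/arn:aws:dynamodb:... and matches nothing, which is exactly the "no identity-based policy allows" error above.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  # Assumed name: takes the bare table name (e.g. TABLE_NAME), NOT the ARN.
  myTableName:
    Description: Name of the existing DynamoDB table (table name only, not its ARN)
    Type: String
Resources:
  createData:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src/myApp
      Handler: com.xxx.App::handleRequest
      Runtime: java11
      Architectures:
        - x86_64
      MemorySize: 512
      Environment:
        Variables:
          # Assumed: hand the same table name to the code so template and code
          # cannot drift apart; the original used a placeholder PARAM1 here.
          TABLE_NAME: !Ref myTableName
          JAVA_TOOL_OPTIONS: -XX:+TieredCompilation -XX:TieredStopAtLevel=1
      Events:
        apiPut:
          Type: Api
          Properties:
            Path: /myapp
            Method: put
      Policies:
        # SAM expands this into Allow on dynamodb:GetItem/PutItem/UpdateItem/
        # DeleteItem/Query/Scan/... scoped to
        #   arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${myTableName}
        # and the matching .../index/* ARN. Only the name belongs here.
        - DynamoDBCrudPolicy:
            TableName: !Ref myTableName
```

Two things worth checking after deploying. First, the generated role policy: open the function's execution role (APP_ROLE in the error message) in IAM, or run aws iam list-role-policies / aws iam get-role-policy against it, and confirm the Resource entries read arn:aws:dynamodb:eu-central-1:<account>:table/TABLE_NAME rather than containing a second embedded ARN. Second, because the policy template hard-wires ${AWS::Region} and ${AWS::AccountId}, it can only ever grant access to a table in the same account and region as the stack; for a table elsewhere (or if you genuinely have only the ARN), replace the policy template with an inline Statement whose Resource is the full ARN and keep the action list to the least the function needs (here, dynamodb:PutItem).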