AccessDeniedException when trying to perform the DynamoDB PutItem action

Posted 2025-02-05 09:25:24


My AWS Lambda function is trying to write to DynamoDB.
Users who log in from the client app call the AWS API Gateway endpoint, which in turn calls the AWS Lambda function.
These users are created in an AWS Cognito User Pool. Login is done using an Identity Pool (Federated Identity). This means that a first login with username and password gives an Id_token, which is exchanged for temporary IAM credentials and a session token.
The user is in a group that has an associated role that allows writing to the DynamoDB table.

The AWS Lambda function looks like this:

import json
import uuid

import boto3


def create_profile(event, context):
    # API Gateway (proxy integration) delivers the request body as a JSON string
    profile = json.loads(event["body"])

    # No credentials are passed explicitly: inside Lambda the default credential
    # chain resolves to the function's execution role, not to the caller's identity
    session = boto3.Session(region_name='eu-west-2')
    ddb_client = session.client('dynamodb')
    row_id = str(uuid.uuid4())
    # DynamoDB low-level client expects typed attribute values ('S' = string)
    item = {
        'RowID': {
            'S': row_id
        },
        'first_name': {
            'S': profile['first_name']
        },
        'last_name': {
            'S': profile['last_name']
        }
    }

    ddb_client.put_item(TableName='Persons', Item=item)

    return {"statusCode": 201, "body": json.dumps({"RowID": row_id})}

(This is just test code, so there are no validations etc.; please ignore that part.)

I get this error

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/<PREFIX>-CreateProfileFunctionRole-1VOW05TI1WR20/<PREFIX>-CreateProfileFunction-gqmkkzOP1Ro7 **is not authorized to perform:** dynamodb:PutItem on resource: arn:aws:dynamodb:eu-west-2:<ACCOUNT_ID>:table/Persons **because no identity-based policy allows** the dynamodb:PutItem action
    Traceback (most recent call last):
      File "/var/task/app.py", line 23, in create_profile
        ddb_client.put_item(TableName='Persons', Item=item)
      File "/var/runtime/botocore/client.py", line 391, in _api_call
        return self._make_api_call(operation_name, kwargs)
      File "/var/runtime/botocore/client.py", line 719, in _make_api_call
        raise error_class(parsed_response, operation_name)

My question is, why does it say "because no identity-based policy allows" when I have already added the AdministratorAccess managed policy?
I am thinking that the Python code written above is not running under the federated identity, so it cannot do further operations on more services.

I have checked that the role associated with the Cognito group is "assumed", since the role can be seen in the Id_token when inspected in jwt.io.

Is there something wrong with my Python code? Do I need to do something explicit to run it under the assumed identity in order to make further calls to other AWS services?


Comments (1)

离笑几人歌 2025-02-12 09:25:24


I faced a similar issue. I managed to fix this by adding an explicit policy to the role <PREFIX>-CreateProfileFunctionRole-1VOW05TI1WR20.

On the role, add the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:eu-west-2:<ACCOUNT_ID>:table/Persons*"
        }
    ]
}

For me the problem was resolved.
Hope it helps you.
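The principal named in the error message is the Lambda function's execution role (an `assumed-role` ARN for `<PREFIX>-CreateProfileFunctionRole-...`), not the Cognito group role the caller assumed, which is why the answer above attaches the policy to the execution role. The following Python script is an added example, not code from the question or the answer: it parses an AccessDenied message of the shape shown in the question, extracts the IAM role name whose policy must change, and builds a least-privilege policy granting exactly the denied action on exactly the denied table. The sample message is constructed from the question's error with the account id and stack prefix left as placeholders; the `Sid` value and helper names are my own.

```python
import json
import re

# Constructed sample: the question's AccessDeniedException message with the
# account id and stack prefix already redacted as placeholders.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the PutItem operation: "
    "User: arn:aws:sts::<ACCOUNT_ID>:assumed-role/<PREFIX>-CreateProfileFunctionRole-1VOW05TI1WR20/"
    "<PREFIX>-CreateProfileFunction-gqmkkzOP1Ro7 is not authorized to perform: dynamodb:PutItem "
    "on resource: arn:aws:dynamodb:eu-west-2:<ACCOUNT_ID>:table/Persons "
    "because no identity-based policy allows the dynamodb:PutItem action"
)

# IAM access-denied messages follow a fixed "User: ... is not authorized to perform: ...
# on resource: ... because ..." layout; capture each field.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+) because (?P<reason>.+)$"
)


def parse_access_denied(message):
    """Return the principal, action, resource and reason named in an access-denied message."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    return m.groupdict()


def role_name_from_principal(principal_arn):
    """For an STS assumed-role ARN (arn:aws:sts::<acct>:assumed-role/<role>/<session>),
    return the IAM role name; that role's identity-based policy is what must allow the action."""
    resource = principal_arn.split(":", 5)[5]
    kind, role_name, _session = resource.split("/", 2)
    if kind != "assumed-role":
        raise ValueError("principal is not an assumed role")
    return role_name


def least_privilege_policy(table_arn, actions):
    """Build an identity-based policy allowing only the listed DynamoDB actions on one table,
    instead of a broad managed policy such as AdministratorAccess."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowLambdaWriteToPersons",  # hypothetical statement id
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": table_arn,
        }],
    }


def policy_for_denial(message):
    """From a denial message, derive the role to fix and a policy granting exactly the denied action."""
    parts = parse_access_denied(message)
    role = role_name_from_principal(parts["principal"])
    policy = least_privilege_policy(parts["resource"], [parts["action"]])
    return role, policy


if __name__ == "__main__":
    role, policy = policy_for_denial(SAMPLE_ERROR)
    print("attach to role:", role)
    print(json.dumps(policy, indent=2))
```

The answer's policy uses `table/Persons*`, which also matches the table's secondary indexes (their ARNs are `table/Persons/index/...`); the exact table ARN taken from the error message is enough for `PutItem`, and query or scan on an index would need the index ARN added as a second resource.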
