
I have created a new IAM role, which has access (Scan/Query) to specific DynamoDB tables.

I am trying to use the STS AssumeRole API call from my Lambda function, so that the Lambda function gets access to the specific DynamoDB tables.

The AssumeRole call was successful; I got the role ID, AccessKeyId, SecretAccessKey and SessionToken.

When I make a call from my Lambda function to access DynamoDB, I get an error:

AccessDeniedException: User: arn:aws:sts::>:assumed-role/ota-dev-us-east-1-lambdaRole/ is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:>:table/<>

My question is: even after the AssumeRole call was successful in the Lambda function, why is the Lambda function still using the older role to access DynamoDB?

I was expecting the Lambda function to assume the new role, but from the logs it looks like it is still using the older role.

It looks like I am missing some steps in between.

Dattatray

1 Answer


The STS AssumeRole call, depending on how you trigger it, does not automatically refresh the credentials in the SDK's global AWS.config object.

You need to retrieve the access key, session key and session token returned by AssumeRole and pass them to your global AWS credentials SDK object.

The exact code will depend on the programming language you are using; here is the doc for Python's Boto3:

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html

On a side note, I wonder why you do not give permanent access to your DynamoDB table in the Lambda execution role. Is this to limit the function's reach and give fine-grained access control at runtime, based on the caller's identity?

Sébastien Stormacq
  • Thanks @Sébastien Stormacq, yes, I got your point. I will need to retrieve the access key, session key and session token returned by AssumeRole. Are there any examples for the Go language SDK? About the access to DynamoDB tables, I want to give fine-grained access to DynamoDB tables based on the caller's identity. – Dattatray Mar 07 '19 at 13:32
    This is the code snippet I have written in Go and it worked:
        roleArn := "arn:aws:iam::AccountID:role/RoleName"
        sess := session.Must(session.NewSession())                        // base session: Lambda execution-role credentials
        creds := stscreds.NewCredentials(sess, roleArn)                   // credential provider that calls AssumeRole on demand
        dbSession := dynamodb.New(sess, &aws.Config{Credentials: creds}) // this client signs with the assumed role's credentials
    – Dattatray Mar 08 '19 at 04:50
  • I found the following links useful; they complement each other: https://stackoverflow.com/a/57456841/9783262 (for Python) and https://stackoverflow.com/a/48530115/9783262 (for JavaScript). I was getting a similar error because I didn't pass region_name= into AWS.config.update({...}) and/or didn't use AWS.config.region = ; – SAndriy Dec 27 '19 at 20:43
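The mechanism behind the accepted answer, as an added example that is not part of the original question, answer or comments: a successful AssumeRole call returns a second set of credentials, but every DynamoDB request is signed (SigV4) with whatever credentials the client object was built with, and IAM authorizes the principal behind the access key named in that signature. A client created from the Lambda's default session therefore keeps signing as the execution role, which is exactly the AccessDeniedException the question shows. The block below is a hand-written, standard-library-only SigV4 signer used purely to make that visible offline; it is not the AWS SDK's code, and the key ids, secrets and session tokens are constructed dummies. In real code you let the SDK do this: with boto3, `boto3.client("dynamodb", region_name="us-east-1", aws_access_key_id=c["AccessKeyId"], aws_secret_access_key=c["SecretAccessKey"], aws_session_token=c["SessionToken"])` where `c = sts.assume_role(...)["Credentials"]`, and you can confirm which principal a credential set resolves to with `boto3.client("sts", aws_access_key_id=..., aws_secret_access_key=..., aws_session_token=...).get_caller_identity()["Arn"]` before touching the table.

```python
"""Added example (not from the original post): a minimal SigV4 signer,
standard library only, to show which credentials a DynamoDB Scan request
actually carries. Credentials below are constructed dummies, not real keys."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None  # set for temporary (STS) credentials only


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def sign_dynamodb_scan(creds: Credentials, table: str, region: str,
                       amz_date: str) -> Dict[str, str]:
    """Return the signed headers for a DynamoDB Scan of `table`.

    Whichever Credentials the client was built with is the one whose key id
    lands in the Credential= scope (and whose token goes in
    X-Amz-Security-Token). IAM authorizes the principal behind that key, so a
    Scan signed with the Lambda execution-role keys is denied regardless of
    how many successful AssumeRole calls were made beforehand."""
    service = "dynamodb"
    host = f"dynamodb.{region}.amazonaws.com"
    payload = '{"TableName": "%s"}' % table
    headers = {
        "content-type": "application/x-amz-json-1.0",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-target": "DynamoDB_20120810.Scan",
    }
    if creds.session_token:
        headers["x-amz-security-token"] = creds.session_token

    signed_names = sorted(headers)
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in signed_names)
    signed_headers = ";".join(signed_names)
    payload_hash = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(
        _signing_key(creds.secret_access_key, date, region, service),
        string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds.access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def signing_key_id(headers: Dict[str, str]) -> str:
    """Which access key id will this request be authorized as?
    Handy for checking from a captured request or SDK debug log that the
    client really switched to the assumed role's credentials."""
    auth = headers["authorization"]
    credential = auth.split("Credential=", 1)[1].split(",", 1)[0]
    return credential.split("/", 1)[0]


# Constructed dummies. Both are temporary credentials (ASIA... + token):
# Lambda's execution role is itself an assumed role.
EXECUTION_ROLE = Credentials("ASIAEXECROLEEXAMPLE0", "execsecret" * 4,
                             "exec-session-token-example")
ASSUMED_ROLE = Credentials("ASIAASSUMEDEXAMPLE00", "assumedsecret" * 3,
                           "assumed-session-token-example")

if __name__ == "__main__":
    for name, creds in [("execution role", EXECUTION_ROLE), ("assumed role", ASSUMED_ROLE)]:
        h = sign_dynamodb_scan(creds, "my-table", "us-east-1", "20190307T133200Z")
        print(f"{name}: Scan will be authorized as {signing_key_id(h)}")
```

The practical check this suggests: if a DynamoDB call fails with the execution role's ARN in the error even though AssumeRole succeeded, confirm which credentials the failing client signs with (the `Credential=` scope in the request's Authorization header, or `get_caller_identity()` on the same credential object) rather than re-checking the role's policy.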