Debug permission issues and allow a lambda function to access data from a DynamoDB table
At the end of the last lesson we've managed to create a Lambda function which we want to use to get data from DynamoDB table using the scan operation.
Unfortunately, after calling the lambda function we get a following response:
"message": "User: arn:aws:sts::696785635119:assumed-role/TodoAppStack-TodoDatabaseTodoHandlerServiceRole991-152UNT6KUIOG2/TodoAppStack-TodoDatabaseTodoHandlerDD6198FE-CPTO6AAJJU5W is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:eu-central-1:696785635119:table/TodoAppStack-TodoDatabaseTodoTable29EA4913-E6Z09XSAAHF8",
In this quick lesson we're going to learn two things:
- how to debug permission issues in AWS using CloudWatch
- how to allow a lambda function to access data from a DynamoDB table with
grantReadWriteDatafunction (in a single line of code!)
Instructor: [0:00] Now that our to-the-handler is ready, let's go ahead and deploy it. Open up the terminal and run cdk deploy. After a successful deployment, we can see our endpoint over here. Let me copy that.
[0:09] I'm going to send a get request to it using the curl command. We can see that it didn't work. We are not getting the to-the-items. Instead, we're getting an AccessDeniedException with a Status Code of 400.
[0:20] With CDK, and honestly all of AWS, it is important to know where and how we can debug issues like that. To do that, let's take a look at our stack in CloudFormation console. Go back to AWS Console, go to Services, search for CloudFormation, and click over here. Next, click on the name of our stack.
[0:36] Afterwards, go to Resources and search for our Lambda function. We can see our function over here. Let's click on it. We are going to get redirected to AWS Lambda Console where we can see our to-the-handler JS file with get-all-todos function.
[0:48] Once we scroll down a bit, we can see in the environment variable section that our table name has been successfully set to the name of our table. Right now, let's go ahead and click on Monitoring to see why exactly this function is not working.
[1:00] Next, click on View logs and CloudWatch button. In the CloudWatch console, open up the newest log stream. After we expand one of those, we are going to be able to see that our to-the-handler is not authorized to perform a scan on a resource, which is our database.
[1:15] That happens because by default AWS resources are following something that is called a principle of least privilege. The idea is that they have the least amount of privilege possible in order to get the job done. By default, a Lambda function does not need the permission to perform a scan on a DynamoDB table. Luckily, with CDK we can configure that ourselves and in a single line of code.
[1:37] Let's go back to our todo backend construct. Here, we are going to do, todos-table.grant read write data. This function is going to give the to-the-handler the necessary permissions in order to be able to both read and write data to our DynamoDB table. Right now, we are only reading from the table, but this is going to change in the next lessons. I'm going to pass this.handler as the argument of this function.
[2:00] Now the issue has been fixed so let's open up the terminal and run cdk diff to see what exactly is going to change. This single line of code is going to do all of that. Our to-the-handler would be able to perform all of those actions on our DynamoDB table.
[2:15] The action that we are concerned the most right now is DynamoDB scan. Now we can deploy it. Run cdk deploy. Hit Yes. To see if the fix worked, we can go ahead and send another request to this endpoint and we are going to be able to see the list our to-the-items that we have stored in our database.
If the "todosTable.grantReadWriteData(this.handler)" gives you an error saying that "Function is incompatible with IGrantable", or something like that. Make sure your @aws-cdk dependencies are the same version! :)