13

I am getting this error when I am trying to create a trigger:

There was an error creating the trigger: Cannot access stream arn:aws:dynamodb:us-east-2:xxxxxx:table/xxxx/stream/2017-09-18T07:47:01.834. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM.

Please help me,

5 Answers 5

22

When attaching a trigger to a DynamoDB table, you will get the error as posted by the OP.

You need to add a policy to the IAM role generated for that lambda function.

Here is sample JSON you can use to create the policy, just replace the lambda function and stream ARNs.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:accountnumber:function:functionname"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:region:accountnumber:table/table-name/stream/2019-02-27T07:41:49.893"
        }
    ]
}
```

Once you create the policy and attach it to the role, you can then go back to DynamoDB and create a new trigger with the lambda function. If done correctly, it will create without errors.


2 Comments

Can you take a look here please? stackoverflow.com/questions/70016674/…
If you're using a SAM template, you can one-line this with: DynamoDBStreamReadPolicy
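A quick offline check for the policy shape shown in the first answer, added here as an example (not code from the question or any answer): it parses an IAM policy document and reports which of the four stream actions from the error message are not allowed on a given stream ARN, honouring IAM's `*`/`?` wildcards in both `Action` and `Resource`. The account id, table name and stream label are constructed placeholders; `Deny`, `NotAction`, `NotResource` and `Condition` are deliberately not modelled, so a clean result means the policy is plausible, not that IAM will certainly allow it.

```python
import fnmatch
import json

# The four actions named in the error message quoted in the question.
REQUIRED_STREAM_ACTIONS = (
    "dynamodb:DescribeStream",
    "dynamodb:GetRecords",
    "dynamodb:GetShardIterator",
    "dynamodb:ListStreams",
)


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcard match: '*' and '?' are wildcards; names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def missing_stream_permissions(policy_json, stream_arn):
    """Return the required actions that no Allow statement grants on stream_arn.

    Only Allow statements with plain Action/Resource are evaluated. Deny,
    NotAction, NotResource, Condition and permission boundaries are not
    modelled, so an empty result is necessary but not sufficient.
    """
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue
        if not any(_matches(r, stream_arn) for r in _as_list(stmt.get("Resource", []))):
            continue  # statement does not cover this stream ARN
        actions = _as_list(stmt.get("Action", []))
        granted.update(a for a in REQUIRED_STREAM_ACTIONS
                       if any(_matches(p, a) for p in actions))
    return [a for a in REQUIRED_STREAM_ACTIONS if a not in granted]


# Constructed sample (placeholder account id, table and stream label), shaped
# like the stream statement in the first answer above.
SAMPLE_STREAM_ARN = ("arn:aws:dynamodb:us-east-2:123456789012:"
                     "table/Orders/stream/2017-09-18T07:47:01.834")
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": SAMPLE_STREAM_ARN,
                   "Action": list(REQUIRED_STREAM_ACTIONS)}],
})
```

Run `missing_stream_permissions(SAMPLE_POLICY, SAMPLE_STREAM_ARN)` and expect an empty list; feeding it the role's actual inline policy (e.g. from `aws iam get-role-policy`) shows which of the four actions the error is complaining about.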

3

As per error message, your IAM settings are not correct. You need to assign these kinds of Roles to your user.

You will have to create a policy that allows your AWS functions to access Cloudwatch logs as well as the table you just created. Go to the IAM console, select 'Roles' and then 'Create new role'.


Select the 'AWS Lambda' role.

And then click 'Next step' to skip the 'Attach Policy' section.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html will help you tackle this error. Also, I tried to follow the information from https://github.com/dwyl/learn-aws-lambda#what-is-lambda for accessing DynamoDB, and it's working fine with the root (main) user.


2

Seems like you only need to create this role with the policy AWSLambdaDynamoDBExecutionRole and attach it to your lambda. You probably don't want full access, as this is a read action.


0

When you create a lambda function, Lambda creates a role by default for the lambda function, but that role isn't enough to give Dynamo permission to invoke lambda functions. So in the roles section, find your lambda function's role and attach the AWSLambdaInvocation-DynamoDB policy.


0

Attach the AWSLambdaKinesisExecutionRole policy to the lambda function. This policy is predefined by AWS. You can just use that in your lambda SAM template.

1 Comment

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
