aws-samples / api-gateway-secure-pet-store

Amazon API Gateway sample using Amazon Cognito credentials through AWS Lambda
Apache License 2.0

"errorMessage": "null (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: #14

Open esumit opened 8 years ago

esumit commented 8 years ago

I followed the documentation, and on execution of the below method -

https://XXXXXXX.execute-api.us-east-1.amazonaws.com/devTest/users with the following body:

```json
{
  "action": "com.amazonaws.apigatewaydemo.action.RegisterDemoAction",
  "body": {
    "username": "test",
    "password": "test123"
  }
}
```

(However, it was not mentioned anywhere in the documentation how to send the request.)

And it gave following error -

```json
{
  "errorMessage": "null (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: 1TM4POAKDQ2KIEIUEPIOLTH0RNVV4KQNSO5AEMVJF66Q9ASUAAJG)",
  "errorType": "com.amazonaws.AmazonServiceException",
  "stackTrace": [
    "com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1182)",
    "com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:770)",
    "com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:489)",
    "com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:310)",
    "com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke(AmazonDynamoDBClient.java:1772)",
    "com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.getItem(AmazonDynamoDBClient.java:1141)",
    "com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapper.load(DynamoDBMapper.java:454)",
    "com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapper.load(DynamoDBMapper.java:532)",
    "com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapper.load(DynamoDBMapper.java:398)",
    "com.amazonaws.apigatewaydemo.model.user.DDBUserDAO.getUserByName(DDBUserDAO.java:64)",
    "com.amazonaws.apigatewaydemo.action.RegisterDemoAction.handle(RegisterDemoAction.java:101)",
    "com.amazonaws.apigatewaydemo.RequestRouter.lambdaHandler(RequestRouter.java:98)",
    "sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
    "sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)",
    "sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
    "java.lang.reflect.Method.invoke(Method.java:497)"
  ]
}
```

esumit commented 8 years ago

It was a Role issue with the Lambda Function Configuration, and that solved the problem.

justabuzz commented 8 years ago

Hi, I'm in the same situation. What wasn't right in your configuration? Thanks!

esumit commented 8 years ago

Based on the documentation, you would have configured an IAM Role with the following (Amazon Cognito Identity, Amazon DynamoDB, AWS Lambda, Amazon CloudWatch Logs).

Say you gave this role the name 'PetRole'.

In the configuration section of the Lambda function (com.amazonaws.apigatewaydemo.RequestRouter::lambdaHandler), you will see the fields Name, Lambda function handler and Role.

I configured 'PetRole' as role there, and then it worked.

Please let me know if that solves your issue too.

Note: I watched various AWS IAM and Lambda YouTube videos, followed several articles, and did some other Lambda-specific experiments, and based on that understanding I did the above.

justabuzz commented 8 years ago

Hi, thanks for the details! I tweaked and played with it and it does fix things - the role should allow the Lambda to access all resources relevant to this example (in fact everything in the custom role we created in one of the steps there - DynamoDB, Cognito, etc).

In a sense it makes sense - grant the relevant permissions to the Lambda. Also - it says so in the docs. But I was under the impression that the permissions were being passed from the API Gateway when it invokes the Lambda, so that the permissions of the user who calls the API are assumed by the Lambda and they determine what resources the Lambda is allowed to access.

I guess I understood this the wrong way.

Side note - the screenshot in the pet store instructions shows the role "basic_lambda_execution", which is a default role with minimal permissions. I guess this was a random screenshot they used and not one with real values.

Thanks again :)
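The thread above turns on one point: the Lambda function runs under its own execution role (the 'PetRole' esumit describes), and that role, not the Cognito identity of the API caller, is what DynamoDB checks when `DDBUserDAO.getUserByName` calls `GetItem`. The following is an added example, not code from the aws-samples repository or from either commenter. It models a basic-execution-style role beside a scoped 'PetRole' policy and runs a deliberately simplified IAM evaluator over both (explicit Deny wins, then any matching Allow, else implicit deny; only `*` wildcards), to show why the first produces the `AccessDeniedException` in the issue and the second does not. The account id, region, table name, identity pool id and the exact actions listed are constructed assumptions, not values from the page or the sample's real configuration.

```python
"""Simplified IAM policy evaluation for the pet store Lambda execution role.

Added example, not the aws-samples project's code. Policy documents, ARNs and
action lists are constructed for illustration; this evaluator is a teaching
model of IAM semantics, not the real policy engine.
"""
import fnmatch

# Constructed placeholders (not values from the issue).
ACCOUNT = "123456789012"
REGION = "us-east-1"
USERS_TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/users"
LOG_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:*"
IDENTITY_POOL_ARN = (
    f"arn:aws:cognito-identity:{REGION}:{ACCOUNT}:identitypool/{REGION}:PLACEHOLDER-POOL-ID"
)
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]

# Trust policy: only the Lambda service assumes the execution role. API Gateway
# invokes the function, but the function's own calls run under this role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# A minimal role like the "basic_lambda_execution" one in the screenshot:
# it can write CloudWatch Logs and nothing else.
BASIC_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": LOG_ARN}],
}

# A scoped 'PetRole': the same log permissions plus only the DynamoDB and
# Cognito calls the sample needs, each limited to one resource ARN.
PET_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": LOG_ARN},
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": USERS_TABLE_ARN,
        },
        {
            "Effect": "Allow",
            # Assumed action for developer-authenticated identities.
            "Action": ["cognito-identity:GetOpenIdTokenForDeveloperIdentity"],
            "Resource": IDENTITY_POOL_ARN,
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM decision: Deny overrides, Allow grants, default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def assumable_by_service(trust_policy, service):
    """True if the trust policy lets the given service principal assume the role."""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", []))
        if stmt["Effect"] == "Allow" and service in services \
                and "sts:AssumeRole" in _as_list(stmt["Action"]):
            return True
    return False


def overly_broad_statements(policy):
    """Indexes of Allow statements whose Action or Resource is a bare '*'."""
    return [
        i for i, stmt in enumerate(policy["Statement"])
        if stmt["Effect"] == "Allow"
        and ("*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]))
    ]


if __name__ == "__main__":
    # The call that failed in the issue: GetItem on the users table.
    for name, policy in [("basic_lambda_execution", BASIC_EXECUTION_POLICY),
                         ("PetRole", PET_ROLE_POLICY)]:
        ok = is_allowed(policy, "dynamodb:GetItem", USERS_TABLE_ARN)
        print(f"{name}: dynamodb:GetItem on users table -> {'allowed' if ok else 'AccessDenied'}")
    print("PetRole assumable by lambda.amazonaws.com:",
          assumable_by_service(TRUST_POLICY, "lambda.amazonaws.com"))
    print("PetRole broad statements:", overly_broad_statements(PET_ROLE_POLICY))
```

The evaluator reproduces the shape of the failure: with a logs-only execution role, `dynamodb:GetItem` on the users table falls through to the implicit deny, which is what the `AccessDeniedException` from `AmazonDynamoDBClient.getItem` in the stack trace reflects. Attaching a role that allows the DynamoDB and Cognito actions fixes it, and scoping each statement to one resource ARN keeps the fix at least privilege rather than granting the full managed policies; `overly_broad_statements` is the quick check for a `*` that crept in.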