40

I am trying to access DynamoDB from my Node app deployed on AWS ElasticBeanStalk. I am getting an error

User is not authorized to perform: dynamodb:PutItem on resource

It works perfectly fine locally, but when I deploy to the AWS it stops performing.

double-beep
  • 3,889
  • 12
  • 24
  • 35
Tirath Shah
  • 479
  • 2
  • 6
  • 7

3 Answers

40

The DynamoDB access denied error is generally a policy issue. Check the IAM/role policies that you are using. A quick check is to add the

AmazonDynamoDBFullAccess

policy to your role by going to the "Permissions" tab in the AWS console. If it works after that, then it means you need to create the right access policy and attach it to your role.

Abhimanu Kumar
  • 1,491
  • 15
  • 20
  • 2
    Although `AmazonDynamoDBFullAccess` should work, it is better practice to grant permissions only for the functions that you expect to call, which in this case is `dynamodb:PutItem`. This can help avoid unintended calls and consequences. [Here](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/api-permissions-reference.html) is the full list of possible permissions. – Dan Salo Oct 27 '17 at 20:04
  • 8
    @DanSalo Reading the poster's comment, I think he was saying to add FullAccess to see if that solved the problem. If it did, you then know it's a permissions problem and can then tune your permissions appropriately. – Thom Dec 19 '17 at 15:41
  • 3
    In my case the needed role was `AWSLambdaInvocation-DynamoDB` – JJ Roman Mar 16 '18 at 21:30
1

Check the access key you are using to connect to DynamoDB in your Node app on AWS. This access key will belong to a user that does not have the necessary privileges in IAM. So, find the IAM user, create or update an appropriate policy and you should be good.

For Beanstalk you need to set up user policies when you publish. Check out the official docs here.

And check out the example from here too, courtesy of @Tirath Shah.

smcstewart
  • 1,541
  • 11
  • 16
  • The same access key works perfectly locally. I also created a similar user as local with similar privileges and even that did not work – Tirath Shah Jan 14 '16 at 21:02
  • Are you using dynamodb-local for local development? Have you hard-coded the keys into the app? Or do you get them from the environment? If they are not hard-coded, try them out explicitly hard-coded. See if you can verify that the key and secret are exactly as you expect. Do other ops work, such as GetItem etc? – smcstewart Jan 14 '16 at 21:20
  • Currently it's hard-coded in the ~/.aws/credentials file. I haven't tried getItem from the app, but I tried it on the command line from the same machine and I was able to get all the items from the DB – Tirath Shah Jan 14 '16 at 22:30
  • Hard code it into your app and give it a bash. I have a gut feeling that the credentials aren't making it into your node app. – smcstewart Jan 14 '16 at 22:34
  • I do know that these credentials usually get pulled from ~/.aws/credentials. I am not sure where to hard code them so that the app can pull the credentials – Tirath Shah Jan 14 '16 at 22:52
  • And which user are you running your node app under in Beanstalk? You will have set a role when you published to Beanstalk. This role needs to have the policy privileges for `PutItem` etc. – smcstewart Jan 14 '16 at 22:53
  • Have updated the answer with link to docs re: setting up permissions in Beanstalk. – smcstewart Jan 14 '16 at 23:01
  • Thanks! I have been playing around with the policy, but I'm not very sure how to attach the policy – Tirath Shah Jan 15 '16 at 09:14
  • Ugh it finally worked!! This link helped http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.roles.apps.html – Tirath Shah Jan 15 '16 at 09:38
  • You are welcome Tirath. I've updated my answer to include your example too so anyone with similar issues can get the answer quickly. – smcstewart Jan 15 '16 at 14:01
  • Hey, how you doing? By any chance, would you be able to answer this? http://stackoverflow.com/questions/35811483/dynamodb-updateitem-deep-within-an-object – Tirath Shah Mar 05 '16 at 08:05
  • Sorry Tirath, I've just got back from holidays. Did you get it resolved? – smcstewart Mar 07 '16 at 15:24
  • Yes, I figured it out. Thanks! – Tirath Shah Mar 14 '16 at 10:35
0

In my case (I was trying to write to a DynamoDB table through a SageMaker Notebook for experimental purposes), the complete error looked like this:

ClientError: An error occurred (AccessDeniedException) when calling the UpdateItem operation: User: arn:aws:sts::728047644461:assumed-role/SageMakerExecutionRole/SageMaker is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:eu-west-1:728047644461:table/mytable

I needed to go to AWS Console -> IAM -> Roles -> SageMakerExecutionRole and attach these two policies:

AmazonDynamoDBFullAccess
AWSLambdaInvocation-DynamoDB

In a real-world scenario though, I'd advise following the least-permissions philosophy and applying a policy that allows the put item method to go through, in order to avoid accidents (e.g. deleting a record from your table).

gsamaras
  • 66,800
  • 33
  • 152
  • 256
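The first answer (and Dan Salo's comment under it) and the last answer both end at the same point: use the broad managed policy only to confirm that the failure is a permissions problem, then replace it with a statement scoped to the action and table the app actually needs. The example below is added here and is not code from any of the answers or from AWS; it shows how to read the action, principal and resource out of an `AccessDeniedException` message of the shape quoted in the last answer, turn that into the narrowest `Allow` statement, and check with a minimal IAM-style matcher (a simplification: only `*`/`?` wildcards, case-insensitive actions, explicit `Deny` over `Allow`, implicit deny otherwise) what the scoped statement permits compared with a `dynamodb:*` on `*` statement. The error text and the account id `111122223333` are constructed sample values, not taken from a real account.

```javascript
// Added example, not from the original answers. Derives a least-privilege IAM
// statement from a DynamoDB AccessDeniedException message and compares it with
// a full-access statement using a minimal IAM-style policy matcher.

// Constructed sample message (account id and names are placeholders); the shape
// matches what the SDK reports on an AccessDeniedException.
const SAMPLE_ERROR =
  "An error occurred (AccessDeniedException) when calling the UpdateItem operation: " +
  "User: arn:aws:sts::111122223333:assumed-role/SageMakerExecutionRole/SageMaker " +
  "is not authorized to perform: dynamodb:UpdateItem on resource: " +
  "arn:aws:dynamodb:eu-west-1:111122223333:table/mytable";

// Pull the principal, action and resource ARN out of the message.
function parseAccessDenied(message) {
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  if (!m) throw new Error("not an AccessDenied message: " + message);
  return { principal: m[1], action: m[2], resource: m[3] };
}

// The narrowest statement that lets the failing call succeed: exactly the
// reported action(s) on exactly the reported table ARN. Extra actions the app
// is known to need (e.g. dynamodb:PutItem) can be passed in explicitly.
function leastPrivilegeStatement(denial, extraActions = []) {
  return {
    Effect: "Allow",
    Action: [denial.action, ...extraActions],
    Resource: denial.resource,
  };
}

// IAM-style wildcard matching: '*' matches any run, '?' a single character.
// Actions are matched case-insensitively, resource ARNs case-sensitively.
function globToRegExp(pattern, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", caseInsensitive ? "i" : "");
}

function statementMatches(stmt, action, resource) {
  const actions = [].concat(stmt.Action);     // Action may be a string or array
  const resources = [].concat(stmt.Resource); // likewise for Resource
  return actions.some((a) => globToRegExp(a, true).test(action)) &&
         resources.some((r) => globToRegExp(r, false).test(resource));
}

// Simplified evaluation: an explicit Deny wins, an Allow is needed for access,
// and no matching statement means implicit deny (no conditions, no SCPs).
function isAllowed(policy, action, resource) {
  const matching = policy.Statement.filter((s) => statementMatches(s, action, resource));
  if (matching.some((s) => s.Effect === "Deny")) return false;
  return matching.some((s) => s.Effect === "Allow");
}

const denial = parseAccessDenied(SAMPLE_ERROR);

// Scoped policy: UpdateItem (from the error) plus PutItem (what the question needs).
const scopedPolicy = {
  Version: "2012-10-17",
  Statement: [leastPrivilegeStatement(denial, ["dynamodb:PutItem"])],
};

// Stand-in for the broad managed policy used as a diagnostic in the answers.
const fullAccessLike = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "dynamodb:*", Resource: "*" }],
};

// What each policy permits on the reported table and on a sibling table.
function summarize(policy) {
  const table = denial.resource;
  return {
    updateItem: isAllowed(policy, "dynamodb:UpdateItem", table),
    putItem: isAllowed(policy, "dynamodb:PutItem", table),
    deleteItem: isAllowed(policy, "dynamodb:DeleteItem", table),
    otherTable: isAllowed(policy, "dynamodb:PutItem", table.replace("mytable", "othertable")),
  };
}

console.log("principal:", denial.principal);
console.log(JSON.stringify(scopedPolicy, null, 2));
console.log("scoped     :", summarize(scopedPolicy));
console.log("full-access:", summarize(fullAccessLike));
```

Running it prints the scoped policy document and two summaries: the scoped statement allows `UpdateItem` and `PutItem` on `mytable` only, while the `dynamodb:*` statement also allows `DeleteItem` and writes to every other table, which is exactly the accident the last answer warns about. The principal printed from the message (`assumed-role/SageMakerExecutionRole/...`) is also the role the policy has to be attached to; for a Beanstalk app that is the instance profile role, not the IAM user whose keys live in `~/.aws/credentials` on the developer machine.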