Grant AWS Lambda Access to a Dynamodb Table
Borislav Hadzhiev
Last updated: Jul 24, 2022
Photo from Unsplash
Grant AWS Lambda Access to a Dynamodb Table #
In order to grant a Lambda function access to a Dynamodb table, we have to
attach an IAM policy to the function's execution role. The policy should grant
permissions for all the Actions the function needs to perform on the table.
For example, the following policy grants permissions for the most commonly used dynamodb actions on a specific table.
YOUR_* placeholders in the Resource element with the real values.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:YOUR_REGION:YOUR_ACCOUNT_NUMBER:table/YOUR_TABLE" } ] }
The Resource element is simply the table's ARN. It should look something like:
arn:aws:dynamodb:us-east-1:123456789:table/my-table once the real values are
in place.
The actions your lambda function needs to perform on the table are use case dependent.
"dynamodb:*" for the Action element in the policy to grant full dynamodb access to the lambda function. However, it's a best practice to grant an entity the least permissions that get the job done.You can view a full list of the dynamodb Actions by visiting
the docs.
There is a Description column that explains what each action does.
To attach a policy to the lambda function's execution role, you have to:
- Open the AWS Lambda console and click on your function's name
- Click on the
Configurationtab and then clickPermissions
- Click on the function's role
- Click on
Add Permissions, thenCreate inline policy.
- In the
JSONeditor paste the following policy.
YOUR_* placeholders and adjust the Actions your lambda function needs to execute.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchWriteItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem" ], "Resource": "arn:aws:dynamodb:YOUR_REGION:YOUR_ACCOUNT_NUMBER:table/YOUR_TABLE" } ] }
- Click
Review Policyand give your policy a name, then clickCreate policy
At this point the lambda function's role has been extended with a policy that grants access to some Dynamodb actions on a specific table.
Invoke your lambda function and verify whether it has access to the dynamodb table.
If your function is still unable to access the dynamodb table, try to increase
the function's timeout by a second in the AWS console, or simply add an extra
print statement in the code and click the Deploy button.
If your lambda function still doesn't have access to the table, expand the IAM policy you added to the function's role and edit it to look like the policy below.
YOUR_* placeholders with real values.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:*" ], "Resource": "arn:aws:dynamodb:YOUR_REGION:YOUR_ACCOUNT_NUMBER:table/YOUR_TABLE" } ] }
The IAM policy above grants full access to a dynamodb table. Your lambda function will be able to execute all dynamodb actions on the table.
* symbol is useful when debugging.After you've updated the policy, try to invoke your lambda function again. It should now have permissions to execute any action on the dynamodb table.
You can make the IAM policy less permissive after you verify which actions your lambda needs to run.
Deny effect will always override any Allow statements.Further Reading #
- How to Grant AWS Lambda Access to an S3 Bucket
- Grant AWS Lambda Access to SSM Parameter Store
- Grant AWS Lambda Access to Secrets Manager
- Grant AWS Lambda Access to an SNS Topic
- Grant AWS Lambda Access to an SQS Queue
- Grant a Lambda Function access to CloudWatch Logs
- AWS CDK Tutorial for Beginners - Step-by-Step Guide
- How to use Parameters in AWS CDK
