amazon-web-services - 客户端错误: An error occurred (AccessDeniedException)

Question

当我尝试将 put_item() 放入 DynamoDB 时，AWS Lambda 函数中出现此错误。

c_table.put_item(Item={"id": result['conn_id'], "username": payload.get("username"), "created": datetime.utcnow().isoformat() })

WSConnectionTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: my_table_name
    AttributeDefinitions:
      - AttributeName: id
        AttributeType: S
    KeySchema:
      - AttributeName: id
        KeyType: HASH
    BillingMode: PAY_PER_REQUEST
    StreamSpecification:
      StreamViewType: NEW_AND_OLD_IMAGES

ConnectFunction:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: !Sub ${AWS::StackName}-ConnectFunction
    Description: !Sub
      - Stack ${StackTagName} Environment ${EnvironmentTagName} Function ${ResourceName}
      - ResourceName: ConnectFunction
    CodeUri: sources
    Handler: handlers.connection
    Runtime: python3.7
    MemorySize: 3008
    Timeout: 30
    Tracing: Active
    Policies:
      - AWSXRayDaemonWriteAccess
      - DynamoDBCrudPolicy:
          TableName: !Ref WSConnectionTable
    Environment:
      Variables:
        TABLE_NAME: !Ref WSConnectionTable
        TABLE_ARN: !GetAtt WSConnectionTable.Arn

一切正常，希望在 WS 连接之后，我想将连接 ID 保存到数据库，并且对 put_item() 的调用失败并出现以下错误:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::74xxxxxxx:assumed-role/websocket-dev-ConnectFunctionRole-1PCCYG1DTLQYW/websocket-dev-ConnectFunction is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:74xxxxxxx:table/my_table_name_dev

如果有任何有关如何解决此问题的线索，我将不胜感激

Answer 1

您的 DdB 表名为 my_table_name:

WSConnectionTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: my_table_name

并且您的策略仅允许访问此表:

      - DynamoDBCrudPolicy:
          TableName: !Ref WSConnectionTable

但是，错误消息表明您正在尝试访问不同的表(称为 my_table_name_dev)，并且访问被拒绝