我正在尝试使用新的 DynamoDB BatchResolvers 写入 AppSync 解析器中的两个 DynamoDB 表(当前使用 Lambda 函数来执行此操作)。但是,在查看 CloudWatch 日志时,我收到以下权限错误:
“User: arn:aws:sts::111111111111:assumed-role/appsync-datasource-ddb-xxxxxx-TABLE-ONE/APPSYNC_ASSUME_ROLE is not authorized to perform: dynamodb:BatchWriteItem on resource: arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException;
我在用着TABLE-ONE
作为我的解析器中的数据源。
我添加了"dynamodb:BatchWriteItem"
and "dynamodb:BatchGetItem"
to TABLE-ONE
的许可:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-ONE",
"arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-ONE/*",
"arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO",
"arn:aws:dynamodb:us-east-1:111111111111:table/TABLE-TWO/*"
]
}
]
}
I have another resolver that uses the BatchGetItem
operation and was getting null values in my response - changing the table’s policy access level fixed the null values:
但是,选中该框BatchWriteItem
将权限添加到数据源表的策略似乎并不能解决问题。
我还在 AppSync 中测试了我的解析器测试功能,评估的请求和响应按预期工作。
我还可以在哪里设置两个表之间的 BatchWriteItem 操作的权限?看起来它正在调用用户的assumed-role
而不是表的角色 - 我可以“强制”它使用表的角色吗?