Michael Robellard
01/14/2022, 12:37 AM
consumers: {
  dynamodbstream: {
    srcPath: "services/dynamodbstream/",
    handler: "stream.handler",
    environment: {
      SEARCH_ENDPOINT: opensearch_domain.domainEndpoint,
    },
    permissions: [new iam.PolicyStatement({
      actions: ["es:*"],
      resources: [opensearch_domain.domainArn],
    })]
  }
}
And I can confirm in the AWS Console that the Permissions are set for the Lambda Role.
Is there something else that needs permission because of the Local Environment?
After some further attempts, I have discovered that if I change the METHOD from post to put I get a different error message. I am not sure why post is causing the error message in question, but now I am getting:
User: arn:aws:sts::309833148800:assumed-role/mike-local-chartflow-dyna-ChartflowDatadynamodbstr-P6L43N5FZMK/mike-local-chartflow-dyna-ChartflowDatadynamodbstr-dpL0R4lmGyGK is not authorized to perform: es:ESHttpPut
Getting closer, but any help would be appreciated.
Changing the resources to ["*"] allowed it to work, but clearly not a best practice. Any ideas would be appreciated.
Derek Kershner
01/14/2022, 5:08 PM
Derek Kershner
01/14/2022, 5:09 PM
Frank
Frank
Michael Robellard
01/16/2022, 10:04 PM
Michael Robellard
01/16/2022, 10:04 PM
Uncharted
01/23/2022, 12:29 PM
table.addConsumers(this, {
  Consumer_0: {
    function: insertToESFn,
    consumerProps: {
      startingPosition: StartingPosition.LATEST,
    },
    permissions: [
      new iam.PolicyStatement({
        actions: ['dynamodb:*'],
        effect: iam.Effect.ALLOW,
        resources: ['*'],
      }),
      new iam.PolicyStatement({
        actions: ['es:*'],
        effect: iam.Effect.ALLOW,
        resources: ['*'],
      }),
    ],
  },
});

const domain = new opensearch.Domain(this, 'Domain', {
  version: opensearch.EngineVersion.OPENSEARCH_1_0,
  domainName: `mydomain`,
  capacity: {
    dataNodes: 1,
    dataNodeInstanceType: 't3.small.search',
  },
  ebs: {
    volumeSize: 10,
  },
  useUnsignedBasicAuth: true,
  fineGrainedAccessControl: {
    masterUserName: 'xxxx',
    masterUserPassword: new SecretValue('xxxxxxxxxxxxxxxxx'),
  },
  removalPolicy: cdk.RemovalPolicy.DESTROY,
});
Could you share how you create your OpenSearch and give permission to your Lambda with CDK / SST?