# help
p
👋 , I'm trying to build an API out with SST. The endpoint does a PUT on DynamoDB. It works locally, but when I deploy and call the production endpoint from Postman, I get the following error:
AccessDeniedException: User: arn:aws:sts::784381721788:assumed-role/prod-hulacorn-api-ApiLambdaPUTvotesidServiceRoleA3-GZY178NMJ59Y/prod-hulacorn-api-ApiLambdaPUTvotesid95CB421A-bePQRQW1c2iD is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-1:784381721788:table/Podge-hulacorn-Problems
I'm not using any authentication setup (Cognito). I'm using, as per the guide:
this.api.attachPermissions([table]);
anyone got any ideas what might cause this discrepancy?
o
You probably need to give your lambda the permissions to write to dynamo. it works locally probably because your local AWS user has those permissions
new Function(this, 'myFunc', {
      handler: `blah.handler`,
      // SST expects each [construct, grantMethod] pair as its own nested array
      permissions: [[dynamodbTable, 'grantReadWriteData']],
    });
d
o
Oh interesting, I always assign to the function (least privilege etc)
d
I agree, but he's following a guide by the sounds of it
o
Maybe that permission only gets applied to functions created inline by the Api definition? But not one where the definition is outside?
d
I dunno, try this @Padraig :
this.api.attachPermissions([[table, "grantReadWriteData"]]);
f
@Padraig which version of SST r u using? If you can share your package.json.
p
I found my issue and sorta resolved it. The policy attached to the lambda had this for dynamodb permissions
I manually deleted the policy and created a new one with the correct table name
still figuring out how to fix this using SST
d
that second to last dynamoDB permission should cover UpdateItem
tableName, nevermind
o
Can you post your stack code
p
code for APIStack
import * as sst from "@serverless-stack/resources";
import { CorsHttpMethod } from "@aws-cdk/aws-apigatewayv2"; 

export default class ApiStack extends sst.Stack {
  // Public reference to the API
  api;

  constructor(scope, id, props) {
    super(scope, id, props);

    const { table } = props;

    // Create the API
    this.api = new sst.Api(this, "Api", {
      customDomain: scope.stage === "prod" ? "api.votes.hulacorn.com" : undefined,
      defaultAuthorizationType: sst.ApiAuthorizationType.NONE,
      defaultFunctionProps: {
        environment: {
          TABLE_NAME: table.tableName,
        },
      },
      cors: {
        allowHeaders: ['*'],
        allowOrigins: ['*'],
        allowMethods: [CorsHttpMethod.PUT, CorsHttpMethod.GET, CorsHttpMethod.POST, CorsHttpMethod.PATCH, CorsHttpMethod.DELETE, CorsHttpMethod.OPTIONS],
      },
      routes: {
        "PUT    /votes/{id}": "src/vote.update",
      },
    });
    
    this.api.attachPermissions([table]);

    // Show the API endpoint in the output
    this.addOutputs({
      ApiEndpoint: this.api.customDomainUrl || this.api.url,
    });
  }
}
code for index
import ApiStack from "./ApiStack";
import FrontendStack from "./FrontendStack";
import StorageStack from "./StorageStack";


export default function main(app) {
  
  // Set default runtime for all functions
  const storageStack = new StorageStack(app, "storage");

  app.setDefaultFunctionProps({
    runtime: "nodejs12.x"
  });

  // new MyStack(app, "my-stack");

  const apiStack = new ApiStack(app, "api", {
    table: storageStack.table,
  });
  // Add more stacks
  new FrontendStack(app, "frontend", {
    bucket: storageStack.bucket,
    api: apiStack.api,
  });
}
@Frank
{
  "name": "hulacorn",
  "version": "0.1.0",
  "private": true,
  "scripts": {
    "test": "sst test",
    "start": "sst start",
    "build": "sst build",
    "deploy": "sst deploy",
    "remove": "sst remove"
  },
  "eslintConfig": {
    "extends": [
      "serverless-stack"
    ]
  },
  "devDependencies": {
    "@aws-cdk/assert": "1.138.0"
  },
  "dependencies": {
    "@aws-cdk/core": "1.138.0",
    "@serverless-stack/cli": "0.57.2",
    "@serverless-stack/resources": "0.57.2",
    "aws-amplify": "^4.3.12",
    "winston": "^3.4.0",
    "winston-cloudwatch": "^3.1.1"
  }
}
@Derek Kershner thanks for the tip but it did not work 😞
f
@Padraig can you run sst build and share the template.json file inside .build/cdk.out?
p
one moment
is that the file you were looking for @Frank?
d
looks right, @Padraig, and I don't see anything wrong myself
f
Yeah, looks right. If sst start works, it should work for sst deploy b/c they use the same IAM role.
as a sanity check, can you go into ur CloudFormation console > select the Podge-hulacorn-storage stack > look up ExportsOutputFnGetAttProblemsTableE6664882Arn5B6AF7A2 under the Outputs tab.
p
will do, I have been destroying and building stack all evening after upgrading to the latest versions of packages
just kicked off one
still the same behaviour
j
@Padraig just circling back here. Are you still running into this issue?
p
Hey jay
Thanks for coming back to me
I moved on by creating a new project
No issues with the new project
j
Oh interesting. Let us know if you run into it again.
p
Will do
gonna be deploying my first app with SST in the next week, I will be writing about my experience
maybe I could talk to someone about getting it on your newsletter?
j
Yup, just message me about it and I’ll put it in your newsletter. The next one will go out in March but I’ll tweet it out before that.