AmazonServiceException: User is not authorized to perform: dynamodb:DescribeTable Status Code: 400; Error Code: AccessDeniedException
Worked with an Amazon engineer and it turns out the problem was in the policy configuration:
"dynamodb: *"
should be
"dynamodb:*"
It's amazing what a space can do.
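An added example, not part of the original answer or of any AWS tooling: a small local check that would have flagged the stray space before the policy was saved. The function name `lint_actions` and the regular expression are assumptions made for this sketch; it is a syntactic check only, not AWS's own policy validator.

```python
import json
import re

# Assumed shape of a well-formed action: a service prefix, a colon, then an
# action name that may contain the * and ? wildcards; a bare "*" is also accepted.
ACTION_RE = re.compile(r"^(?:\*|[A-Za-z0-9-]+:[A-Za-z0-9*?]+)$")

def lint_actions(policy_text):
    """Return (sid, element, raw_action, suggestion) for each malformed action string."""
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        for element in ("Action", "NotAction"):
            actions = stmt.get(element, [])
            if isinstance(actions, str):   # a single action may be a bare string
                actions = [actions]
            for raw in actions:
                if ACTION_RE.match(raw):
                    continue
                # Offer a fix only when removing whitespace yields a valid action.
                stripped = re.sub(r"\s+", "", raw)
                suggestion = stripped if ACTION_RE.match(stripped) else None
                findings.append((sid, element, raw, suggestion))
    return findings

# The role policy from the question, including the stray space.
QUESTION_POLICY = """
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "CognitoPolicy", "Effect": "Allow",
      "Action": [ "mobileanalytics:PutEvents", "cognito-sync:*" ],
      "Resource": [ "*" ] },
    { "Sid": "DynamoDBPolicy", "Effect": "Allow",
      "Action": [ "dynamodb: *" ],
      "Resource": "*" } ] }
"""

if __name__ == "__main__":
    for sid, element, raw, suggestion in lint_actions(QUESTION_POLICY):
        print(f"{sid}: {element} {raw!r} is malformed; did you mean {suggestion!r}?")
```

Because the malformed entry never matches `dynamodb:DescribeTable`, nothing in the policy allows the call and the request is denied by default, which is why the error looks like a missing permission rather than a syntax problem.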
Comments
-
Kurt Wagner almost 4 years
I had originally thought that this issue was due to mismatching regions, but after changing the region, I'm still coming across the following error when trying out an Amazon AWS sample found here:
AmazonServiceException: User: arn:aws:sts::[My Account ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: BBFTS0Q8UHTMG120IORC2KSASVVV4KQNSO5AEMVJF66Q9ASUAAJG)
Everything is more or less the same, the only things I've changed have been changing the DBclient region to US_EAST_1, where my test table is hosted and modifying the Constants file using the info from the 'Amazon Cognito Starter Code' page that is generated through following the Cognito get started documentation.
For my Cognito_AndroidAppUnauth_DefaultRole role policy I modified the default mobile analytics and sync service permission to also include access of all actions on all tables, existing or not:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "CognitoPolicy",
          "Action": [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "DynamoDBPolicy",
          "Effect": "Allow",
          "Action": [
            "dynamodb: *"
          ],
          "Resource": "*"
        }
      ]
    }
So why is it claiming that it doesn't have permission when the correct region is used and the Unauth policy should allow for table access?
EDIT: Stacktrace when calling a method on the DynamoDB resource (create table), should it prove useful
    com.amazonaws.AmazonServiceException: User: arn:aws:sts::[My Account ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: SDELNSMLO10EV7CM2STC1R9RU3VV4KQNSO5AEMVJF66Q9ASUAAJG)
        at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(Unknown Source)
        at com.amazonaws.http.AmazonHttpClient.executeHelper(Unknown Source)
        at com.amazonaws.http.AmazonHttpClient.execute(Unknown Source)
        at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke(Unknown Source)
        at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.createTable(Unknown Source)
        at com.amazonaws.demo.userpreferencesom.DynamoDBManager.createTable(DynamoDBManager.java:72)
        at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:99)
        at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:85)
        at android.os.AsyncTask$2.call(AsyncTask.java:288)
        at java.util.concurrent.FutureTask.run(FutureTask.java:237)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
        at java.lang.Thread.run(Thread.java:841)
-
Steffen Opel almost 10 years
Cool, was just about to post that - great that AWS support is highly available too :)
-
Kurt Wagner almost 10 years
Yeah, GitHub issues are much better than the AWS forums, at least for working with sample resources provided by Amazon. They probably wouldn't help if it was some other crazy code of your own design since it wouldn't be relevant to the sample projects. XP
-
Anas Azeem over 9 years
@KurtWagner: Where is the policy configuration located?
-
Kurt Wagner over 9 years
@AnasAzeem Should be in the IAM console. docs.aws.amazon.com/IAM/latest/UserGuide/ManagingPolicies.html