
I'm having a problem accessing a new DynamoDB table via a successfully authenticated Cognito user.

I get the following AccessDeniedException when attempting a scan of the table (using the AWS JavaScript SDK):

Unable to scan. Error: { "message": "User: arn:aws:sts::MY-ACCOUNT-NUM:assumed-role/Cognito_VODStreamTestAuth_Role/CognitoIdentityCredentials is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:MY-ACCOUNT-NUM:table/VideoCatalog", "code": "AccessDeniedException", "time": "2019-01-27T02:25:27.686Z", "requestId": "blahblah", "statusCode": 400, "retryable": false, "retryDelay": 18.559011800834146 } 

The authenticated Cognito user policy has been extended with the following DynamoDB section:

{
    "Sid": "AllowedCatalogActions",
    "Effect": "Allow",
    "Action": [
        "dynamodb:BatchGetItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
    ],
    "Resource": [
        "arn:aws:dynamodb:us-east-2:MY-ACCOUNT-NUM:table/VideoCatalog"
    ]
}

Shouldn't this be sufficient to give my authenticated Cognito users access to any DynamoDB table I might create, as long as I specify the table resource as I do above? Or do I also need to add "Fine-grained access control" under the table's 'Access control' tab?

I can say that I created the VideoCatalog DynamoDB table under my non-root Administrator IAM role (represented above by MY-ACCOUNT-NUM). Is that a problem? (Prior to trying to move to a DynamoDB table I was using a JSON file on S3 as the video catalog.)

IAM confused!

1 Answer

Looking at the error message from AWS and the policy document that you provided, I can see that there are two different regions here.

AWS is saying that your user does not have access to aws:dynamodb:us-east-1:MY-ACCOUNT-NUM:table/VideoCatalog, whereas your policy document is providing access to aws:dynamodb:us-east-2:MY-ACCOUNT-NUM:table/VideoCatalog.

Are you perhaps provisioning your resources in two different regions by mistake?


2 Comments

Not by mistake, per se... but thanks for noticing that! That table is definitely in the us-east-2 region whereas the Cognito user pool is in us-east-1. Seeing as I'm not specifying the region when I attempt to programmatically (using the AWS JavaScript SDK) scan the VideoCatalog table, it must be assuming it's in the same region. There is no reason why I can't put the DynamoDB table in the same region as my Cognito User Pool, so I will do that and report back!
You are precisely right. It's so easy to miss the us-east-1 vs. -2 but now I know to think region problems first! Thanks!!
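As an added example (mine, not code from the question or answer), here is a small JavaScript check that pulls the denied action and resource ARN out of the AccessDeniedException message and compares that ARN field by field with each Resource ARN in the policy statement, so a region mismatch like the one above is reported directly instead of being eyeballed. It assumes the SDK message format quoted in the question and compares ARN fields exactly (a bare `*` field counts as a wildcard; partial wildcards such as `table/*` are not expanded).

```javascript
// Added example, not from the original thread. ARN grammar per AWS docs:
//   arn:partition:service:region:account-id:resource
const ARN_FIELDS = ["partition", "service", "region", "account", "resource"];

function parseArn(arn) {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") throw new Error(`not an ARN: ${arn}`);
  const [, partition, service, region, account, ...rest] = parts;
  return { partition, service, region, account, resource: rest.join(":") };
}

// Extract "<action> on resource: <arn>" from the SDK's AccessDeniedException text.
function parseAccessDenied(message) {
  const m = /is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  if (!m) throw new Error("unrecognised AccessDeniedException message");
  return { action: m[1], resource: m[2] };
}

// Compare the denied request with one Allow statement. For each Resource ARN,
// list the fields that differ from the denied ARN (exact match; a field that is
// just "*" is treated as a wildcard, partial wildcards are not expanded).
// actionAllowed true + empty mismatches means this statement should have matched,
// so look elsewhere (Condition keys, an explicit Deny, the wrong role).
function explainDenial(message, statement) {
  const denied = parseAccessDenied(message);
  const actions = [].concat(statement.Action);
  const actionAllowed = actions.some((a) => a === denied.action || a === "dynamodb:*" || a === "*");
  const want = parseArn(denied.resource);
  const perResource = [].concat(statement.Resource).map((r) => {
    const have = parseArn(r);
    const mismatches = ARN_FIELDS.filter((f) => have[f] !== "*" && have[f] !== want[f]);
    return { resource: r, mismatches };
  });
  return { action: denied.action, actionAllowed, perResource };
}

// Constructed sample input, copied from the message and policy quoted in the question.
const ERROR_MESSAGE =
  "User: arn:aws:sts::MY-ACCOUNT-NUM:assumed-role/Cognito_VODStreamTestAuth_Role/CognitoIdentityCredentials " +
  "is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:MY-ACCOUNT-NUM:table/VideoCatalog";
const STATEMENT = {
  Sid: "AllowedCatalogActions", Effect: "Allow",
  Action: ["dynamodb:BatchGetItem", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "dynamodb:UpdateItem"],
  Resource: ["arn:aws:dynamodb:us-east-2:MY-ACCOUNT-NUM:table/VideoCatalog"],
};
// Same statement with the region corrected to where the request actually went.
const FIXED_STATEMENT = { ...STATEMENT, Resource: ["arn:aws:dynamodb:us-east-1:MY-ACCOUNT-NUM:table/VideoCatalog"] };
const REPORT = explainDenial(ERROR_MESSAGE, STATEMENT); // perResource[0].mismatches -> ["region"]
```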
