Deploy the APIs - Access Denied Error


#1

Hi,

I’ve gotten to this step and I’m trying to figure out where my IAM has gone south.

To recap:

  • I can locally execute all the API calls with no problems
  • They deploy fine to /dev

But when I run npx I get:

Authenticating with User Pool
Getting temporary credentials
Making API request
{ status: 500,
  statusText: 'Internal Server Error',
  data: { status: false } }

  • I verified that the account created in the User Pool has access
  • In CloudWatch logs I see

AccessDeniedException: User: arn:aws:sts::[trimmed user id]:assumed-role/notes-app-api-dev-us-west-2-lambdaRole/notes-app-api-dev-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-west-2:[trimmed user id]:table/notes

I have a hunch it is a role issue but I believe the authenticated role noted in the Federated Identity Pool has the correct permissions per the article.

Am I missing something obvious?

Thanks
Chris


#2

Self - solved… the serverless.yml was malformed (the iamRoleStatements block was not indented enough and was ignored by the deploy statement)… wish it complained about that!
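A pre-deploy check for the failure described in this thread, as an added example that is not part of the original posts or the tutorial's code: it reports where iamRoleStatements sits in serverless.yml and flags it when it is not a child of provider. The function names and both sample files are assumptions constructed from the names visible in the log above.

```python
import re

KEY_RE = re.compile(r"^( *)([A-Za-z_][\w.-]*)\s*:(?:\s|$)")

def key_parents(yaml_text, wanted):
    """Return the dotted parent path for each occurrence of key `wanted`.

    Indentation tracker for block-style mappings only; not a YAML parser.
    """
    stack, found = [], []          # stack holds (indent, key) of open mappings
    for line in yaml_text.splitlines():
        m = KEY_RE.match(line)
        if not m:                  # blank lines, comments, "- item" lines
            continue
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()            # close mappings at the same or deeper level
        if key == wanted:
            found.append(".".join(k for _, k in stack))
        stack.append((indent, key))
    return found

def check_iam_statements(yaml_text):
    """Empty list means iamRoleStatements sits directly under provider."""
    parents = key_parents(yaml_text, "iamRoleStatements")
    if not parents:
        return ["iamRoleStatements not found"]
    return ["iamRoleStatements is under %r, expected 'provider'" % (p or "<top level>")
            for p in parents if p != "provider"]

# Constructed samples modelled on the thread (not the poster's actual file).
FIXED = """\
service: notes-app-api
provider:
  name: aws
  region: us-west-2
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:PutItem
      Resource: "arn:aws:dynamodb:us-west-2:*:table/notes"
functions:
  create:
    handler: create.main
"""
# Same file with the key line shifted left two columns: still valid YAML,
# but the key is now a sibling of provider instead of a child.
BROKEN = FIXED.replace("  iamRoleStatements:", "iamRoleStatements:")

if __name__ == "__main__":
    for name, text in (("FIXED", FIXED), ("BROKEN", BROKEN)):
        print(name, check_iam_statements(text) or "ok")
```

Run in CI before the deploy step, a non-empty result catches the misplaced block before the lambdaRole is created without the dynamodb:PutItem grant.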


#3

Yeah sadly it doesn’t do that. We try to add little pointers in the various spots in the tutorial to help people catch it but it can be tricky.


#4

Thanks for the reply, yeah, I felt silly when I finally figured it out!