简体繁体 English

调用Scan操作时如何解决（AccessDeniedException）：User: arn:aws:sts... is not authorized to perform: dynamodb:Scan on resource.."？

[英]How to solve (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts... is not authorized to perform: dynamodb:Scan on resource.."?

原文 2019-04-03 14:18:12 7 2 python/ amazon-web-services/ amazon-dynamodb/ amazon-iam

I am trying to deploy an Instagram-like application to AWS using Elastic Beanstalk and Flask. After using eb deploy command, I am able to access the application main page, which does not requires access to DynamoDB tables.我正在尝试使用 Elastic Beanstalk 和 Flask 将类似 Instagram 的应用程序部署到 AWS。使用eb deploy命令后，我能够访问应用程序主页，不需要访问 DynamoDB 表。 When I try to login, the application should access a DynamoDB table to retrieve data, such as number of likes in pictures, however it shows an当我尝试登录时，应用程序应该访问 DynamoDB 表来检索数据，例如图片中的点赞数，但是它显示了

500 Internal Server Error 500内部服务器错误

And my eb logs returns this error.我的eb 日志返回此错误。

ClientError: An error occurred (AccessDeniedException) when calling the >Scan operation: User: arn:aws:sts::013051511429:assumed-role/aws->elasticbeanstalk-ec2-role/i-049593eb550052c8f is not authorized to >perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east->1:013051511429:table/cloudgram ClientError：调用 >Scan 操作时发生错误（AccessDeniedException）：用户：arn:aws:sts::013051511429:assumed-role/aws->elasticbeanstalk-ec2-role/i-049593eb550052c8f 无权 >perform: dynamodb ：扫描资源：arn:aws:dynamodb:us-east->1:013051511429:table/cloudgram

I think this is happening because of an IAM misconfiguration, it says that the user corresponding to my EC2 Instance (i-04959..) is not authorized to perfom a Scan on my DynamoDB table.我认为发生这种情况是因为IAM配置错误，它表示对应于我的 EC2 实例 (i-04959..) 的用户无权在我的 DynamoDB 表上执行扫描。

I have tried following this: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html我尝试过以下操作： https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html

These are the policies I have attached to my aws-elasticbeanstalk-ec2-role:这些是我附加到我的 aws-elasticbeanstalk-ec2-role 的策略：

AmazonRDSFullAccess AmazonRDSFullAccess
AmazonS3FullAccess AmazonS3 完全访问
AWSLambdaDynamoDBExecutionRole AWSLambdaDynamoDBExecutionRole
AWSElasticBeanstalkWebTier AWSElasticBeanstalkWebTier
AWSElasticBeanstalkMulticontainerDocker AWSElasticBeanstalk 多容器 Docker
AWSElasticBeanstalkWorkerTier AWSElasticBeanstalkWorkerTier

I'm using: Python 2.7 Flask 1.0.2我正在使用：Python 2.7 Flask 1.0.2

2 个解决方案

The policy you have supplied, AWSLambdaDynamoDBExecutionRole , is for DynamoDB streams. 您提供的策略AWSLambdaDynamoDBExecutionRole是针对DynamoDB流的。 It doesn't allow access to tables. 它不允许访问表。

One way to solve this is to add the AmazonDynamoDBFullAccess policy though a better way would be to create an IAM Policy that permits only those actions required and only those resources (the DynamoDB tables) that you need. 解决此问题的一种方法是添加AmazonDynamoDBFullAccess策略，尽管更好的方法是创建一个IAM策略，该策略仅允许所需的那些操作和仅所需的那些资源（DynamoDB表）。 Here is an example of doing that. 这是一个这样做的例子。

I had the same issue with an extended cause.我有一个扩展的原因同样的问题。 For people having the same, I want to mention my solution .对于有相同情况的人，我想提一下我的解决方案。

It was because of permission boundaries.这是因为权限边界。

我有同样的问题：elasticbeanstalk-ec2-role 无法在 dynamodb 上执行扫描，我向角色添加了完整访问策略，甚至运行了策略模拟器并进行了检查，但是我的应用程序仍然存在相同的问题