amplify-hosting
Amplify SSR Lambda@Edge dynamodb permissions
Please describe which feature you have a question about? SSR (next.js) with Amplify and Dynamodb
Provide additional details
I am deploying a Next.js app to Amplify with the amplify-cli. I've connected my amplify app to a couple of existing DynamoDB tables. I've managed to modify the attached amplify app's Service role, adding in the AmazonDynamoDBFullAccess permission policy (I'll restrict it down later). This seems to work with no complaints on direct hits to backend routes that use the dynamodb.
However, the deployed SSR lambdas are still getting permission errors coming up in the logs for the "SSR Lambda@Edge".
arn:aws:sts::999999999:assumed-role/rgsuvm9-psuzoeg/us-east-1.ggvvff-abc123 is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:eu-west-2:6666666666:table/MyTable
I noticed these roles that have been automatically created with generated names for AWS Service: Lambda trusted entities, which have policies attached allowing access to logs and S3 only.
Here is an example of one of the attached permission policies for these generated roles (this is before I have manually edited it to add dynamodb access permission):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::z0kq2lk-i0l0usx/*",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ]
            }
        ]
    }
Manually selecting one of these and adding dynamodb read/write permissions fixes the problem, and the SSR edge lambda seems to have the correct permissions to connect to the dynamodb - great, but this isn't a nice way to do it.
My question is: How to change the permissions of the SSR Lambda? It's not a feasible or a good solution for me to manually add these permissions to this role that's clearly generated.
It seems odd to me that it doesn't use the service role that's assigned in the amplify app's general settings. Could that be a problem with amplify - or have I misconfigured the service role? (My service role uses the AdministratorAccess-Amplify and AmazonDynamoDBFullAccess policies, so to my mind there's no point pasting these in.)
Kind Thanks in Advance, Colin
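The denial quoted above ("not authorized to perform: dynamodb:Scan on resource: .../table/MyTable") can be reproduced offline against the generated role's policy, and the fix checked before anything is attached in the console. The script below is an added example for this issue, not Amplify's code: it evaluates the posted policy document with a simplified IAM matcher, flags statements wider than a single-table read path needs (the AmazonDynamoDBFullAccess-style `dynamodb:*` on `*` in particular), and builds a read-only statement scoped to the table ARN from the log line. The full-access statement is a constructed approximation of the managed policy; the matcher ignores Conditions, NotAction, SCPs and resource policies, so its "allowed" is necessary but not sufficient in a real account.

```python
"""Offline least-privilege review of a Lambda execution-role policy.

Added example for this issue (not Amplify code). Reproduces the Lambda@Edge
dynamodb:Scan denial against the posted role policy and shows a table-scoped
read statement as the alternative to AmazonDynamoDBFullAccess.
"""
from fnmatch import fnmatchcase

# Policy attached to the auto-generated SSR Lambda@Edge role, as quoted in the issue.
GENERATED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::z0kq2lk-i0l0usx/*",
         "Action": ["s3:GetObject", "s3:PutObject"]},
    ],
}

# Table ARN taken from the AccessDenied message in the issue.
TABLE_ARN = "arn:aws:dynamodb:eu-west-2:6666666666:table/MyTable"

# Constructed approximation of what a *FullAccess managed policy grants for DynamoDB.
FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# Read-only actions a getServerSideProps/getStaticProps page typically needs.
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan"]


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.

    IAM wildcards (* and ?) are matched case-sensitively with fnmatchcase. Conditions,
    NotAction/NotResource, SCPs and resource-based policies are ignored.
    """
    decision = False
    for stmt in policy["Statement"]:
        action_match = any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        resource_match = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if not (action_match and resource_match):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def review(policy):
    """Return findings for Allow statements wider than a single-table read path needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        for a in actions:
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a}")
        # logs:* on '*' is tolerated: the log group name is not known before the first invoke.
        # Any other service on Resource '*' is a finding.
        if "*" in resources and not all(a.startswith("logs:") for a in actions):
            findings.append(f"statement {i}: Resource '*' for {actions}")
    return findings


def scoped_read_policy(table_arn):
    """Least-privilege policy for reading one table (and its indexes) from the SSR function."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": READ_ACTIONS,
             "Resource": [table_arn, f"{table_arn}/index/*"]},
        ],
    }


if __name__ == "__main__":
    scan = "dynamodb:Scan"
    print("generated role allows Scan:", allows(GENERATED_ROLE_POLICY, scan, TABLE_ARN))
    print("full access allows Scan:", allows(FULL_ACCESS_LIKE, scan, TABLE_ARN), review(FULL_ACCESS_LIKE))
    fixed = scoped_read_policy(TABLE_ARN)
    print("scoped policy allows Scan:", allows(fixed, scan, TABLE_ARN), review(fixed))
    print("scoped policy allows DeleteTable:", allows(fixed, "dynamodb:DeleteTable", TABLE_ARN))
```

Running it shows the generated role denying `dynamodb:Scan` exactly as the log does, the full-access statement allowing it but tripping both findings, and the scoped statement allowing reads on `MyTable` and its indexes while still denying `DeleteTable` and any other table. Whatever mechanism ends up attaching the policy to the generated role, `scoped_read_policy(TABLE_ARN)` is the document worth attaching rather than the managed full-access one.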
I have a similar issue, where I want to read data from DynamoDB during server side rendering or incremental static site generation (within get[ServerSide/Static]Props() running at lambda@edge). For now I created a user, associated to the role/policy for read only access to the corresponding dynamodb table, and use the credentials for api access hardcoded into my get[ServerSide/Static]Props() methods to authorize and fetch the data (worst case possible). Ideally, I would either apply a role to the lambda function, or get the credentials via environment variables. In the latter case, there is the same question of how to set up env vars for the lambda function automatically on each rebuild (same with the role).
@colin-riddell As far as I understand it, the service role only enables amplify to deploy the necessary resources. So it would allow amplify to deploy the lambda functions, but would not manage/be the policies of that lambda function after it is deployed. I think the same goes for the build process, where you might want to fetch data from other aws resources.
I read somewhere (but I can't find it anymore) that if you configure your next.js project as an amplify app via the amplify CLI (which is not necessary to use amplify hosting), you can set up env vars and roles which at least would apply during the build process. Maybe there is a way to set roles for lambda like this as well.
