DAX: "Client does not have permission to invoke BatchGetItem" even though IAM roles are set to full access


I have some DynamoDB tables, and a DAX cluster sitting above this to cache queries and results. It works great except for when I use BatchGetItem.

[ERROR] DaxServiceError: An error occurred (Unknown) when calling the BatchGetItem operation: Client does not have permission to invoke BatchGetItem

I have granted both Lambda and the Cluster an IAM role with a wildcard, i.e.:

dynamodb:*

dax:*

Previously I tried setting these to the specific permission:

dax:BatchGetItem

But neither makes a difference.

Googling returns ZERO results for "Client does not have permission to invoke BatchGetItem"

https://www.google.com/search?q=%22Client+does+not+have+permission+to+invoke+BatchGetItem%22&rlz=1C1YTUH_en-GBGB1008GB1008&oq=%22Client+does+not+have+permission+to+invoke+BatchGetItem%22&aqs=chrome..69i57.2944j0j7&sourceid=chrome&ie=UTF-8

In general there seems to be very little around about DAX. I haven't seen anything yet to imply this feature is not supported by AWS. In fact, if there is a permission for it, then it must be implemented in some capacity.

I'm quite stumped and would be very grateful to anyone who has any ideas.

[EDIT] Here is the IAM definition:

DynamoDAXCacheClusterIamRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Statement:
            - Action:
              - sts:AssumeRole
              Effect: Allow
              Principal:
                Service:
                - dax.amazonaws.com
          Version: '2012-10-17'
        RoleName: ${file(env.yml):${opt:stage}.DAX_CLUSTER_ROLE}
        Policies:
          -
            PolicyName: ${file(env.yml):${opt:stage}.DAX_POLICY_NAME}-dax
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Resource: '*'
                  Action:
                    - 'dax:*'

          -
            PolicyName: ${file(env.yml):${opt:stage}.DAX_POLICY_NAME}-dynamo
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Resource: '*'
                  Action:
                    - 'dynamodb:*'
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

I know it's probably too open, but this is just whilst I work out the issue.

[EDIT2] Here is the policy that the Lambdas have:

    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - dynamodb:BatchGetItem
      Resource: "arn:aws:dynamodb:us-east-1:*:*"
    - Effect: Allow
      Action:
        - sqs:SendMessage
        - sqs:PurgeQueue
        - sqs:ListQueues
      Resource: "arn:aws:sqs:us-east-1:*:*"
    - Effect: "Allow"
      Action:
        - "execute-api:Invoke"
      Resource: ["arn:aws:execute-api:*:*:**/@connections/*"]
    - Effect: "Allow"
      Resource: "arn:aws:sns:us-east-1:*:*"
      Action:
        - "sns:*"
    - Effect: Allow
      Resource: "arn:aws:ses:us-east-1:*:*/*"
      Action:
        - SES:SendEmail
        - SES:SendRawEmail
        - SES:SendTemplatedEmail
        - SES:SendBulkTemplatedEmail
        - SES:UpdateEmailTemplate
        - SES:UpdateTemplate
    - Effect: Allow
      Resource: "arn:aws:dax:us-east-1:*:*/*"
      Action:
        - 'dax:*'
There is 1 answer below


I am a complete duff.

There were two stacks sharing the same DAX, and one was missing the permission.
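The root cause in the answer (a second stack sharing the DAX cluster without the DAX permission) is the kind of gap that is easy to catch by evaluating every role's identity policy for the DAX actions a BatchGetItem call needs. The following is an added example, not code from the question or answer: the role names, the second stack's policy and the cluster ARN are constructed, and the evaluator handles only Allow/Deny statements with `*`/`?` wildcards (no conditions, resource policies or SCPs).

```python
import fnmatch

# Constructed sample: stack A carries the dax:* statement shown in the question,
# stack B grants DynamoDB actions only, which is the situation the answer describes.
STACK_POLICIES = {
    "stack-a-lambda-role": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:*:*"},
        {"Effect": "Allow", "Action": ["dax:*"],
         "Resource": "arn:aws:dax:us-east-1:*:*/*"},
    ],
    "stack-b-lambda-role": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:*:*"},
    ],
}

# Constructed cluster ARN; DAX cluster ARNs have the form region:account:cache/<name>.
CLUSTER_ARN = "arn:aws:dax:us-east-1:123456789012:cache/example-cluster"


def _matches(pattern, value):
    # IAM action/resource matching is case-insensitive and supports '*' and '?'.
    # fnmatch also accepts '[...]' classes, which IAM does not; ARNs never contain them.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(statements, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins,
    otherwise at least one matching Allow is required."""
    allowed = False
    for st in statements:
        hit = any(_matches(a, action) for a in _as_list(st.get("Action", []))) and \
              any(_matches(r, resource) for r in _as_list(st.get("Resource", [])))
        if not hit:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_dax_permissions(policies, cluster_arn,
                            actions=("dax:GetItem", "dax:BatchGetItem")):
    """Map each role sharing the cluster to the DAX actions it cannot invoke on it."""
    return {role: [a for a in actions if not is_allowed(st, a, cluster_arn)]
            for role, st in policies.items()}


if __name__ == "__main__":
    for role, gaps in missing_dax_permissions(STACK_POLICIES, CLUSTER_ARN).items():
        print(role, "missing:", gaps or "nothing")
```

Feeding this the real policy documents of every role that connects to the cluster (for example from `aws iam get-role-policy`) reports the stack that would hit the "Client does not have permission" error before it is deployed.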