I have some DynamoDB tables, and a DAX cluster sitting above them to cache queries and results. It works great except for when I use BatchGetItem.
[ERROR] DaxServiceError: An error occurred (Unknown) when calling the BatchGetItem operation: Client does not have permission to invoke BatchGetItem
I have granted both Lambda and the cluster an IAM role with a wildcard, i.e.:
dynamodb:*
dax:*
Previously I tried setting these to the specific permission:
dax:BatchGetItem
But neither makes a difference.
Googling returns ZERO results for "Client does not have permission to invoke BatchGetItem"
In general there seems to be very little around about DAX. I haven't seen anything yet to imply this feature is not supported by AWS. In fact, if there is a permission for it, then it must be implemented in some capacity.
I'm quite stumped and would be ever grateful to anyone who has any ideas.
[EDIT] Here is the IAM definition:
# Role assumed by the DAX service (dax.amazonaws.com) for the cache cluster
DynamoDAXCacheClusterIamRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - dax.amazonaws.com
      Version: '2012-10-17'
    RoleName: ${file(env.yml):${opt:stage}.DAX_CLUSTER_ROLE}
    Policies:
      -
        PolicyName: ${file(env.yml):${opt:stage}.DAX_POLICY_NAME}-dax
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Resource: '*'
              Action:
                - 'dax:*'
      -
        PolicyName: ${file(env.yml):${opt:stage}.DAX_POLICY_NAME}-dynamo
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Resource: '*'
              Action:
                - 'dynamodb:*'
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
I know it's probably too open, but this is just whilst I work out the issue.
[EDIT2] Here is the policy that the Lambdas have:
# DynamoDB access for the functions (table-level actions)
- Effect: Allow
  Action:
    - dynamodb:DescribeTable
    - dynamodb:Query
    - dynamodb:Scan
    - dynamodb:GetItem
    - dynamodb:PutItem
    - dynamodb:UpdateItem
    - dynamodb:DeleteItem
    - dynamodb:BatchGetItem
  Resource: "arn:aws:dynamodb:us-east-1:*:*"
- Effect: Allow
  Action:
    - sqs:SendMessage
    - sqs:PurgeQueue
    - sqs:ListQueues
  Resource: "arn:aws:sqs:us-east-1:*:*"
- Effect: "Allow"
  Action:
    - "execute-api:Invoke"
  Resource: ["arn:aws:execute-api:*:*:**/@connections/*"]
- Effect: "Allow"
  Resource: "arn:aws:sns:us-east-1:*:*"
  Action:
    - "sns:*"
- Effect: Allow
  Resource: "arn:aws:ses:us-east-1:*:*/*"
  Action:
    - SES:SendEmail
    - SES:SendRawEmail
    - SES:SendTemplatedEmail
    - SES:SendBulkTemplatedEmail
    - SES:UpdateEmailTemplate
    - SES:UpdateTemplate
# DAX access: the cluster is addressed with dax:* actions, not dynamodb:* ones
- Effect: Allow
  Resource: "arn:aws:dax:us-east-1:*:*/*"
  Action:
    - 'dax:*'
I am a complete duff.
There were two stacks sharing the same DAX, and one was missing the permission.
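The resolution above is that one of two stacks calling the same DAX cluster lacked the dax:* grant. The following is an added example, not code from the question or the answer: a small offline checker that runs the identity policy of each caller against dax:BatchGetItem on the cluster ARN, so a missing grant on one stack shows up before the cluster returns "Client does not have permission to invoke BatchGetItem". The account ID, cluster name and the "stack_b" policy are constructed for the example; "stack_a" mirrors the Lambda policy posted in EDIT2. The evaluation is deliberately simplified (explicit Deny wins, then Allow, otherwise implicit deny; no NotAction/NotResource, Condition, SCP or resource-policy handling).

```python
"""Offline check of which callers' IAM statements permit dax:BatchGetItem.

Demonstrates two things from the thread: DAX calls are authorised with dax:*
actions (a dynamodb:BatchGetItem grant does not cover them), and every stack
that shares a cluster needs its own grant.
"""
import re
from typing import Dict, Iterable, List, Mapping, Union

# Constructed values for this example (not from the original post).
CLUSTER_ARN = "arn:aws:dax:us-east-1:123456789012:cache/example-cluster"

Statement = Mapping[str, Union[str, List[str]]]

# stack_a mirrors the posted Lambda policy; stack_b is the hypothetical second
# stack that only carried DynamoDB permissions.
STACK_POLICIES: Dict[str, List[Statement]] = {
    "stack_a": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:*:*"},
        {"Effect": "Allow",
         "Action": ["dax:*"],
         "Resource": "arn:aws:dax:us-east-1:*:*/*"},
    ],
    "stack_b": [
        {"Effect": "Allow",
         "Action": ["dynamodb:*"],
         "Resource": "arn:aws:dynamodb:us-east-1:*:*"},
    ],
}


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    """IAM allows a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_re(pattern: str) -> "re.Pattern[str]":
    """Translate IAM wildcards ('*' any run, '?' one char) to an anchored regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def statement_matches(stmt: Statement, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource both cover the request.

    Action matching is case-insensitive (as in IAM); ARN matching is exact
    apart from wildcards.
    """
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    action_ok = any(_wildcard_re(a.lower()).match(action.lower()) for a in actions)
    resource_ok = any(_wildcard_re(r).match(resource) for r in resources)
    return action_ok and resource_ok


def evaluate(statements: Iterable[Statement], action: str, resource: str) -> str:
    """Simplified identity-policy decision: explicitDeny > allowed > implicitDeny."""
    decision = "implicitDeny"
    for stmt in statements:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicitDeny"
        if stmt.get("Effect") == "Allow":
            decision = "allowed"
    return decision


def audit_dax_callers(policies: Mapping[str, List[Statement]],
                      action: str = "dax:BatchGetItem",
                      resource: str = CLUSTER_ARN) -> Dict[str, str]:
    """Decision per caller for one DAX action against the cluster ARN."""
    return {name: evaluate(stmts, action, resource) for name, stmts in policies.items()}


if __name__ == "__main__":
    for caller, decision in audit_dax_callers(STACK_POLICIES).items():
        print(f"{caller}: dax:BatchGetItem -> {decision}")
```

Against a live account the authoritative equivalent is the IAM policy simulator, e.g. `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names dax:BatchGetItem --resource-arns <cluster-arn>`, run once per role that talks to the cluster; the offline checker is only there to make the "one stack was missing it" failure mode visible without AWS credentials.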