Read AWS IAM permission errors carefully – they tell you everything you need to know (Twitter to Mastodon bot migration)

Migrating my @kevinhookebot Twitter bot to Mastodon, I made some updates to how the Lambda queries a source DynamoDB table for new messages to be posted and ran into this error:

"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:sts::account-id:assumed-role/lambda-kevinhookebot-role/kevinhooketwitterbot-v2-dev-sendTweet is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/tweetdate-createdate-index because no identity-based policy allows the dynamodb:Query action"

The IAM role I’m reusing does have dynamodb:Query, but only on these resources:

"Resource": [
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets",
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/Index",
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbotreplies"
]

This covers only the table itself, the primary index called Index, and another table, tweetbotreplies.

Notice this part of the message:

is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/tweetdate-createdate-index

The issue is that this role does not include Query on a new index I added, called tweetdate-createdate-index. To resolve this, add that index's ARN to the Resource list, and the error goes away.
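To make the mismatch concrete, here is an added example (not code from the original post) that pulls the action and resource ARN out of the AccessDeniedException message and checks them against a Resource list using IAM's "*" and "?" wildcard matching. It uses the ARNs quoted above, with "account-id" kept as the placeholder the post uses.

```javascript
// Constructed from the error message quoted in the post ("account-id" is a placeholder).
const errorMessage =
  "User: arn:aws:sts::account-id:assumed-role/lambda-kevinhookebot-role/" +
  "kevinhooketwitterbot-v2-dev-sendTweet is not authorized to perform: " +
  "dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:account-id:" +
  "table/tweetbottweets/index/tweetdate-createdate-index because no " +
  "identity-based policy allows the dynamodb:Query action";

// Extract "<action> on resource: <arn>" from an IAM access-denied message.
function parseAccessDenied(msg) {
  const m = /not authorized to perform: (\S+) on resource: (\S+)/.exec(msg);
  if (!m) throw new Error("not an IAM access-denied message");
  return { action: m[1], resource: m[2] };
}

// Turn an IAM Resource pattern into a RegExp: "*" matches any run of
// characters (slashes included), "?" matches exactly one; the rest is literal.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$");
}

// True if any entry in the Resource list covers the requested ARN.
function resourceAllowed(resources, arn) {
  return resources.some((p) => patternToRegExp(p).test(arn));
}

// The role's original Resource list, as shown in the post.
const originalResources = [
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets",
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/Index",
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbotreplies",
];

// The fix: name the new index explicitly (least privilege). A pattern such as
// ".../table/tweetbottweets/index/*" would instead cover every index on the table.
const fixedResources = originalResources.concat(
  "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/tweetdate-createdate-index"
);

const denied = parseAccessDenied(errorMessage);
console.log(denied.action, denied.resource);
console.log("original policy allows:", resourceAllowed(originalResources, denied.resource)); // false
console.log("fixed policy allows:", resourceAllowed(fixedResources, denied.resource));       // true
```

Real IAM evaluation also weighs explicit Deny statements, Condition blocks and resource-based policies; this check only covers the Resource match that the error message points at.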

Moving my Twitterbot @kevinhookebot to Mastodon @kevinhookebot@botsin.space

I mentioned a few days back that I’ve started looking at migrating some of my Twitter bot projects over to Mastodon, specifically to the botsin.space Mastodon server. Over the past few years I’ve deployed a number of bots that have been running continually ever since without any updates. My motivation for moving away from patronizing Twitter since the buyout is that it’s not a place I want to hang out anymore, but I also have some tech updates I need to take care of for these bots. A few of them I deployed 5 years ago, and the AWS Lambda runtimes they were deployed with are now long past their support and have long been deprecated.

The main Lambda for @kevinhookebot was deployed originally in 2017 but updated at some point at least once in 2018:

The Lambda that watches for replies to a Tweet and replies automatically has, I think, not been updated since it was first deployed, and has been running on the Node6 runtime since 2017:

Both of these need to be redeployed with a later, supported runtime and moved to the Serverless framework to help automate the deploys. It’s also odd that, given I share most of my hobby projects on GitHub, neither of these was committed to a repo anywhere, so the first step was to commit the original source to GitHub and then start making my updates.

First Steps

Before completely retiring the Twitter accounts, I’m going to update most of these to either cross-post to Twitter and Mastodon, or fork a Mastodon version and keep both running for a while, then eventually I’ll close the accounts on Twitter later.

For first steps, updating @kevinhookebot means adding integration with Mastodon’s APIs to post a status update. I’ve got some learning to do with the APIs and the authentication approach, but so far, using the mastodon-api npm module, posting a status update is as simple as:

// mastodon-api npm module, plus a config file holding the bot's access token
let Mastodon = require('mastodon-api');
let config = require('./config/config-mastodon.json');

exports.postMastodon = (item) => {

    // client bound to the botsin.space instance, authenticated with the bot's access token
    const M = new Mastodon({
        access_token: config['access-token'],
        api_url: 'https://botsin.space/api/v1/',
    });

    // POST /api/v1/statuses creates the toot; return the promise so a Lambda
    // handler can await it instead of exiting before the request completes
    return M.post('statuses', {
        "status" : item.tweettext
    })
        .then((resp) => console.log(resp.data))
        .catch((err) => console.error(err));

}

I still have things to work out, like how to query replies to a Toot, which I’ll need to support some of my other interactive bots, but so far so good.