Migrating my @kevinhookebot Twitter bot to Mastodon, I made some updates to how the Lambda queries a source DynamoDB table for new messages to be posted and ran into this error:
"errorType": "AccessDeniedException", "errorMessage": "User: arn:aws:sts::account-id:assumed-role/lambda-kevinhookebot-role/kevinhooketwitterbot-v2-dev-sendTweet is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/tweetdate-createdate-index because no identity-based policy allows the dynamodb:Query action"
The IAM role I’m reusing does have dynamodb:Query, but only on these resources:
"Resource": [
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets",
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/Index",
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbotreplies"
]
This only covers the table itself, the primary index called Index, and another table, tweetbotreplies.
Notice this part of the message:
is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/tweetdate-createdate-index
The issue is that this role does not grant Query on the new index I added, tweetdate-createdate-index. DynamoDB indexes are separate resources with their own ARNs (table-arn/index/index-name), so a grant on the table does not extend to its indexes. Adding the index ARN to the Resource list resolved the problem.
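To make the failure and the fix concrete, here is an added example (not code from the original post) that evaluates a simplified identity-based policy the way IAM does for Action and Resource wildcards, using the ARNs from the post with its "account-id" placeholder. It checks the index ARN from the error against the original Resource list and against the list with the new index added; the `table/tweetbottweets/index/*` pattern shown at the end is an assumption about a broader alternative, not something the post used.

```python
import fnmatch

# Resource list from the role as originally configured (ARNs from the post;
# "account-id" is the post's placeholder, not a real account number).
ORIGINAL_RESOURCES = [
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets",
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/Index",
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbotreplies",
]

# The index ARN named in the AccessDeniedException.
NEW_INDEX_ARN = (
    "arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/tweetdate-createdate-index"
)

# The fix described in the post: add the new index's ARN to the Resource list.
FIXED_RESOURCES = ORIGINAL_RESOURCES + [NEW_INDEX_ARN]


def make_policy(resources):
    """Build a minimal identity-based policy allowing dynamodb:Query on `resources`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["dynamodb:Query"], "Resource": resources}],
    }


def _wildcard_match(pattern, value, case_sensitive=True):
    # IAM treats '*' and '?' as wildcards in Action and Resource strings.
    # Action names are case-insensitive; resource ARNs are compared case-sensitively.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def action_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if not any(_wildcard_match(a, action, case_sensitive=False) for a in actions):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides every Allow
        allowed = True
    return allowed


if __name__ == "__main__":
    print("original:", action_allowed(make_policy(ORIGINAL_RESOURCES), "dynamodb:Query", NEW_INDEX_ARN))
    print("fixed:   ", action_allowed(make_policy(FIXED_RESOURCES), "dynamodb:Query", NEW_INDEX_ARN))
```

Listing the specific index ARN, as the post does, keeps the grant to the one index the Lambda queries; a pattern such as `arn:aws:dynamodb:us-west-1:account-id:table/tweetbottweets/index/*` would also satisfy the check but grants Query on every current and future index of that table.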