AccessDenied when testing API

I’m having this AccessDenied issue related to trying to test the API.

I have followed all of the steps to debug this and as far as I can tell there are no issues with my YAML file, and I have followed all the other steps of the tutorial with no other issues.

Here is the YAML file I have now:

# NOTE: update this with your service name
service: notes-app-api

# Use the serverless-webpack plugin to transpile ES6
plugins:
  - serverless-webpack
  - serverless-offline

# serverless-webpack configuration
# Enable auto-packing of external modules
custom:
  webpack:
    webpackConfig: ./webpack.config.js
    includeModules: true

provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: us-east-1
  # To load environment variables externally
  # rename env.example to env.yml and uncomment
  # the following line. Also, make sure to not
  # commit your env.yml.
  #
  #environment: ${file(env.yml):${self:provider.stage}}

functions:
  # Defines an HTTP API endpoint that calls the main function in create.js
  # - path: url path is /notes
  # - method: POST request
  # - cors: enabled CORS (Cross-Origin Resource Sharing) for browser cross
  #     domain api call
  # - authorizer: authenticate using the AWS IAM role
  create:
    handler: create.main
    events:
      - http:
          path: notes
          method: post
          cors: true
          authorizer: aws_iam

  get:
    # Defines an HTTP API endpoint that calls the main function in get.js
    # - path: url path is /notes/{id}
    # - method: GET request
    handler: get.main
    events:
      - http:
          path: notes/{id}
          method: get
          cors: true
          authorizer: aws_iam

  list:
    # Defines an HTTP API endpoint that calls the main function in list.js
    # - path: url path is /notes
    # - method: GET request
    handler: list.main
    events:
      - http:
          path: notes
          method: get
          cors: true
          authorizer: aws_iam

  update:
    # Defines an HTTP API endpoint that calls the main function in update.js
    # - path: url path is /notes/{id}
    # - method: PUT request
    handler: update.main
    events:
      - http:
          path: notes/{id}
          method: put
          cors: true
          authorizer: aws_iam

  delete:
    # Defines an HTTP API endpoint that calls the main function in delete.js
    # - path: url path is /notes/{id}
    # - method: DELETE request
    handler: delete.main
    events:
      - http:
          path: notes/{id}
          method: delete
          cors: true
          authorizer: aws_iam

I have deployed the API endpoints with the command serverless deploy --aws-profile ***

I see the files in Lambda as well as the endpoints in API Gateway.

In CloudWatch I see this log…

{ AccessDeniedException: User: arn:aws:sts::805584004321:assumed-role/notes-app-api-dev-us-east-1-lambdaRole/notes-app-api-dev-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:805584004321:table/notes
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:48:27)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: 'User: arn:aws:sts::805584004321:assumed-role/notes-app-api-dev-us-east-1-lambdaRole/notes-app-api-dev-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:805584004321:table/notes',
code: 'AccessDeniedException',
time: 2018-05-29T14:41:59.192Z,
requestId: '7BNH5VUR6OQRT4QBOAN5MK6EVJVV4KQNSO5AEMVJF66Q9ASUAAJG',
statusCode: 400,
retryable: false,
retryDelay: 38.72307729695298 }

The YAML file I see being referenced does not look like the one that was generated when I started the tutorial (only a couple of days ago); it has a bunch of other stuff, so I’m a bit confused about that too.

It depends on which step of the tutorial you are on currently. The master branch of the repo - https://github.com/AnomalyInnovations/serverless-stack-demo-api is when you have completed the tutorial.

But judging from your serverless.yml there is an iamRoleStatements section that is missing - https://github.com/AnomalyInnovations/serverless-stack-demo-api/blob/master/serverless.yml#L38.

That is probably what is causing the error.
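
An added example, not part of the original posts and not copied from the linked repo: a `provider` block with an `iamRoleStatements` section that grants the Lambda execution role access to the table named in the CloudWatch error. Only `dynamodb:PutItem` and the table ARN come from the log; the other actions are assumptions about what the remaining handlers call.

```yaml
provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: us-east-1
  # Statements added to the execution role the framework creates for the
  # functions (notes-app-api-dev-us-east-1-lambdaRole in the log above).
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:PutItem      # create (the action denied in the log)
        - dynamodb:GetItem      # get    (assumed)
        - dynamodb:Query        # list   (assumed)
        - dynamodb:UpdateItem   # update (assumed)
        - dynamodb:DeleteItem   # delete (assumed)
      # Scoped to the single table from the error message instead of a
      # wildcard, so the role cannot touch other tables in the account.
      Resource: "arn:aws:dynamodb:us-east-1:805584004321:table/notes"
```

The role is rebuilt on the next `serverless deploy`, so the change takes effect only after redeploying.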

Yes, I missed that paste during that step, so I had all the functions but didn’t have the iamRoleStatements section.


@jayair I am having a similar access denied issue but mine seems to be occurring when I deploy my backend with: serverless deploy.

After entering the command into the terminal it all seems to work until I get a description of the services deployed in AWS.

I get a list of functions deployed to Lambda as expected for create, get, list, etc. notes, but I get None for endpoints deployed on my API Gateway with the CloudFormation template.

After some investigation I look on the terminal and one of the serverless build process outputs is: Serverless: Uploading CloudFormation file to S3.

I look in my S3 and I see that bucket has been created and I drill down into the file structure created:
notes-serverlessdeplopymentbuck-123dcvbgrd2/serverless/notes/prod/<some time stamp> and I find a file called: compiled-cloudformation-template.json which has a link to an XML file that says that there was an Access Denied Error.

I have my serverless.xml file with the correct attributes as mentioned above. What can I do to investigate this further in order to determine why my Lambda functions are being deployed to AWS but not my API Gateway? Why are my endpoints not being created?

Thanks.

@jayair Just FYI: I solved this by fixing the http: indentation in the serverless.yml file. I came across a doc you published discussing the indentation problem. Thanks!


Glad you figured it out.
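
An added example, not part of the original posts: the `http:` indentation problem mentioned above, shown as two constructed YAML documents. The poster did not say exactly how their file was indented, so the first document is an assumption showing one common form of the mistake.

```yaml
# Mis-indented (constructed): path, method, cors and authorizer sit at the
# same level as "http", so YAML parses the event as
#   {http: null, path: notes, method: post, cors: true, authorizer: aws_iam}
# and the http event itself carries no settings.
functions:
  create:
    handler: create.main
    events:
      - http:
        path: notes
        method: post
        cors: true
        authorizer: aws_iam
---
# Correct: the settings are nested one level below "http", so the event is
#   {http: {path: notes, method: post, cors: true, authorizer: aws_iam}}
# and the authorizer is attached to the endpoint.
functions:
  create:
    handler: create.main
    events:
      - http:
          path: notes
          method: post
          cors: true
          authorizer: aws_iam
```

Both documents are valid YAML, which is why a syntax check alone does not catch the first one; compare the parsed structure of each event instead.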