Deploy the APIs - Access Denied Error


I’ve gotten to this step and I’m trying to figure out where my IAM has gone south.

To recap:

  • I can locally execute all the API calls with no problems
  • They deploy fine to /dev

But when I run npx I get:

Authenticating with User Pool
Getting temporary credentials
Making API request
{ status: 500,
  statusText: 'Internal Server Error',
  data: { status: false } }

  • I verified that the account created in the User Pool has access
  • In CloudWatch logs I see:

AccessDeniedException: User: arn:aws:sts::[trimmed user id]:assumed-role/notes-app-api-dev-us-west-2-lambdaRole/notes-app-api-dev-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-west-2:[trimmed user id]:table/notes

I have a hunch it is a role issue but I believe the authenticated role noted in the Federated Identity Pool has the correct permissions per the article.

Am I missing something obvious?


Self-solved… the serverless.yml was malformed (the iamRoleStatements block was not indented enough and was ignored by the deploy statement)… wish it complained about that!

Yeah sadly it doesn’t do that. We try to add little pointers in the various spots in the tutorial to help people catch it but it can be tricky.

Thanks for the reply, yeah, I felt silly when I finally figured it out!
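
A pre-deploy check for the failure described in this thread, as an added example that is not part of the original posts or the tutorial: it reports where iamRoleStatements sits in serverless.yml and whether the action named in the AccessDeniedException is listed under provider. The scanner is a minimal indentation reader, not a full YAML parser; the function names and the sample config (with the block placed at column 0 as one way it can be under-indented) are constructed for illustration.

```javascript
// Added example, not Serverless Framework code. Tracks open mapping keys by
// column so the parent path of every "key:" line and list item is known.
function scan(yamlText) {
  const stack = [];                          // open keys: { col, key }
  const found = { paths: [], actions: [] };
  for (const raw of yamlText.split('\n')) {
    const line = raw.replace(/(^|\s)#.*$/, '');   // drop comments
    if (!line.trim()) continue;
    const col = line.search(/\S/);
    while (stack.length && stack[stack.length - 1].col >= col) stack.pop();
    const parent = stack.map(s => s.key).join('.');
    const key = /^\s*(?:-\s+)?([A-Za-z_]\w*):(?:\s|$)/.exec(line);
    if (key) {
      if (key[1] === 'iamRoleStatements') found.paths.push(parent || '(top level)');
      stack.push({ col: line.indexOf(key[1]), key: key[1] });
      continue;
    }
    // List items such as "- dynamodb:PutItem" count only inside the provider block.
    const item = /^\s*-\s+["']?([a-z0-9-]+:[A-Za-z*]+)["']?\s*$/.exec(line);
    if (item && parent.startsWith('provider.iamRoleStatements')) found.actions.push(item[1]);
  }
  return found;
}

// Compares the denied action from the log line with what the config declares.
// Only placement and action names are checked, not Effect or Resource.
function diagnose(yamlText, logLine) {
  const m = /not authorized to perform: (\S+)/.exec(logLine);
  const action = m ? m[1] : null;
  const { paths, actions } = scan(yamlText);
  const wildcard = action ? action.split(':')[0] + ':*' : null;
  return {
    action,
    placement: !paths.length ? 'missing' : paths.every(p => p === 'provider') ? 'ok' : 'misplaced',
    listed: !!action && (actions.includes(action) || actions.includes(wildcard)),
  };
}

// Log line as quoted in the thread; the config below is constructed sample input.
const LOG = 'AccessDeniedException: User: arn:aws:sts::[trimmed user id]:assumed-role/notes-app-api-dev-us-west-2-lambdaRole/notes-app-api-dev-create is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-west-2:[trimmed user id]:table/notes';
const BLOCK = ['iamRoleStatements:', '  - Effect: Allow', '    Action:',
               '      - dynamodb:PutItem', '    Resource: "arn:aws:dynamodb:us-west-2:*:*"'];
const sample = pad =>
  ['provider:', '  name: aws', '  region: us-west-2', ...BLOCK.map(l => pad + l)].join('\n');

console.log(diagnose(sample('  '), LOG));   // block nested under provider
console.log(diagnose(sample(''), LOG));     // block at column 0
```

Run against the real file's text before `serverless deploy`; a `placement` other than `ok` means the Lambda role will be created without those statements.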