
I'm trying to get this lambda function to read the database whenever a new object is inserted. The function was set up by following these steps, and I gave it access to the necessary operations in the command line.

However, on CloudWatch it still returns a 401 error. This is the function:

const axios = require('axios');
const gql = require('graphql-tag');
const graphql = require('graphql');
const { print } = graphql;

const getFriendRequest = gql`
  query GetFriendRequest($sender: ID!, $receiver: ID!) {
    getFriendRequest(sender: $sender, receiver: $receiver) {
      sender
      receiver
      createdAt
      updatedAt
    }
  }
`

exports.handler = async (event, context) => {
  //eslint-disable-line

  const record = event.Records[0];
  console.log(record);

  if (record.eventName == "INSERT") {
    try {
      console.log('in the axios phase');
      const graphqlData = await axios({
        url: process.env.API_FITNESSPROJECT_GRAPHQLAPIENDPOINTOUTPUT,
        method: 'post',
        headers: {
          'x-api-key': process.env.API_FITNESSPROJECT_GRAPHQLAPIIDOUTPUT
        },
        data: {
          query: print(getFriendRequest),
          variables: {
            sender: JSON.stringify(record.dynamodb.NewImage.receiver.S),
            receiver: JSON.stringify(record.dynamodb.NewImage.sender.S),
          }
        }
      })
      const body = {
        graphqlData: graphqlData.data.data.getFriendRequest
      }
      console.log(graphqlData.data.data.getFriendRequest);
      return {
        statusCode: 200,
        body: JSON.stringify(body),
        headers: {
          "Access-Control-Allow-Origin": "*",
        }
      }
    } catch (err) {
      console.log('error posting to appsync: ', err);
    }

    //read the friendrequest table to see if an opposing friend request appears
    //if so, read the friendship table to see if a friendship between these two users appears
    //if not, make a friendship
    //if so, increment the friendship's hifives.
  }

  return Promise.resolve('Successfully processed DynamoDB record');
};

I'm trying to read the table whenever someone inserts a new object into the table, but it returns a 401 error.

Edit: Here are the permission policies.

  1. amplify-lambda-execution-policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "appsync:Create*",
                "appsync:StartSchemaCreation",
                "appsync:GraphQL",
                "appsync:Get*",
                "appsync:List*",
                "appsync:Update*",
                "appsync:Delete*"
            ],
            "Resource": [
                "arn:aws:appsync:us-west-2:213277979580:apis/rmzuppsajfhzlfgjehczargowa/*"
            ],
            "Effect": "Allow"
        }
    ]
}
  2. amplify-lambda-execution-policy-FriendRequest
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:213277979580:table/FriendRequest-rmzuppsajfhzlfgjehczargowa-apisecure/stream/2020-12-11T07:48:02.462",
            "Effect": "Allow"
        }
    ]
}
  3. amplify-lambda-execution-policy-Friendship
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:us-west-2:213277979580:table/Friendship-rmzuppsajfhzlfgjehczargowa-apisecure/stream/2020-12-11T07:48:02.535",
            "Effect": "Allow"
        }
    ]
}
  4. lambda-execution-policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:us-west-2:213277979580:log-group:/aws/lambda/connectFriendRequests-apisecure:log-stream:*",
            "Effect": "Allow"
        }
    ]
}

Edit 2: I've attempted to remove the function and remake it again with identical permissions, but I'm still getting the 401 error.

  • Hey Sean. Welcome to Stack Overflow. Can you please check in the IAM console the role of your Lambda and check if it really has the required permissions on the DynamoDB table? Commented Dec 14, 2020 at 13:57
  • Thanks. It has multiple permissions policies. I'm assuming the relevant one is the one that says "appsync:Create*, appsync:Get*", etc. It seems to have the get and list operations. I'll edit the post to include these policies. Commented Dec 14, 2020 at 21:47

1 Answer

Found the solution. I had to enable IAM authorization on the API in addition to the default Cognito authorization. For people using Amplify, run an "amplify update api" in the command line to add IAM authorization. Then go into your schema and include IAM permissions on your table like in this doc.

I learned you needed to add explicit authorization for the lambda function from here.
