Allow Lambda to read/write our DynamoDB table #
Let’s give our Lambda’s execution role permissions to read/write from our table.
Go back to hitcounter.go and add the following highlighted lines:
package hitcounter
import (
"github.com/aws/aws-cdk-go/awscdk/v2/awsdynamodb"
"github.com/aws/aws-cdk-go/awscdk/v2/awslambda"
"github.com/aws/constructs-go/constructs/v10"
"github.com/aws/jsii-runtime-go"
)
type HitCounterProps struct {
Downstream awslambda.IFunction
}
type hitCounter struct {
constructs.Construct
handler awslambda.IFunction
}
type HitCounter interface {
constructs.Construct
Handler() awslambda.IFunction
}
func NewHitCounter(scope constructs.Construct, id string, props *HitCounterProps) HitCounter {
this := constructs.NewConstruct(scope, &id)
table := awsdynamodb.NewTable(this, jsii.String("Hits"), &awsdynamodb.TableProps{
PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("path"), Type: awsdynamodb.AttributeType_STRING},
})
handler := awslambda.NewFunction(this, jsii.String("HitCounterHandler"), &awslambda.FunctionProps{
Runtime: awslambda.Runtime_NODEJS_16_X(),
Handler: jsii.String("hitcounter.handler"),
Code: awslambda.Code_FromAsset(jsii.String("lambda"), nil),
Environment: &map[string]*string{
"DOWNSTREAM_FUNCTION_NAME": props.Downstream.FunctionName(),
"HITS_TABLE_NAME": table.TableName(),
},
})
table.GrantReadWriteData(handler)
return &hitCounter{this, handler}
}
func (h *hitCounter) Handler() awslambda.IFunction {
return h.handler
}Deploy #
Save & deploy:
cdk deploy
Test again #
Okay, deployment is complete. Let’s run our test again (either use curl or
your web browser):
curl -i https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/prod/
Again?
HTTP/2 502 Bad Gateway
...
{"message": "Internal server error"}
😢 #
Still getting this pesky 5xx error! Let’s look at our CloudWatch logs again (click “Refresh”):
{
"errorMessage": "User: arn:aws:sts::585695036304:assumed-role/CdkWorkshopStack-HelloHitCounterHitCounterHandlerS-TU5M09L1UBID/CdkWorkshopStack-HelloHitCounterHitCounterHandlerD-144HVUNEWRWEO is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:585695036304:function:CdkWorkshopStack-HelloHandler2E4FBA4D-149MVAO4969O7",
"errorType": "AccessDeniedException",
"stackTrace": [
"Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:48:27)",
"Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:52:8)",
"Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)",
"Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)",
"Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)",
"Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
"AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
"/var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
"Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
"Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)"
]
}
Another access denied, but this time, if you take a close look:
User: <VERY-LONG-STRING> is not authorized to perform: lambda:InvokeFunction on resource: <VERY-LONG-STRING>"
So it seems like our hit counter actually managed to write to the database. We can confirm by going to the DynamoDB Console:
But, we must also give our hit counter permissions to invoke the downstream lambda function.
Grant invoke permissions #
Add the highlighted lines to hitcounter.go:
package hitcounter
import (
"github.com/aws/aws-cdk-go/awscdk/v2/awsdynamodb"
"github.com/aws/aws-cdk-go/awscdk/v2/awslambda"
"github.com/aws/constructs-go/constructs/v10"
"github.com/aws/jsii-runtime-go"
)
type HitCounterProps struct {
Downstream awslambda.IFunction
}
type hitCounter struct {
constructs.Construct
handler awslambda.IFunction
}
type HitCounter interface {
constructs.Construct
Handler() awslambda.IFunction
}
func NewHitCounter(scope constructs.Construct, id string, props *HitCounterProps) HitCounter {
this := constructs.NewConstruct(scope, &id)
table := awsdynamodb.NewTable(this, jsii.String("Hits"), &awsdynamodb.TableProps{
PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("path"), Type: awsdynamodb.AttributeType_STRING},
})
handler := awslambda.NewFunction(this, jsii.String("HitCounterHandler"), &awslambda.FunctionProps{
Runtime: awslambda.Runtime_NODEJS_16_X(),
Handler: jsii.String("hitcounter.handler"),
Code: awslambda.Code_FromAsset(jsii.String("lambda"), nil),
Environment: &map[string]*string{
"DOWNSTREAM_FUNCTION_NAME": props.Downstream.FunctionName(),
"HITS_TABLE_NAME": table.TableName(),
},
})
table.GrantReadWriteData(handler)
props.Downstream.GrantInvoke(handler)
return &hitCounter{this, handler}
}
func (h *hitCounter) Handler() awslambda.IFunction {
return h.handler
}Diff #
You can check what this did using cdk diff:
cdk diff
The Resource section should look something like this, which shows the IAM statement was added to the role:
Resources
[~] AWS::IAM::Policy HelloHitCounter/HitCounterHandler/ServiceRole/DefaultPolicy HelloHitCounterHitCounterHandlerServiceRoleDefaultPolicy1487A60A
└─ [~] PolicyDocument
└─ [~] .Statement:
└─ @@ -19,5 +19,15 @@
[ ] "Arn"
[ ] ]
[ ] }
[+] },
[+] {
[+] "Action": "lambda:InvokeFunction",
[+] "Effect": "Allow",
[+] "Resource": {
[+] "Fn::GetAtt": [
[+] "HelloHandler2E4FBA4D",
[+] "Arn"
[+] ]
[+] }
[ ] }
[ ] ]
Which is exactly what we wanted.
Deploy #
Okay… let’s give this another shot:
cdk deploy
Then hit your endpoint with curl or with your web browser:
curl -i https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/prod/
Output should look like this:
HTTP/2 200 OK
...
Hello, CDK! You've hit /
If you still get 5xx, give it a few seconds and try again. Sometimes API Gateway takes a little bit to “flip” the endpoint to use the new deployment.