+++ title = "Granting permissions" weight = 600 +++ ## Allow Lambda to read/write our DynamoDB table Let's give our Lambda's execution role permissions to read/write from our table. Go back to `hitcounter.go` and add the following highlighted lines: {{}} package hitcounter import ( "github.com/aws/aws-cdk-go/awscdk/v2/awsdynamodb" "github.com/aws/aws-cdk-go/awscdk/v2/awslambda" "github.com/aws/constructs-go/constructs/v10" "github.com/aws/jsii-runtime-go" ) type HitCounterProps struct { Downstream awslambda.IFunction } type hitCounter struct { constructs.Construct handler awslambda.IFunction } type HitCounter interface { constructs.Construct Handler() awslambda.IFunction } func NewHitCounter(scope constructs.Construct, id string, props *HitCounterProps) HitCounter { this := constructs.NewConstruct(scope, &id) table := awsdynamodb.NewTable(this, jsii.String("Hits"), &awsdynamodb.TableProps{ PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("path"), Type: awsdynamodb.AttributeType_STRING}, }) handler := awslambda.NewFunction(this, jsii.String("HitCounterHandler"), &awslambda.FunctionProps{ Runtime: awslambda.Runtime_NODEJS_16_X(), Handler: jsii.String("hitcounter.handler"), Code: awslambda.Code_FromAsset(jsii.String("lambda"), nil), Environment: &map[string]*string{ "DOWNSTREAM_FUNCTION_NAME": props.Downstream.FunctionName(), "HITS_TABLE_NAME": table.TableName(), }, }) table.GrantReadWriteData(handler) return &hitCounter{this, handler} } func (h *hitCounter) Handler() awslambda.IFunction { return h.handler } {{}} ## Deploy Save & deploy: ``` cdk deploy ``` ## Test again Okay, deployment is complete. Let's run our test again (either use `curl` or your web browser): ``` curl -i https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/prod/ ``` Again? ``` HTTP/2 502 Bad Gateway ... {"message": "Internal server error"} ``` # 😢 Still getting this pesky 5xx error! Let's look at our CloudWatch logs again (click "Refresh"): ```json { "errorMessage": "User: arn:aws:sts::585695036304:assumed-role/CdkWorkshopStack-HelloHitCounterHitCounterHandlerS-TU5M09L1UBID/CdkWorkshopStack-HelloHitCounterHitCounterHandlerD-144HVUNEWRWEO is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:585695036304:function:CdkWorkshopStack-HelloHandler2E4FBA4D-149MVAO4969O7", "errorType": "AccessDeniedException", "stackTrace": [ "Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:48:27)", "Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:52:8)", "Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:105:20)", "Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:77:10)", "Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)", "Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)", "AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)", "/var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10", "Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)", "Request. (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)" ] } ``` Another access denied, but this time, if you take a close look: ``` User: is not authorized to perform: lambda:InvokeFunction on resource: " ``` So it seems like our hit counter actually managed to write to the database. We can confirm by going to the [DynamoDB Console](https://console.aws.amazon.com/dynamodb/home): ![](./logs5.png) But, we must also give our hit counter permissions to invoke the downstream lambda function. ## Grant invoke permissions Add the highlighted lines to `hitcounter.go`: {{}} package hitcounter import ( "github.com/aws/aws-cdk-go/awscdk/v2/awsdynamodb" "github.com/aws/aws-cdk-go/awscdk/v2/awslambda" "github.com/aws/constructs-go/constructs/v10" "github.com/aws/jsii-runtime-go" ) type HitCounterProps struct { Downstream awslambda.IFunction } type hitCounter struct { constructs.Construct handler awslambda.IFunction } type HitCounter interface { constructs.Construct Handler() awslambda.IFunction } func NewHitCounter(scope constructs.Construct, id string, props *HitCounterProps) HitCounter { this := constructs.NewConstruct(scope, &id) table := awsdynamodb.NewTable(this, jsii.String("Hits"), &awsdynamodb.TableProps{ PartitionKey: &awsdynamodb.Attribute{Name: jsii.String("path"), Type: awsdynamodb.AttributeType_STRING}, }) handler := awslambda.NewFunction(this, jsii.String("HitCounterHandler"), &awslambda.FunctionProps{ Runtime: awslambda.Runtime_NODEJS_16_X(), Handler: jsii.String("hitcounter.handler"), Code: awslambda.Code_FromAsset(jsii.String("lambda"), nil), Environment: &map[string]*string{ "DOWNSTREAM_FUNCTION_NAME": props.Downstream.FunctionName(), "HITS_TABLE_NAME": table.TableName(), }, }) table.GrantReadWriteData(handler) props.Downstream.GrantInvoke(handler) return &hitCounter{this, handler} } func (h *hitCounter) Handler() awslambda.IFunction { return h.handler } {{}} ## Diff You can check what this did using `cdk diff`: ``` cdk diff ``` The **Resource** section should look something like this, which shows the IAM statement was added to the role: ``` Resources [~] AWS::IAM::Policy HelloHitCounter/HitCounterHandler/ServiceRole/DefaultPolicy HelloHitCounterHitCounterHandlerServiceRoleDefaultPolicy1487A60A └─ [~] PolicyDocument └─ [~] .Statement: └─ @@ -19,5 +19,15 @@ [ ] "Arn" [ ] ] [ ] } [+] }, [+] { [+] "Action": "lambda:InvokeFunction", [+] "Effect": "Allow", [+] "Resource": { [+] "Fn::GetAtt": [ [+] "HelloHandler2E4FBA4D", [+] "Arn" [+] ] [+] } [ ] } [ ] ] ``` Which is exactly what we wanted. ## Deploy Okay... let's give this another shot: ``` cdk deploy ``` Then hit your endpoint with `curl` or with your web browser: ``` curl -i https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/prod/ ``` Output should look like this: ``` HTTP/2 200 OK ... Hello, CDK! You've hit / ``` > If you still get 5xx, give it a few seconds and try again. Sometimes API Gateway takes a little bit to "flip" the endpoint to use the new deployment. # 😲