Monthly Archives: August 2018

Serverless User: arn:aws:iam::etc is not authorized to perform: dynamodb:PutItem on resource

When following the serverless tutorial here I got an error message which was really hard to debug. Running the following:

AWS_PROFILE=rukaya serverless invoke local --function create --path mocks/create-event.json --aws-profile rukaya

gave an error message like this: “User: [some ARN] is not authorized to perform: dynamodb:PutItem on resource”.

I set up a role for my user, I gave the role almost every permission under the sun, I gave the user account itself the permissions directly, but no joy.

I have two AWS accounts set up on this machine – one for my personal stuff and one for work. The personal one is called ‘rukaya’, the work one has my company’s name in it. It took me quite a while to explicitly check the ARN number and realise that AWS was using my work account even though I was setting AWS_PROFILE and using --aws-profile in the serverless command.

The reason serverless was ignoring my commands is not because it hates me (my theory for the past half hour), but because I had forgotten I was setting AWS_SECRET_ACCESS_KEY=worksecret and AWS_ACCESS_KEY_ID=workkeyid in my environment variables for a script. Unsetting that sorted the problem. It’s pretty silly that your environment variables override your explicit commands, but *shrug*.

Anyway, nobody else on the internet seems to have had this issue so perhaps I’m the first, but I’m posting this on the off chance someone else encounters this.
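
A pre-flight check for the situation described above, as an added example that is not part of the original post: it compares the access key ID exported in the environment with the one stored for the requested profile, and prints only the last four characters of each. It assumes the profile keeps static keys in the shared credentials file (~/.aws/credentials, or the path in AWS_SHARED_CREDENTIALS_FILE); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): detect exported AWS keys that
# belong to a different identity than the profile you asked for.
# Usage: . ./check-aws-profile.sh && check_profile_shadowing rukaya

# Print the aws_access_key_id stored for profile $1, or nothing if absent.
# Assumption: static keys live in the shared credentials file.
profile_key_id() {
    file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    [ -r "$file" ] || return 0
    awk -v want="[$1]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*aws_access_key_id[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$file"
}

# Last four characters of $1, so full key IDs never reach the terminal or logs.
tail4() { printf '%s' "${1#"${1%????}"}"; }

# Exit status:
#   0 = no conflict (no profile requested, no exported key, or the keys match)
#   1 = exported key differs from the key stored for the profile
#   2 = a key is exported but the profile's key could not be found to compare
check_profile_shadowing() {
    profile="${1:-${AWS_PROFILE:-}}"
    [ -n "$profile" ] || return 0
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] || return 0

    expected="$(profile_key_id "$profile")"
    if [ -z "$expected" ]; then
        echo "AWS_ACCESS_KEY_ID is exported; no stored key found for" \
             "profile '$profile' to compare against." >&2
        return 2
    fi
    if [ "$expected" != "$AWS_ACCESS_KEY_ID" ]; then
        echo "WARNING: profile '$profile' uses key ending" \
             "...$(tail4 "$expected"), but the environment exports a key" \
             "ending ...$(tail4 "$AWS_ACCESS_KEY_ID")." >&2
        echo "Run: unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY" \
             "AWS_SESSION_TOKEN" >&2
        return 1
    fi
    return 0
}
```

Status 1 is the case from this post: a profile was requested while keys for another account were still exported in the shell.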