Cannot Create a trigger on a DynamoDB created with the CLI

[horacioh]

Describe the bug
I tried to create a trigger from a DynamoDB table created from the CLI but I got some errors on the console

To Reproduce

1. amplify add api: and create a simple model (im my case I create this:

type Lead @model {
  id: ID!
  fullname: String!
  email: AWSEmail!
  phone: String!
  serviceType: Service
  comment: String
}

enum Service {
  RESIDENCIAL
  COMERCIAL
  INDUSTRIAL
}

1. amplify add function: create a simple function. add whatever name. no edit needed
2. amplify push
3. amplify api console
4. go to the triggers tab and create a new trigger from an existing Lambda Function
5. in the popup, Select the previous function created and leave the other inputs as is.
6. click on create nad you will see the error below

Cannot access stream arn:aws:dynamodb:eu-west-1:115238827609:table/Lead-xwwfwne24nd43feacszaupqof4-staging/stream/2019-08-25T15:08:37.527. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM. (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4f297881-6498-49c3-b237-97e902972409)

Expected behavior
I expect the trigger to be created and let me edit/update my function on my editor and push it via the amplify cli.

Screenshots

Desktop (please complete the following information):
Model Name: MacBook Pro
Model Identifier: MacBookPro11,3
Processor Name: Intel Core i7
Processor Speed: 2.5 GHz
Number of Processors: 1
Total Number of Cores: 4
L2 Cache (per Core): 256 KB
L3 Cache: 6 MB
Memory: 16 GB

Google Chrome:

  Version: 76.0.3809.100
  Obtained from: Identified Developer
  Last Modified: 8/6/19, 2:29 AM
  Kind: Intel
  64-Bit (Intel): Yes

Additional context
I tried it with a function created from the cli and with another functionc reated directly in the console. on both cases I got the same error so my assumption is that cloudformation is not doing something on the DynamoDB and prevent this to work properly.

[kaustavghosh06]

@horacioh For the function to process DDB streams - you would need to add polcies to the Lambda function execution role if you're doing it via the console. You would need these polcies:

        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:region:accountID:table/BarkTable/stream/*"
        }

[horacioh]

thanks for the solution @kaustavghosh06 !
I'm not too familiar with all AWS tools, can you give me a more detailed step by step?

• where do I need to add this code you mentioned?
• do I need to change something in the console?
• can everything be done via de CLI and this snippet?

thanks!

[kaustavghosh06]

@horacioh Sorry for the late response:

1. You would need to modify this via the console for tables managed by the GraphQL transformer, but this should soon be addressed out of the box - as a part of the CLI - as a part of this PR - Ability to add custom EventSource and lambda triggers via amplify add function, Kinesis support in analytics category #2463

2. In the meanwhile, you can go the Lambda console - go to your Lambda function trigger -> Find out the Lambda Execution Role Name -> Attach the policy mentioned above as a part of the Lambda execution role in the IAM console.

3. Answered in 1.

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.