Function resolver using AppSync's DDB tables

[TeoTN]

Hey, I'm trying to define a mutation using function resolver created with amplify function add, that would perform a batch update on dynamodb tables created by appsync graphql api - I basically need to perform a few updates as one atomic operation.

When I call the mutation though, it fails with following error:

GraphQL error: User: arn:aws:sts::111111111111:assumed-role/appnameLambdaRole1234abcd-dev/appname-resolvers-dev is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:eu-west-1:111111111111:table/Tablename-dev

While I could attach appropriate policy to the role, it doesn't seem a good solution, I'd like to keep that in my code. I've tried using amplify function update but it doesn't let me allow the function to access the storage used by appsync.
How can I actually do this?

[kaustavghosh06]

@TeoTN Currently the function module doesn't allow you to add/edit permissions for the DDB tables created by the GraphQL transformer. But there's a PR out for it - #2463 which would enable you to do that. For now you would have to maintain a custom stack to do this.

[kaustavghosh06]

We recently added a feature to attach a trigger to the DDB tables generated by the GraphQL transformer. You can checkout the documentation out here - https://aws-amplify.github.io/docs/cli-toolchain/quickstart#as-a-part-of-the-graphql-api-types-with-model-annotation

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.