I'm trying to use DynamoDB with an Alexa Hosted Skill and I'm running into what appears to be a permissions issue. I followed the instructions at https://developer.amazon.com/docs/hosted-skills/build-a-skill-end-to-end-using-an-alexa-hosted-skill.html#personal. However, instead of manually writing the code to access the DB, I was hoping to be able to use the persistent_attributes. I've tried both the StandardSkillBuilder and the CustomSkillBuilder, but neither one has allowed me to successfully use DynamoDB.
Here's the error message I'm seeing in the logs:
[ERROR] PersistenceException: Create table if not exists request failed: Exception of type ClientError occurred: An error occurred (AccessDeniedException) when calling the CreateTable operation: User: arn:aws:sts::XXXXX:assumed-role/AlexaHostedSkillLambdaRole/XXXXX is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:XXXXX:table/table-name-here
Traceback (most recent call last):
  File "/var/lang/lib/python3.7/imp.py", line 234, in load_module
    return load_source(name, filename, file)
  File "/var/lang/lib/python3.7/imp.py", line 171, in load_source
    module = _load(spec)
  File "<frozen importlib._bootstrap>", line 696, in _load
  File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 728, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/var/task/lambda_function.py", line 1421, in <module>
    dynamodb_adapter = DynamoDbAdapter(table_name="table-name-here", create_table=True)
  File "/var/task/ask_sdk_dynamodb/adapter.py", line 102, in __init__
    self.__create_table_if_not_exists()
  File "/var/task/ask_sdk_dynamodb/adapter.py", line 244, in __create_table_if_not_exists
    type(e).__name__, str(e)))
I was trying to allow the code to create the table itself since I wasn't completely sure what the partition key and sort key needed to be to work with using persistable_attributes. However, just to see if it would work, I tried setting create_table=False and then the error message changes what permission is being denied, but it still doesn't work. Instead, I get this error:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetItem operation: User: arn:aws:sts::XXXXX:assumed-role/AlexaHostedSkillLambdaRole/XXXXX is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:XXXXX:table/phone-number-lookup-state
I've tried a few times to create a role with the appropriate permissions; I even went so far as to try to temporarily create a role with Full DynamoDB Admin Access.
The only thing I knew to select as the trusted entity on the first step of role creation was Lambda. I was thinking I'd see something here specific to Alexa Hosted Skills, but I didn't:
So when creating the role, I selected Lambda, checked AmazonDynamoDBFullAccess, gave it a name, and then tried to edit the trust relationships as instructed. However, I wasn't completely clear on the instructions for this step either. Should the existing policy statement be modified in my case, or is it better to leave it there and just add the new one? I tried it both ways and it didn't help.
Here's the latest trust relationship policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXX:role/AlexaHostedSkillLambdaRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I noticed that in the error log the ARN appears to be arn:aws:sts::XXXXX:assumed-role/AlexaHostedSkillLambdaRole/XXXXX where the second set of XXXXX is a guid, but the ARN copied from my Alexa hosted skill link is different. It doesn't include the guid, has iam instead of sts, and has role instead of assumed-role. It is in the format: arn:aws:iam::XXXXX:role/AlexaHostedSkillLambdaRole. I took the ARN from the error message and changed the trust relationship policy to use that ARN instead, but that didn't seem to help either. Now I'm stumped about what to try next.
Do I have to give up using the persistent_attributes and/or the benefits of an Alexa hosted skill and make my own Lambda function to get this to work?
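The two ARN forms compared in the post can be checked mechanically. The following is an added example, not part of the original post or of the ASK SDK: it parses an AccessDeniedException message, maps the `sts` assumed-role session ARN back to its `iam` role ARN, and tests whether the trust policy already lists that role as an `sts:AssumeRole` principal. The account id, session name and all function names are constructed for illustration, and the role is assumed to have no path.

```python
import json
import re

# Constructed inputs modelled on the post; account id and session name are placeholders.
ERROR = (
    "An error occurred (AccessDeniedException) when calling the GetItem operation: "
    "User: arn:aws:sts::111122223333:assumed-role/AlexaHostedSkillLambdaRole/example-session "
    "is not authorized to perform: dynamodb:GetItem on resource: "
    "arn:aws:dynamodb:us-east-1:111122223333:table/phone-number-lookup-state"
)
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
   "Action": "sts:AssumeRole"},
  {"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/AlexaHostedSkillLambdaRole"},
   "Action": "sts:AssumeRole"}]}""")

DENIED = re.compile(r"User: (?P<caller>arn:aws:\S+) is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>arn:aws:\S+)")
SESSION = re.compile(r"arn:aws:sts::([^:]*):assumed-role/([^/]+)/.+")

def as_list(value):
    return value if isinstance(value, list) else [value]

def session_to_role_arn(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN (role path assumed empty)."""
    m = SESSION.fullmatch(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def trusted_aws_principals(policy):
    """AWS principals that the trust policy allows to call sts:AssumeRole."""
    found = set()
    for stmt in as_list(policy["Statement"]):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))):
            found.update(as_list(principal.get("AWS", [])))
    return found

def diagnose(message, policy):
    """Return who made the denied call and whether the trust policy already trusts them."""
    m = DENIED.search(message)
    if m is None:
        return None
    role = session_to_role_arn(m["caller"])
    return {"caller_role": role, "action": m["action"], "resource": m["resource"],
            "caller_trusted": role in trusted_aws_principals(policy)}

if __name__ == "__main__":
    print(diagnose(ERROR, TRUST_POLICY))
```

When `caller_trusted` is true and the denial still names the hosted-skill role as the caller, the request was signed with that role's own credentials rather than with temporary credentials returned by an `sts:AssumeRole` call on the new role.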