Aws-sdk-net: Is it possible to manually supply the DynamoDB table ARN in AmazonDynamoDBConfig?

Created on 30 Aug 2018 · 8Comments · Source: aws/aws-sdk-net

Expected Behavior

There should be a property within AmazonDynamoDBConfig class to specify the DynamoDB table ARN.

Current Behavior

When copying the code (no hardcoded value and table name is identical) from one AWS account to another, access to DynamoDB failed. I suspect the endpoint has changed (account number is changed).

~Possible~ Current Solution

Need to provide developers with Access Key to deploy directly themselves from IDE.

Steps to Reproduce (for bugs)

Use IDE to deploy a function that access a dynamodb table.
Confirm it works in account A.
Manually create the function in account B and import the deployment package downloaded from account A.
Create a new dynamodb table with same table name in account B.
Run the function, it failed when trying to read/write to the table.

Context

Our developers use Visual Studio Lambda plugin to deploy dotnetcore app to a AWS account. When moving this app to a different account (this one), we did not use VS plugin but a CloudFormation template to deploy Lambda config and other AWS resources (S3, DynamoDB table, etc). Then the Lambda code is exported and uploaded to new lambda.

However we ran into an issue when calling the Lambda from this account (QA): the lambda tried to write to DynamoDB table in the original account (Dev). We looked everywhere but couldn't find where the IDE plugin specify the value for DynamoDB table. AWS SDK for .NET only allow us to supply the region (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/CodeSamples.DotNet.html#CodeSamples.DotNet.RegionAndEndpoint).

My guess is that when we deploy the app from IDE (where AWS access key is installed), the plugin somehow creates the DynamoDB endpoint based on the key with account name and hashes the endpoint. Is there anyway we can specify the new DynamoDB endpoint?

I also submitted a support ticket to AWS.

closing-soon guidance

Source

gl-lamhnguyen

Most helpful comment

What about when you want to connect to DDB's in other accounts/regions?

jverce on 11 Sep 2019

👍3

All 8 comments

Hi! Why do you need to specify the endpoint? The SDK should automatically figure out the endpoint for you based on the region property of the config file.

sstevenkang on 30 Aug 2018

@sstevenkang Hey, so like I mentioned in the context part, I "copied" the lambda from one account to another (deploy without using IDE), and the DynamoDB connection stopped working. It's likely due to the lambda trying to reach the Dynamodb table in the original account.

gl-lamhnguyen on 30 Aug 2018

Right, I think we need a little more context here. Could you share code stripped of sensitive information on how you are accessing the table?

sstevenkang on 30 Aug 2018

Here it is:

```
private void InsertRecord(TableName record)
{
var client = new AmazonDynamoDBClient();
var context = new DynamoDBContext(client);

        var task = context.SaveAsync(record);

        task.Wait();

        if(task.IsCompletedSuccessfully)
        {
            Lambda.Logger.LogLine($"Inserted record for file {record.Filename} into DynamoDB...");
            return;
        }

        Lambda.Logger.LogLine($"Failed to insert record for file {record.Filename} into DynamoDB due to error {task.Exception.Message}!");

    }

```

Where TableName is the reference to dynamodb table

gl-lamhnguyen on 31 Aug 2018

What does TableName type look like? I still don't understand what you mean by We looked everywhere but couldn't find where the IDE plugin specify the value for DynamoDB table..

Have you verified that the table exists in the account?

The next step would be to run Fiddler and see what the request to DynamoDB service actually looks like underneath.

sstevenkang on 31 Aug 2018

So from the original account (where we deploy using VS with AWS SDK plugin), we created a table name TableName and just reference it from this code. When we copied the stack to the second account, we also created a table named TableName, but the code failed. For AWS Dynamodb, table name is not unique (like S3) and the ARN of DynamoDB contains the account number.

gl-lamhnguyen on 31 Aug 2018

👍1

This sounds like an access permissions issue. If you are still having problems with this, consider using IAM federated identities or Cognito so you don't have to share your account credentials with other developers.