Facing same issue ... CognitoIdentityCredentials is not authorized to perform: dynamodb:Query on resource

If you were getting issue like this

{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::0123456789:assumed-role/xxx_auth_MOBILEHUB_123456/CognitoIdentityCredentials is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:0123456:table/xxx-mobilehub-638986677-tasks/index/DateSorted"}

It could be a permission issue. Edit inline JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTables",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1: 0123456789:table/lexbot-mobilehub-0123456-tasks*"
            ]
        }
    ]
}

Please note , resource should be your dynamo ARN and notice * at the end.

You're right. The bug is that when you create the DynamoDB table, the table is added to the policy but the index is not. I think the bug is in the awsmobile cli. It seems to create the user ok and it's index, but adding a table and index via cli only adds the table to the policy

"arn:aws:dynamodb:us-east-1:677548906110:table/test-mobilehub-558515137-AWSMobileTable",
"arn:aws:dynamodb:us-east-1:677548906110:table/test-mobilehub-558515137-AWSMobileTable/index/personName-index",      
"arn:aws:dynamodb:us-east-1:677548906110:table/test-mobilehub-558515137-tasks"

The issue is the instructions to set up the table are missing the step to add the DateSorted column. There are instructions to add the index to DateSorted, but not to add the column

I think DateSorted is index name and you don't need to create a column named "DateSorted" ... Main issue was cognito user did not have permission to access the index as it was not added in the policy. If you add * at the end of tasks arn , any resource related to tasks table will be included. I was able to run the demo adding * at the end of arn.

You're right, you don't need to add the column. You are partially correct about the index. Adding * does work but you have now enabled access to everything under that table. If you follow the instructions regarding adding the index you end up with

"arn:aws:dynamodb:us-east-1:677548906110:table/test-mobilehub-558515137-tasks",
"arn:aws:dynamodb:us-east-1:677548906110:table/test-mobilehub-558515137-tasks/index/DateSorted"

@LXensen that's the perfect solution. Adding index explicitly rather using *. Thank you !

@LXensen @just4give I am new to Ionic and AWS and trying to setup this starter project. Could you explain in a little more detail how I can edit the inline JSON to fix this issue?

@emmafass if you login to your aws console , you can search for IAM. Once you are there, on left hand pane, you should see a menu "Roles" . Click on that. Then you should see all the roles. The one you need to look for should have a name with auth_MOBILEHUB /unauth_MOBILEHUB ( if you created mobile hub project ) . You need to click on that role. It will show all the permissions for that role. You should look for permission name nosqldatabase_MOBILEHUB . If you expand that ( click on the triangle icon) you should see a button "Edit JSON" . That's the JSON you need to edit. Please let me know if this helps.

Find the Role in IAM that was created by the CLI ( it will be something like YOUR_PROJECT_NAME_auth_MOBILEHUB_XXXXXXXXX - where x is some obscure number). Click on that role. In the Permissions tab, find the Policy name for nosqldatabase that matches the Role name ( YOUR_PROJECT_NAME_nosqldatabase_MOBILEHUB_XXXXXXXXX ). Click the arrow on the left to expand the policy and the index as I pointed out in the previous comment

Thanks so much! That worked :)

For some reason awsmobile database configure did not allow me to set up the index in the command line. I just did it on the console instead and then made the changes you guys recommended. It is all working now!

@emmafass I had exact same issue and I created the index on the console too.

I think we all had the same issue. I think that's where the bug is.

You can also use the awsmobile CLI to edit the configuration after it fails. I did it that way and it updated the JSON policy properly.

Now if one of you cold help me out with my other problem that'd be great ;-))

@LXensen what is your other issue?

I can't access a DynamoDB table that I created outside the CLI.

I've used the previous version of this Starter. In that Starter, if I created a DynamoDB table within DynamoDB console, copied the ARN and added it to the Policy created by the Starter ( just like we are discussing here ) I was able to access it via the application. But now I'm getting a permissions issue. I even raised a second ticket:

https://github.com/ionic-team/starters/issues/48

The aws.dynamodb.ts is different in the previous version also. Credentials were not required when creating the DocumentClient. I tried this approach in the new version but I get a 'Error: Missing credentials in config' error

import { Injectable } from '@angular/core';

declare var AWS: any;

@Injectable()
export class DynamoDB {

  private documentClient: any;

  constructor() {
    this.documentClient = new AWS.DynamoDB.DocumentClient();
  }

  getDocumentClient() {
    return this.documentClient;
  }

}

Aaaaand I figured it out: I was using the scan function incorrectly. Here is my solution:

  onScan(err, data){
    if(err){ 
      console.log('eror is '   err)
    }else{ 
      console.log(data)
    };
  }

  test(){
    const params = {
      'TableName': this.questionsTable,
    };
  
    this.db.getDocumentClient()
    .then(client => client.scan(params, this.onScan))
  }

I copied the example from the Task file and modified it

  this.db.getDocumentClient()
  .then(client => client.scan(params, this.onScan).promise())
  .then(data => console.log(data))
  .catch(err => console.log(err));

I have a requirement for encrypted tables. Since the CLI does not allow you to create an encrypted table, you would have to do that through the DynamoDB console

For everyone having this problem, just create the table with the cli but don't add the index, run awsmobile database configure and edit your table (in this case tasks) and then add the index.

Your app will work without problem. As others have pointed out, it seems to be a bug with the awsmobile cli.