Creating an AWS IAM Role allowing API Gateway to access DynamoDB

Jason Conway-Williams
3 min read · Mar 8, 2019

IAM stands for Identity and Access Management. It is the AWS service that decides which users, and which other AWS services, are allowed to call which API actions on which resources. IAM can be reached in the AWS console by filtering the Services panel with the search term IAM. In this blog post I walk through the steps needed to create an IAM role that API Gateway can assume to perform read and write operations on DynamoDB.

From the AWS Services panel, search for IAM, open the IAM Dashboard and select Roles from the side panel.

To create a new role, click “Create role”, choose “AWS service” as the type of trusted entity and select API Gateway. The only use case offered is “API Gateway”, which allows API Gateway to push logs to CloudWatch. Choosing it also sets the role's trust policy so that only the API Gateway service (apigateway.amazonaws.com) can assume the role, which is exactly what we want. Click “Next: Permissions”.

The CloudWatch Logs policy (the AWS managed policy AmazonAPIGatewayPushToCloudWatchLogs) is displayed on the next screen. Click “Next: Tags” to proceed.

Add tags to your new role if you like. A meaningful tag makes the role easy to find later, for example a key of “Application” with a value of “CRUD application name”. Click “Next: Review” to proceed to the Review screen. Enter a name for the new role as well as a description and click “Create role”.

The new role has been created and you should be returned to the Roles dashboard. We now need to add a DynamoDB access policy to the role. To do this, find the new role and click on the role name to be taken to the role summary view.

Click the “Attach policies” button and find the AmazonDynamoDBFullAccess policy. Select the policy and click “Attach policy”.

The new role can now be selected in an API Gateway integration (the Execution role field of an AWS service integration) to reach DynamoDB. AmazonDynamoDBFullAccess is the quickest way to get the integration working, but it grants every DynamoDB action, including creating and deleting tables, on every table in the account. For anything beyond a throwaway test, replace it with a customer-managed policy that lists only the item-level actions the API actually uses (for example dynamodb:GetItem, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:DeleteItem and dynamodb:Query) and names the ARN of the specific table as the Resource, then detach the full-access policy. A role that can only be assumed by apigateway.amazonaws.com and can only touch one table is the least-privilege version of what this post sets up.
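The two policy documents behind the role described above, written out as an added example rather than code from the original post. The trust policy restricts who may assume the role to the API Gateway service principal; the permissions policy is the scoped alternative to AmazonDynamoDBFullAccess. The account ID, region and table name are hypothetical, and the "full access" document is a constructed approximation used only to show the difference a scoped policy makes. The `is_allowed` function is a simplified model of IAM evaluation (explicit Deny wins, otherwise any matching Allow grants; `*` and `?` wildcards in Action and Resource) that is good enough to demonstrate why the full-access policy lets the API delete any table and the scoped one does not.

```python
"""Least-privilege IAM role for an API Gateway -> DynamoDB integration.

Added example, not the article's own code. All identifiers below are hypothetical:
account 123456789012, region eu-west-2, table "Items".
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # hypothetical account
TABLE_ARN = f"arn:aws:dynamodb:eu-west-2:{ACCOUNT_ID}:table/Items"  # hypothetical table

# Trust policy: only the API Gateway service principal may assume this role.
# This is what selecting "API Gateway" as the trusted service in the console produces.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Scoped permissions policy: only the item-level CRUD actions the API needs,
# only on one table (plus its indexes, which Query needs when it targets a GSI).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CrudOnItemsTable",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:Query",
        ],
        "Resource": [TABLE_ARN, f"{TABLE_ARN}/index/*"],
    }],
}

# Constructed approximation of a "full access" managed policy, for comparison only.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for one identity-based policy.

    An explicit Deny on a matching statement always wins; otherwise the request is
    allowed if any Allow statement matches both the action and the resource.
    Actions are matched case-insensitively, resources case-sensitively, with the
    usual '*' and '?' wildcards.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        action_match = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_match = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_match and resource_match:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def overbroad_statements(policy):
    """Return the Sid (or index) of every Allow statement that uses a whole-service
    action wildcard ("*" or "service:*") or a "*" resource: the pattern a reviewer
    should flag before a role like this reaches production."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", [])))
        wild_resource = any(r == "*" for r in _as_list(stmt.get("Resource", [])))
        if wild_action or wild_resource:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def policy_json(policy):
    """Serialise a policy document in the form the console or CLI accepts."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    other_table = f"arn:aws:dynamodb:eu-west-2:{ACCOUNT_ID}:table/Other"
    for name, policy in (("scoped", SCOPED_POLICY), ("full-access", FULL_ACCESS_POLICY)):
        print(f"{name}: GetItem on Items   ->", is_allowed(policy, "dynamodb:GetItem", TABLE_ARN))
        print(f"{name}: DeleteTable on Items ->", is_allowed(policy, "dynamodb:DeleteTable", TABLE_ARN))
        print(f"{name}: GetItem on Other   ->", is_allowed(policy, "dynamodb:GetItem", other_table))
        print(f"{name}: over-broad statements ->", overbroad_statements(policy))
    print(policy_json(TRUST_POLICY))
    print(policy_json(SCOPED_POLICY))
```

The same role can be created without the console by saving `TRUST_POLICY` and `SCOPED_POLICY` to files and running `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json` followed by `aws iam put-role-policy --role-name <name> --policy-name <policy-name> --policy-document file://scoped.json`; the resulting role ARN is what the API Gateway integration's Execution role field expects.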


Jason Conway-Williams

Cloud Solutions Architect at City Electrical Factors (CEF)