question

atobrandon avatar image
atobrandon asked

How can I use DynamoDBAdapter with an Alexa Hosted Skill and have access to persistent_attributes?

I'm trying to use DynamoDB with an Alexa Hosted Skill and I'm running into what appears to be a permissions issue. I followed the instructions at https://developer.amazon.com/docs/hosted-skills/build-a-skill-end-to-end-using-an-alexa-hosted-skill.html#personal. However, instead of manually writing the code to access the DB, I was hoping to be able to use the persistent_attributes. I've tried both the StandardSkillBuilder and the CustomSkillBuilder, but neither one has allowed me to successfully use DynamoDB.


Here's the error message I'm seeing in the logs:

[ERROR] PersistenceException: Create table if not exists request failed: Exception of type ClientError occurred: An error occurred (AccessDeniedException) when calling the CreateTable operation: User: arn:aws:sts::XXXXX:assumed-role/AlexaHostedSkillLambdaRole/XXXXX is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:XXXXX:table/table-name-here
Traceback (most recent call last):
  File "/var/lang/lib/python3.7/imp.py", line 234, in load_module
    return load_source(name, filename, file)
  File "/var/lang/lib/python3.7/imp.py", line 171, in load_source
    module = _load(spec)
  File "<frozen importlib._bootstrap>", line 696, in _load
  File "<frozen importlib._bootstrap>", line 677, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 728, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/var/task/lambda_function.py", line 1421, in <module>
    dynamodb_adapter = DynamoDbAdapter(table_name="table-name-here", create_table=True)
  File "/var/task/ask_sdk_dynamodb/adapter.py", line 102, in __init__
    self.__create_table_if_not_exists()
  File "/var/task/ask_sdk_dynamodb/adapter.py", line 244, in __create_table_if_not_exists
    type(e).__name__, str(e)))


I was trying to allow the code to create the table itself since I wasn't completely sure what the partition key and sort key needed to be to work with using persistable_attributes. However, just to see if it would work, I tried setting create_table=False and then the error message changes what permission is being denied, but it still doesn't work. Instead, I get this error:


botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetItem operation: User: arn:aws:sts::XXXXX:assumed-role/AlexaHostedSkillLambdaRole/XXXXX is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:XXXXX:table/phone-number-lookup-state


I've tried a few times to create a role with the appropriate permissions, I even went to far as to try to temporarily create a role with Full DynamoDB Admin Access.

The only thing I knew to select as the trusted entity on the first step of role creation was Lambda. I was thinking I'd see something here specific to Alexa Hosted Skills, but I didn't:

So when creating the role, I selected Lambda, Checked AmazonDynamoDBFullAccess, gave it a name and then tried to edit the trust relationships as instructed. However, I wasn't completely clear on the instructions for this step either. Should the existing policy statement be modified in my case or is it better to leave it there and just add the new one? I tried it both ways and it didn't help.


Here's the latest trust relationship policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXX:role/AlexaHostedSkillLambdaRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


I noticed that in the error log the ARN appears to be arn:aws:sts::XXXXX:assumed-role/AlexaHostedSkillLambdaRole/XXXXX where the second set of XXXXX is a guid, but the ARN copied from my Alexa hosted skill link is different. It doesn't include the guid, has iam instead of sts, and has role instead of assumed-role. It is in the format: arn:aws:iam::XXXXX:role/AlexaHostedSkillLambdaRole. I took the ARN from the error message and changed the trust relationship policy to use that ARN instead, but that didn't seem to help either. Now I'm stumped about what to try next.


Do I have to give up the using the persistent_attributes and/or the benefits of an Alexa hosted skill and make my own Lambda function to get this to work?


alexa skills kitapidynamodbalexa hosted skills
10 |3000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

atobrandon avatar image
atobrandon answered

After a few days of struggle, I think the main issue is that I needed to copy the ARN from the role that I set up in the IAM console and use that in the code instead of the ARN of the skill. Once that became apparent to me, I finally got past this roadblock. :-D

1 comment
10 |3000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Can you explain how you solved this? I don't understand what you mean by "use that in the code".

1 Like 1 ·
newuser-15e03126-56f8-475d-afb1-65b60d32a07c avatar image
newuser-15e03126-56f8-475d-afb1-65b60d32a07c answered

@atobrandon, I am stuck on the same issue. How do we use the ARN of the IAM console into the code - the Alexa hosted Lambda? I am stuck on the same issue.

1 comment
10 |3000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@NewUser-15e03126-56f8-475d-afb1-65b60d32a07c - did you ever solve this problem?

0 Likes 0 ·
Amazon_Bernardo Bezerra avatar image
Amazon_Bernardo Bezerra answered

Hi @Anthony Bryan and @NewUser-15e03126-56f8-475d-afb1-65b60d32a07c.

In the Cake Walk tutorial it is explained how you can add attribute persistence in an Alexa Hosted Skill using DynamoDB.

I hope it helps you.

Regards,
Barry

2 comments
10 |3000 characters needed characters left characters exceeded

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

@barry@amazon - If you look at the Cakewalk tutorial that is not correct, but if you could share the piece with correct information would be grateful. Thank you.

0 Likes 0 ·
Amazon_Bernardo Bezerra avatar image Amazon_Bernardo Bezerra ♦♦ newuser-09ed25b3-2bd6-4dd4-bd61-25381e2e0c61 ·

Hello and thank you for your message.

The documentation has been updated and is now referring only to AWS S3. This page explains how to use your own personal AWS resources in conjunction with your Alexa-Hosted skill.

Regards,
Barry

0 Likes 0 ·