
API Lambda IAM Role

Create a role for the API Lambda.

Goal

Create an IAM role for the API Lambda that can:

  • read people metadata from DynamoDB (Persons)
  • query person → photo mappings from DynamoDB (Occurrences)
  • fetch photo metadata from DynamoDB (Photos)
  • write logs to CloudWatch

Least privilege

Do not use broad policies like AdministratorAccess. We'll grant only the exact permissions this Lambda needs.

Create the IAM role

  1. Go to IAM → Roles → Create role
  2. Trusted entity: AWS service
  3. Use case: Lambda
  4. Click on Next
  5. Skip to Step 3 by clicking on Name, review and create on the step indicator
  6. Role name: beetroot-api-role
  7. Click Create role

Add logging permissions

  1. Open the role: IAM → Roles → beetroot-api-role
  2. Go to Permissions → Add permissions → Attach policies
  3. Select: AWSLambdaBasicExecutionRole
  4. Click Add Permissions

Create the permissions policy

We'll build a least-privilege policy using the visual editor, and then you can verify it with JSON.

  1. Open the role: IAM → Roles → beetroot-api-role
  2. Click Add permissions → Create inline policy
  3. Choose the Visual editor (not JSON)
  4. Select service: DynamoDB

  5. Under Actions:

    • Expand Read and select:
      • GetItem
      • Query
      • Scan
  6. Under Resources:

    • Choose Specific
    • In Table, click Add ARN
  7. In the Add ARN popup, add these 3 table ARNs (same region: us-east-1):

    Persons table

    • Table name: Persons
    • Table ARN: arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Persons

    Occurrences table

    • Table name: Occurrences
    • Table ARN: arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Occurrences

    Photos table

    • Table name: Photos
    • Table ARN: arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Photos

    Where do I get <ACCOUNT_ID>?

    Run aws sts get-caller-identity and copy the Account value, or copy it from the top-right corner of the console.

Save the inline policy

  1. Click Next
  2. Policy name: BeetrootAPIPolicy
  3. Click Create policy

Full Policy JSON

You can verify your policy configuration by switching to the JSON editor and comparing it against the policy document below. Alternatively, paste the following JSON directly to attach all required permissions at once.

Replace the table names and <ACCOUNT_ID> if yours differ.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DynamoReadForApi",
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Persons",
        "arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Occurrences",
        "arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Photos"
      ]
    }
  ]
}
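
To confirm the role grants only what the Goal section lists, here is an added Python check (not part of the Beetroot project) that parses the policy above and flags wildcard actions or resources, actions beyond the three read calls, and tables outside the expected account and region; the account ID passed to it is a constructed placeholder.

```python
import json

# Policy document from this page, embedded as a string (placeholder kept as on the page).
API_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DynamoReadForApi",
      "Effect": "Allow",
      "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Persons",
        "arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Occurrences",
        "arn:aws:dynamodb:us-east-1:<ACCOUNT_ID>:table/Photos"
      ]
    }
  ]
}"""

# What the API Lambda is allowed to do, per the Goal section: read-only on three tables.
EXPECTED_ACTIONS = {"dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"}
EXPECTED_TABLES = {"Persons", "Occurrences", "Photos"}

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def check_least_privilege(policy_json, account_id, region="us-east-1"):
    """Return a list of findings; an empty list means the policy grants exactly what the page intends."""
    policy = json.loads(policy_json.replace("<ACCOUNT_ID>", account_id))
    table_prefix = f"arn:aws:dynamodb:{region}:{account_id}:table/"
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen the grant
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action not in EXPECTED_ACTIONS:
                findings.append(f"action not needed by the API Lambda: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"wildcard resource: {resource}")
            elif not resource.startswith(table_prefix):
                findings.append(f"resource outside the expected account/region: {resource}")
            elif resource[len(table_prefix):] not in EXPECTED_TABLES:
                findings.append(f"unexpected table: {resource}")
    return findings
```

Paste the JSON shown in the role's JSON editor in place of API_POLICY_JSON and pass your real account ID; any non-empty result is a grant the Goal section does not call for.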

Checkpoint

In the role's Permissions tab, you should see:

  • AWSLambdaBasicExecutionRole
  • BeetrootAPIPolicy
