Getting "UnknownError: Forbidden: DynamoDB" on migrate

[nicodh]

running sls dynamodb start
with a configuration as shown below(migrate: true and a configured Table resource)
shows error "UnknownError: Forbidden: DynamoDB - Error -"
and does not migrate the table.
With migrate: false there is no error

Expected Behaviour

should create the configured tables if migrate: true is configured

Steps to reproduce it
This is the relevant part of the serverless.yaml:

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-central-1
  stage: 'offline'
  custom:
    serverless-offline:
      port: 2110
      stage: offline
    dynamodb:
      start:
        port: 8000
        inMemory: true
        migrate: true
      stages:
        - offline
 plugins:
  - serverless-dynamodb-local
  - serverless-offline
 resources:
  Resources:
    DevicesTable:
      Type: 'AWS::DynamoDB::Table'
      DeletionPolicy: Retain
      Properties:
        AttributeDefinitions:
          - AttributeName: userId
            AttributeType: S
          - AttributeName: created
            AttributeType: N
        KeySchema:
          - AttributeName: userId
            KeyType: HASH
          - AttributeName: created
            KeyType: RANGE
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        TableName: 'MyTable'

LogCat for the issue

Serverless: Running "serverless" installed locally (in service node_modules)
Dynamodb Local Started, Visit: http://localhost:8000/shell

UnknownError: Forbidden: DynamoDB - Error -

  Unknown Error ------------------------------------------

  UnknownError: Forbidden
      at Request.extractError (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\protocol\json.js:52:27)
      at Request.callListeners (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:106:20)
      at Request.emit (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:78:10)
      at Request.emit (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:690:14)
      at Request.transition (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:22:10)
      at AcceptorStateMachine.runTo (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\state_machine.js:14:12)
 at Request.<anonymous> (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:38:9)
      at Request.<anonymous> (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\request.js:692:12)
      at Request.callListeners (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:116:18)
      at callNextListener (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\sequential_executor.js:96:12)
      at IncomingMessage.onEnd (C:\Users\me\projects\assethub\device-backend\node_modules\aws-sdk\lib\event_listeners.js:313:13)
      at IncomingMessage.emit (events.js:215:7)
      at IncomingMessage.EventEmitter.emit (domain.js:476:20)
      at endReadableNT (_stream_readable.js:1183:12)
      at processTicksAndRejections (internal/process/task_queues.js:80:21)

I also logged the constructor arguments for the last request before the failure (service, operation and params)

Service: Service {
  config: Config {
    credentials: Credentials {
      expired: false,
      expireTime: null,
      refreshCallbacks: [],
      accessKeyId: 'MOCK_ACCESS_KEY_ID',
      sessionToken: undefined
    },
    credentialProvider: CredentialProviderChain {
      providers: [Array],
      resolveCallbacks: []
    },
    region: 'localhost',
    logger: null,
    apiVersions: {},
    apiVersion: null,
    endpoint: 'http://localhost:8000',
    httpOptions: { timeout: 120000, agent: [HttpsProxyAgent] },
    maxRetries: undefined,
    maxRedirects: 10,
    paramValidation: true,
    sslEnabled: true,
    s3ForcePathStyle: false,
    s3BucketEndpoint: false,
    s3DisableBodySigning: true,
    s3UsEast1RegionalEndpoint: 'legacy',
    s3UseArnRegion: undefined,
    computeChecksums: true,
    convertResponseTypes: true,
    correctClockSkew: false,
    customUserAgent: null,
    dynamoDbCrc32: true,
    systemClockOffset: 0,
    signatureVersion: null,
    signatureCache: true,
    retryDelayOptions: {},
    useAccelerateEndpoint: false,
    clientSideMonitoring: false,
    endpointDiscoveryEnabled: undefined,
    endpointCacheSize: 1000,
    hostPrefixEnabled: true,
    stsRegionalEndpoints: 'legacy',
    accessKeyId: 'MOCK_ACCESS_KEY_ID',
    secretAccessKey: 'MOCK_SECRET_ACCESS_KEY',
    convertEmptyValues: false
  },
  endpoint: Endpoint {
    protocol: 'http:',
    host: 'localhost:8000',
    port: 8000,
    hostname: 'localhost',
    pathname: '/',
    path: '/',
    href: 'http://localhost:8000/'
  },
  _events: {
    apiCallAttempt: [ [Function: EVENTS_BUBBLE] ],
    apiCall: [ [Function: CALL_EVENTS_BUBBLE] ]
  },
  MONITOR_EVENTS_BUBBLE: [Function: EVENTS_BUBBLE],
  CALL_EVENTS_BUBBLE: [Function: CALL_EVENTS_BUBBLE],
  _clientId: 1
}
operation: createTable
params: {
  AttributeDefinitions: [
    { AttributeName: 'userId', AttributeType: 'S' },
    { AttributeName: 'created', AttributeType: 'N' }
  ],
  KeySchema: [
    { AttributeName: 'userId', KeyType: 'HASH' },
    { AttributeName: 'created', KeyType: 'RANGE' }
  ],
  ProvisionedThroughput: { ReadCapacityUnits: 1, WriteCapacityUnits: 1 },
  TableName: 'MyTable'
}

I'm on Windows 10 and used gitbash.

 Your Environment Information ---------------------------
     Operating System:          win32
     Node Version:              12.13.0
     Framework Version:         2.19.0
     Plugin Version:            4.4.2
     SDK Version:               2.3.2
     Components Version:        3.4.7

The default credentials in my .aws/credentials file are valid:

aws dynamodb list-tables --no-verify-ssl

shows the table in my AWS account

I use the same credentials to deploy the whole application with serverless (which creates also the dynamodb tables)

If I use the params from the debug log above in localhost:8000/shell to create the table it works with no error and the table is created.

I am behind a proxy but as mentioned aws cli works fine (but needs --no-verify-ssl )

If any more information is needed I'm willing to provide it!
Any hint how to debug the error is welcome too!

[nicodh]

Additional information: the same code with the same credentials works fine on Linux.
If I create a table in the Javascript Shell http://localhost:8000/shell I can see the table by running

aws dynamodb list-tables --endpoint http://localhost:8000

On Windows I can see the created table in the shell when running dynamodb.listTables but not in the aws cli:

aws dynamodb list-tables --endpoint http://localhost:8000

so somehow both connect to a different context...??

[mattdodge]

It's been almost 2 years so I assume you solved this, but maybe helpful for someone else. I was encountering the same error, started getting Forbidden all of the sudden on code that used to work. Turns out I had another, totally unrelated, application running on port 8000 on my system. Launching the local dynamodb docker container didn't holler about the port collision so it wasn't obvious at first.