Reputation: 2852
I'm trying to invoke a lambda function from node.
var aws = require('aws-sdk');
var lambda = new aws.Lambda({
    accessKeyId: 'id',
    secretAccessKey: 'key',
    region: 'us-west-2'
});
lambda.invoke({
    FunctionName: 'test1',
    Payload: JSON.stringify({
        key1: 'Arjun',
        key2: 'kom',
        key3: 'ath'
    })
}, function(err, data) {
    if (err) console.log(err, err.stack);
    else console.log(data);
});
The keys are for an IAM user. The user has the AWSLambdaExecute and AWSLambdaBasicExecutionRole policies attached.
I get a permission error:
AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:1221321312:function:test1
I read the docs and several blogs, but I'm unable to authorise this user to invoke the lambda function. How do I get this user to invoke lambda?
Upvotes: 131
Views: 215743
Reputation: 16495
If your error was about a role, not a user:
User: arn:aws:sts::123456789:assumed-role/acme-role-fda27de8/acme is not authorized to perform:
lambda:InvokeFunction on resource:
arn:aws:lambda:us-east-1:123456789:function:acme-function because
no identity-based policy allows the lambda:InvokeFunction action
You will have this information
The following steps are for the specified scenario, but I think it could work for a user instead of a role.
Go to IAM
Search for the role and click on it
Create an inline policy
Add the resource name
Click on Next, set a name and click on Create policy
Validate that the new policy was created
Upvotes: 0
Reputation: 1178
For running lambda functions from a CloudWatch alarm: you should add a resource-based policy in your lambda configuration, and the principal should be lambda.alarms.cloudwatch.amazonaws.com.
These principals didn't work for me:
cloudwatch.amazonaws.com
logs.amazonaws.com
Upvotes: 0
Reputation: 185
For SAM templates, make sure you have added the lambda resource to your AppSync resource:
AppSyncApiServicePolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: AppSyncLambdaInvokePolicy
    Roles:
      - !Ref AppSyncApiServiceRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: lambda:InvokeFunction
          Resource:
            - !GetAtt GetMessages.Arn # added lambda resource
            - !GetAtt SendMessage.Arn # added lambda resource
Upvotes: 0
Reputation: 36043
There is now also an IAM Managed Policy named AWSLambdaRole that you can assign to your IAM user or IAM role. This should give you the permissions you need.
The AWSLambdaExecute and AWSLambdaBasicExecutionRole policies do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.
The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.
You need to give your IAM user the lambda:InvokeFunction permission.
Sample policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
In this policy, I have included both methods to invoke lambda methods.
Upvotes: 179
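The answer above explains that the caller needs an identity-based policy granting lambda:InvokeFunction, and its sample policy uses "*" as the Resource. The following is an added example, not code from the question or from any answer on this page: it parses the AccessDeniedException text shown in the thread (both the IAM user and the assumed-role shapes), derives a policy scoped to the single function ARN named in the error rather than "*", and runs a simplified offline check of whether a given policy document allows an action on a resource. The sample error strings are constructed from the messages quoted in the thread; the evaluation logic is a deliberately reduced model (explicit Deny wins, then Allow, then implicit deny) that ignores Condition blocks, NotAction/NotResource and resource-based policies.

```javascript
// Added example (not part of the original question or any answer): derive a
// least-privilege identity policy from an AccessDeniedException and check a
// policy document offline against an action/resource pair.

// Constructed sample messages, following the two error shapes quoted in the thread.
const SAMPLE_USER_ERROR =
  'AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized ' +
  'to perform: lambda:InvokeFunction on resource: ' +
  'arn:aws:lambda:us-west-2:1221321312:function:test1';

const SAMPLE_ROLE_ERROR =
  'User: arn:aws:sts::123456789:assumed-role/acme-role-fda27de8/acme is not authorized ' +
  'to perform: lambda:InvokeFunction on resource: ' +
  'arn:aws:lambda:us-east-1:123456789:function:acme-function because ' +
  'no identity-based policy allows the lambda:InvokeFunction action';

// Pull principal, action and resource out of the error text. Returns null when
// the text does not have the "User: ... is not authorized to perform: ... on
// resource: ..." shape.
function parseAccessDenied(message) {
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  return m ? { principal: m[1], action: m[2], resource: m[3] } : null;
}

// Minimal identity-based policy: only the denied action, only on that one ARN.
function leastPrivilegePolicy(denial) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'InvokeOneFunction',
        Effect: 'Allow',
        Action: [denial.action],
        Resource: [denial.resource],
      },
    ],
  };
}

// Turn an IAM-style pattern ('*' = any run of characters, '?' = one character)
// into an anchored RegExp. Action names are compared case-insensitively; ARNs are not.
function iamPatternToRegExp(pattern, ignoreCase) {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters first
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + body + '$', ignoreCase ? 'i' : '');
}

// Action and Resource may be a single string or an array in IAM JSON.
function matchesAny(patterns, value, ignoreCase) {
  const list = Array.isArray(patterns) ? patterns : [patterns];
  return list.some((p) => iamPatternToRegExp(p, ignoreCase).test(value));
}

// Simplified identity-policy evaluation: an explicit Deny wins, any matching
// Allow grants, otherwise the request is implicitly denied. Condition blocks,
// NotAction/NotResource and resource-based policies are not modelled.
function policyAllows(policy, action, resource) {
  let allowed = false;
  for (const st of policy.Statement) {
    if (st.Action === undefined || st.Resource === undefined) continue;
    if (!matchesAny(st.Action, action, true)) continue;
    if (!matchesAny(st.Resource, resource, false)) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Demo: scope the policy to the function named in the question's error.
const demoDenial = parseAccessDenied(SAMPLE_USER_ERROR);
const demoPolicy = leastPrivilegePolicy(demoDenial);
console.log(JSON.stringify(demoPolicy, null, 2));
console.log('allows test1:', policyAllows(demoPolicy, demoDenial.action, demoDenial.resource));
console.log('allows other function:', policyAllows(demoPolicy, demoDenial.action,
  'arn:aws:lambda:us-west-2:1221321312:function:other'));
```

The generated statement is what you would paste as an inline policy on the IAM user or role from the error; the offline check is only a sanity test for the policy text you intend to attach, and the authoritative answer still comes from IAM itself (for example the IAM policy simulator) because real evaluation also considers conditions, permission boundaries and resource-based policies.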
Reputation: 15204
If you want to allow one lambda function to invoke another one you should update policies of your lambda role.
This is a Terraform example:
Set Up the IAM Roles and Policies:
resource "aws_iam_role" "lambda_1_role" {
  name               = "Lambda_1_Role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
Add IAM Policy:
resource "aws_iam_policy" "iam_policy_for_lambda_1" {
  name        = "aws_iam_policy_for_terraform_aws_lambda_1_role"
  path        = "/"
  description = "AWS IAM Policy for managing aws lambda 1 role"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    },
    {
      "Sid": "Stmt1464440182000",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}
Don't forget to specify your Resource. Don't use the wildcard for production.
Attach IAM Policy to IAM Role:
resource "aws_iam_role_policy_attachment" "attach_iam_policy_to_iam_role_lambda_1" {
  role       = aws_iam_role.lambda_1_role.name
  policy_arn = aws_iam_policy.iam_policy_for_lambda_1.arn
}
Create a lambda:
resource "aws_lambda_function" "lambda_1" {
  function_name = "Lambda_1"
  filename      = "../lambda-1.zip"
  role          = aws_iam_role.lambda_1_role.arn
  handler       = "index.handler"
  runtime       = "nodejs16.x"
  depends_on    = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role_lambda_1]
}
Upvotes: 1
Reputation: 2263
Go to IAM, select the user and click on "Add permissions". In the list of permissions, you can simply search for all those policies with "lambda" and check the ones you want in order to execute the lambda from the console.
Upvotes: 7
Reputation: 5530
This solution worked for me:
Attaching AWSKeyManagementServicePowerUser policy from the policy list (without that I got an error on "iam:listRole")
Adding lambda:ListFunctions to the custom policy defined by @Matt Houser
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Upvotes: 11
Reputation: 221
I'm using the Serverless framework, and I had to also add arn:aws:lambda as a resource in my serverless.yml in order to use lambda.invoke.
iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:DescribeTable
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
      - lambda:InvokeFunction # Added this like mentioned above
    Resource:
      - arn:aws:dynamodb:us-east-1:*:*
      - arn:aws:lambda:us-east-1:*:* # Had to add this too
Upvotes: 22
Reputation: 3903
This worked for me:
{
    "Sid": "PermissionToInvoke",
    "Effect": "Allow",
    "Action": [
        "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:*:*:*:*"
}
Upvotes: 3
Reputation: 83
If you just use the policies that AWS provides, you have to give them to the user or to the group it belongs to.
Upvotes: 4
Reputation: 984
I solved this by adding the AWSLambdaFullAccess permissions to the user.
Find AWSLambdaFullAccess, select it and click Next: Review at the bottom of the page, then Add permissions.
And that should do it.
Upvotes: 3