Reputation: 2665
I've got an app that runs on Lambda and is accessible through APIGateway.
In my SAM template, I've set it up so that APIGateway can invoke my function.
ConfigLambdaPermission:
  Type: "AWS::Lambda::Permission"
  DependsOn:
    - MyFunction
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref MyFunction
    Principal: apigateway.amazonaws.com
But now I need the app to call its own function recursively. I thought that I could just append a new ConfigLambdaPermission to my existing one like this.
ConfigLambdaPermission:
  Type: "AWS::Lambda::Permission"
  DependsOn:
    - MyFunction
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref MyFunction
    Principal: apigateway.amazonaws.com
ConfigLambdaPermission:
  Type: "AWS::Lambda::Permission"
  DependsOn:
    - MyFunction
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Ref MyFunction
    Principal: lambda.amazonaws.com
However, when the function tries to call itself, it throws the following error:
2019-01-27 14:27:56 - Aws::Lambda::Errors::AccessDeniedException -
User: arn:aws:sts::666666666666:assumed-role/my-app-MyFunction-166U166U166U1/my-app-MyFunction-1DJIJCDO1DJIJ
is not authorized to perform: lambda:InvokeFunction on resource:
arn:aws:lambda:us-west-2:666666666666:function:my-app-MyFunction-1DJIJCDO1DJIJ:
I'm not sure if I added the privileges incorrectly or whether there some other step I need to do to inform AWS that the privileges have changed.
Any idea how to correctly allow this lambda function to call itself?
Upvotes: 1
Views: 2521
Reputation: 78842
The Principal in this case is going to be the IAM role that the Lambda itself runs under, which is as follows (replace aws-account-id and role-name as appropriate):
Principal: arn:aws:iam::aws-account-id:role/role-name
Upvotes: 4
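The answer's point is that the AccessDenied message names an STS assumed-role ARN, while the `Principal` of an `AWS::Lambda::Permission` must name the underlying IAM role ARN. The script below is an added example, not code from the question or the answer: it parses an error message of the shape shown in the question, derives the IAM role ARN that the permission must grant to, and checks constructed function policies (one with the question's `lambda.amazonaws.com` service principal, one with the role ARN the answer recommends) to see which statement, if any, covers the denied call. The policy shape, the sample message and the `diagnose` helper are assumptions; the evaluator is deliberately simplified (no `Condition`, `NotPrincipal` or explicit `Deny` handling) and models only the resource-based policy that `AWS::Lambda::Permission` writes.

```python
import re

# Constructed sample input, modelled on the error text in the question.
SAMPLE_ERROR = (
    "User: arn:aws:sts::666666666666:assumed-role/my-app-MyFunction-166U166U166U1/"
    "my-app-MyFunction-1DJIJCDO1DJIJ is not authorized to perform: "
    "lambda:InvokeFunction on resource: "
    "arn:aws:lambda:us-west-2:666666666666:function:my-app-MyFunction-1DJIJCDO1DJIJ:"
)
FUNCTION_ARN = "arn:aws:lambda:us-west-2:666666666666:function:my-app-MyFunction-1DJIJCDO1DJIJ"

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/\s]+)/(\S+)$")
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def assumed_role_to_iam_role(sts_arn: str) -> str:
    """Map the STS assumed-role ARN shown in AccessDenied messages to the IAM role ARN
    that a resource-based policy Principal must name (session name is dropped)."""
    m = ASSUMED_ROLE_RE.match(sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    account, role_name, _session = m.groups()
    return f"arn:aws:iam::{account}:role/{role_name}"


def parse_access_denied(message: str) -> dict:
    """Extract principal, action and resource from an AccessDeniedException message."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        raise ValueError("message does not look like an AccessDenied error")
    found = m.groupdict()
    found["resource"] = found["resource"].rstrip(":")  # drop the trailing ':' left by an empty qualifier
    return found


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern: str, value: str) -> bool:
    # IAM-style wildcard: '*' matches any run of characters.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _principal_matches(statement_principal, principal_arn: str) -> bool:
    """A Lambda permission's Principal is {"Service": ...} or {"AWS": ...}.
    A service principal such as lambda.amazonaws.com never matches an IAM role."""
    if statement_principal == "*":
        return True
    aws = _as_list(statement_principal.get("AWS", []))
    return principal_arn in aws or "*" in aws


def statement_allows(statement: dict, principal_arn: str, action: str, resource: str) -> bool:
    if statement.get("Effect") != "Allow":
        return False
    return (
        _principal_matches(statement.get("Principal", {}), principal_arn)
        and any(_glob_match(a, action) for a in _as_list(statement.get("Action", [])))
        and any(_glob_match(r, resource) for r in _as_list(statement.get("Resource", [])))
    )


def diagnose(policy: dict, error_message: str) -> dict:
    """Which statements of the function policy cover the call the message says was denied."""
    denied = parse_access_denied(error_message)
    role_arn = assumed_role_to_iam_role(denied["principal"])
    allowing = [
        s.get("Sid", "<no Sid>")
        for s in policy.get("Statement", [])
        if statement_allows(s, role_arn, denied["action"], denied["resource"])
    ]
    return {"required_principal": role_arn, "allowing_statements": allowing, "covered": bool(allowing)}


def lambda_permission(sid: str, principal: str) -> dict:
    """Assumed shape of the statement an AWS::Lambda::Permission adds to the function policy."""
    key = "Service" if principal.endswith(".amazonaws.com") else "AWS"
    return {"Sid": sid, "Effect": "Allow", "Principal": {key: principal},
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}


# Constructed policies: the question's attempt versus the answer's recommendation.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    lambda_permission("ApiGatewayInvoke", "apigateway.amazonaws.com"),
    lambda_permission("SelfInvoke", "lambda.amazonaws.com"),
]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    lambda_permission("ApiGatewayInvoke", "apigateway.amazonaws.com"),
    lambda_permission("SelfInvoke", "arn:aws:iam::666666666666:role/my-app-MyFunction-166U166U166U1"),
]}

if __name__ == "__main__":
    print(diagnose(BROKEN_POLICY, SAMPLE_ERROR))  # covered: False
    print(diagnose(FIXED_POLICY, SAMPLE_ERROR))   # covered: True, via SelfInvoke
```

Two practical notes follow from the check. First, the role ARN must be the exact role the function runs under, so take it from the error message (or from the function configuration) rather than retyping it; the session-name suffix after the second slash is not part of it. Second, keep the `Resource` of the self-invoke statement pinned to the one function ARN, as the template already does via `FunctionName`, so the grant cannot be reused to invoke anything else in the account.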