Joey Yi Zhao

Reputation: 42644

Why can't I put wildcard to invoke a lambda function in IAM policy?

I need to invoke a lambda (lambdaB) from another lambda (lambdaA). In lambdaA's IAM policy, I have the configuration below:

{
    "Action": [
        "lambda:invokeFunction"
    ],
    "Resource": [
        "arn:aws:lambda:ap-southeast-2:264100014405:function:handler:*"
    ],
    "Effect": "Allow"
}

It doesn't work, and I get the error below in lambdaA:

lambdaA is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-southeast-2:264100014405:handler because no identity-based policy allows the lambda:InvokeFunction action.

But if I remove the wildcard from the resource:

"Resource": [
    "arn:aws:lambda:ap-southeast-2:264100014405:function:handler"
],

it works fine.

lambdaA calls the aws-sdk to invoke the lambda by its name, which is handler.

The reason I put a wildcard there is that I'd like to grant lambdaA permission to invoke all aliases of lambdaB in the future. What is the right IAM policy to set in lambdaA's role?

Upvotes: 1

Views: 4235

Answers (2)

yuval yacoby

Reputation: 104

You need to add the wildcard to the function name without the colon, like this: arn:aws:lambda:ap-southeast-2:264100014405:function:handler*

It will give permission to invoke all of handler's versions/aliases.

Upvotes: 1

brianz

Reputation: 7448

You have a slight misunderstanding on the ARN for AWS Lambda functions. Change the ARN in your IAM policy to:

arn:aws:lambda:ap-southeast-2:264100014405:function:YOUR_FUNCTION_NAME

You can find YOUR_FUNCTION_NAME in the AWS console or use the aws-cli and call aws lambda list-functions.

Explanation

An ARN for a Lambda function consists of:

arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME

When using an alias or version, you can append those:

  • arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME:ALIAS
  • arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME:VERSION

You can read more in the Lambda documentation

The handler for a Lambda function is a configuration variable as far as Lambda is concerned. It does not play a role in ARNs. If you use the aws-cli to run the aws lambda list-functions command, you will see the handler as a separate property from the ARN. For example, for each function:

{
  "FunctionName": "stack-overflow-func",
  "FunctionArn": "arn:aws:lambda:us-west-2:111111111111:function:stack-overflow-func",
  "Runtime": "python3.9",
  "Role": "arn:aws:iam::111111111111:role/role-name-3IJQ",
  "Handler": "handler.lambda_handler",
  ...
}

Upvotes: 1
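The two answers above read the trailing `*` differently, and the question hinges on how IAM matches a policy `Resource` pattern against the ARN that the invoke call actually presents. As an added example (not code from the question or from either answer), here is a small Python model of that matching, plus a parser that splits a Lambda ARN into function name and qualifier along the lines the second answer lays out. The account ID, region and function name `handler` are taken from the question; the sibling function `handler2`, the `prod` alias, version `3`, and the minimal policy evaluator are constructed for the demonstration and are not AWS code. The example also goes one step beyond the answers: `function:handler*` lets lambdaA invoke any function whose name merely starts with `handler`, whereas listing `function:handler` and `function:handler:*` as two resources covers the unqualified name and every alias or version without that spillover.

```python
"""Added example: how IAM Resource wildcards match Lambda function ARNs."""
import re
from dataclasses import dataclass
from typing import Optional

# Values from the question; the policies below are constructed for the demo.
ACCOUNT = "264100014405"
REGION = "ap-southeast-2"


@dataclass(frozen=True)
class LambdaArn:
    partition: str
    region: str
    account: str
    function_name: str
    qualifier: Optional[str]  # alias or version; None for the unqualified ARN


# arn:PARTITION:lambda:REGION:ACCOUNT:function:NAME[:QUALIFIER]
_ARN_RE = re.compile(
    r"^arn:(?P<partition>[a-z-]+):lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":function:(?P<name>[A-Za-z0-9_-]+)(?::(?P<qualifier>\$LATEST|[A-Za-z0-9_-]+))?$"
)


def parse_lambda_arn(arn: str) -> LambdaArn:
    """Split a Lambda function ARN into fields, separating the name from any qualifier."""
    m = _ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a Lambda function ARN: {arn!r}")
    return LambdaArn(m["partition"], m["region"], m["account"], m["name"], m["qualifier"])


def lambda_arn(name: str, qualifier: Optional[str] = None) -> str:
    """Build the ARN the way the invoke call presents it (qualifier only if given)."""
    base = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{name}"
    return f"{base}:{qualifier}" if qualifier else base


def _wildcard_regex(pattern: str) -> str:
    # IAM policy wildcards: '*' matches any run of characters (':' and '/' included),
    # '?' matches exactly one character; everything else is literal.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def resource_matches(pattern: str, arn: str) -> bool:
    return re.fullmatch(_wildcard_regex(pattern), arn) is not None


def action_matches(pattern: str, action: str) -> bool:
    # IAM compares action names case-insensitively, which is why the question's
    # "lambda:invokeFunction" works once the Resource is right.
    return re.fullmatch(_wildcard_regex(pattern), action, re.IGNORECASE) is not None


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Minimal identity-policy evaluation: an explicit Deny wins, any matching Allow
    grants, otherwise the default is deny. Conditions, NotAction/NotResource and
    resource-based policies are out of scope for this example."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(action_matches(a, action) for a in actions):
            continue
        if not any(resource_matches(r, arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def invoke_policy(*resources: str) -> dict:
    """Constructed Allow statement for lambda:InvokeFunction over the given resources."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                           "Resource": list(resources)}]}


def compare_policies() -> dict:
    """Evaluate the question's pattern, both answers' patterns and the two-resource
    form against an unqualified invoke, an alias, a version and a sibling function."""
    targets = {
        "unqualified": lambda_arn("handler"),
        "alias": lambda_arn("handler", "prod"),
        "version": lambda_arn("handler", "3"),
        "sibling": lambda_arn("handler2"),
    }
    policies = {
        "handler:*": invoke_policy(lambda_arn("handler", "*")),
        "handler": invoke_policy(lambda_arn("handler")),
        "handler*": invoke_policy(lambda_arn("handler*")),
        "handler + handler:*": invoke_policy(lambda_arn("handler"), lambda_arn("handler", "*")),
    }
    return {pname: {tname: is_allowed(pol, "lambda:InvokeFunction", arn)
                    for tname, arn in targets.items()}
            for pname, pol in policies.items()}


if __name__ == "__main__":
    for pname, results in compare_policies().items():
        print(f"{pname:22}", "  ".join(f"{t}={'allow' if ok else 'deny'}" for t, ok in results.items()))
```

Running it shows why the question's `handler:*` denies the unqualified invoke (the pattern requires a literal colon after the name, and the SDK call by plain function name sends no qualifier), why `handler*` allows it, and that `handler*` also allows `handler2`. The two-resource form is the least-privilege way to cover the function and all of its aliases and versions.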

Related Questions