AWS Lambda not authorised to perform action listed in permissions
I have a very simple AWS Lambda function - just listing all my CloudWatch events:

import boto3

def lambda_handler(event, context):
    client = boto3.client("events")
    return client.list_rules()

However, when I try to run it (with an empty test event: {}), I am getting the following permissions exception:

An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName 
is not authorized to perform: events:ListRules 
on resource: arn:aws:events:eu-west-1:123321123321:rule/*

I do have this policy attached to the lambda execution role (and I can see the actions listed in the permissions tab on the lambda):

{
  "document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "BasicCloudWatchEventsManager",
        "Effect": "Allow",
        "Action": [
          "events:DescribeRule",
          "events:EnableRule",
          "events:PutRule",
          "events:ListRules",
          "events:DisableRule"
        ],
        "Resource": "arn:aws:events:*:*:rule/[*/]*"
      }
    ]
  },
  "name": "BasicCloudWatchEventsManager",
  "id": "SOME7LONG7ID",
  "type": "managed",
  "arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}

I've built the policy using the visual editor they provide, just changed the Sid manually.

Any clues what might be missing?

Endogen answered 10/4, 2020 at 13:47 Comment(4)
Could be an SCP (if you're in an environment that uses AWS Organizations) or a permission boundary kicking in. Did you try policysim.aws.amazon.com to verify? - Propylene
@MichaelHausenblas I run this on my own account, from the AWS interface - no policy boundaries set. Didn't know of policysim, but tried it now - denied: Implicitly denied (no matching statements). - Endogen
Gotcha. When using the policy simulator, did you provide your resource ARN? - Propylene
@MichaelHausenblas I didn't want to provide a specific ARN, because I want to list all my rules, even the ones I plan to create in the future. But when I tried with a specific ARN, or changing to "Resource": "*", it worked - this has led me to the answer I posted. Thanks for your help! The policysim was a great tip. - Endogen

After a lot of frustration, I figured it out. In the visual policy editor, selecting the resource as any rule, adding an ARN and selecting "any" for all options will add this line to the policy:

"Resource": "arn:aws:events:*:*:rule/[*/]*"

What this is meant to stand for is:

  • an events resource
  • in any (*) region
  • on any account
  • in any event bus, if the rule belongs to one (this is the [*/] part)
  • with any name

However, it looks like Amazon's logic is slightly broken: the optional part doesn't work and is probably taken literally. So what I had to do to fix it is to change this to:

"Resource": "arn:aws:events:*:*:rule/*"

With this it works without issues.

Endogen answered 10/4, 2020 at 14:45 Comment(3)
Good catch! - saved me a lot of grief - Bobbyebobbysocks
I tried with "Resource": "*" and it worked as well. - Scalariform
It's no longer possible to set it to "arn:aws:events:*:*:rule/*", for it gets auto-corrected to remove the last "*". - Sadyesaechao
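
To see why the bracketed ARN is rejected, here is an added example (not from the post or from AWS) in Python: a minimal IAM-style matcher that treats "*" and "?" as wildcards within one ARN field and everything else, brackets included, as literal text, following the documented IAM wildcard rules. The evaluator is deliberately simplified (identity policy only, no Condition or Principal handling), and the policy statement and resource ARN are the ones from the question.

```python
import re

def _segment_matches(pattern: str, value: str) -> bool:
    """Match one ARN field: '*' is zero or more characters, '?' exactly one,
    anything else is literal. So in 'rule/[*/]*' the brackets and the slash
    are literal text (assumed from IAM's documented wildcard rules; it is
    also what the accepted answer observed in practice)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM wildcards do not span the colons between ARN fields, so compare
    the six fields (partition .. resource) one by one."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_segment_matches(p, a) for p, a in zip(p_parts, a_parts))

def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal identity-policy evaluator: an explicit Deny wins, a matching
    Allow grants, and no match at all is the implicit deny the policy
    simulator reported."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_segment_matches(a, action) for a in actions):
            continue
        if not any(arn_matches(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def events_policy(resource: str) -> dict:
    """The question's statement with only the Resource line varied (constructed)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "BasicCloudWatchEventsManager", "Effect": "Allow",
        "Action": ["events:DescribeRule", "events:EnableRule", "events:PutRule",
                   "events:ListRules", "events:DisableRule"],
        "Resource": resource}]}

BROKEN = events_policy("arn:aws:events:*:*:rule/[*/]*")  # what the visual editor emitted
FIXED = events_policy("arn:aws:events:*:*:rule/*")       # the accepted fix
DENIED_RESOURCE = "arn:aws:events:eu-west-1:123321123321:rule/*"  # from the error message
```

Evaluating `is_allowed(BROKEN, "events:ListRules", DENIED_RESOURCE)` reproduces the implicit deny, while the same call against `FIXED` is allowed.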
