AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

Asked 28/5, 2016 at 10:53 Answered 5/4, 2024 at 13:24

Solved node.js amazon-web-services aws-lambda amazon-iam

127

I'm trying to invoke a lambda function from node.

var aws = require('aws-sdk');
var lambda = new aws.Lambda({
    accessKeyId: 'id',
    secretAccessKey: 'key',
    region: 'us-west-2'
});

lambda.invoke({
    FunctionName: 'test1',
    Payload: JSON.stringify({
        key1: 'Arjun',
        key2: 'kom',
        key3: 'ath'
    })
}, function(err, data) {
    if (err) console.log(err, err.stack);
    else     console.log(data);
});

The keys are for an IAM user. The user has AWSLambdaExecute and AWSLambdaBasicExecutionRole policies attached.

I get a permission error: AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:1221321312:function:test1

I read the docs and several blogs, but I'm unable to authorise this user to invoke the lambda function. How do get this user to invoke lambda?

Kirkwood answered 28/5, 2016 at 10:53 Comment(1)

I heartily wish there were an aws cli or web interface to fix this. aws add-access "AccessDeniedException: User: ARN... is not authorized to perform: ACTION on resource: ARN..." maybe prompt you with a couple of description questions and add the access roles. – Sinistral 15/11, 2017 at 0:7

174

UPDATE (TL;DR)

There is now also an IAM Managed Policy named AWSLambdaRole that you can assign to your IAM user or IAM role. This should give you the permissions you need.

Original Answer

The AWSLambdaExecute and AWSLambdaBasicExecutionRole do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.

The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.

You need to give your IAM user the lambda:InvokeFunction permission:

Find your User in the IAM Management Console and click it.
On the "Permissions" tab, expand the "Inline Policies" section and click the "click here" link to add a policy".
Select a "Custom Policy".
Give your policy a name. It can be anything.
Put this policy in the Policy Document field.

Sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

In this policy, I have included both methods to invoke lambda methods.

Feudalism answered 28/5, 2016 at 12:52 Comment(10)

This did not work for me, I had to use "lambda:*". In other words had to hit it with a big hammer! – Penult 30/6, 2016 at 1:45

For what you are doing, there's no need to create a custom policy. You can add AWSLambdaRole as a managed policy on the user profile and that's it. – Frederiksen 18/8, 2016 at 9:51

I tried both adding custom policy and attaching "AWSLambdaRole", but I am still getting the AccessDeniedException: <USER> is not authorized to perform: lambda:InvokeFunction – Weise 8/11, 2016 at 13:13

@lusocoding that worked for me, let me know if you post it as an answer of its own ;) – Elephantine 8/8, 2017 at 9:37

Works for me but it took some minutes to an hour before the changes took effect – Uniocular 16/1, 2020 at 1:13

AWSLambdaRole didn't work for me, i needed to create the inline policy with lambda:InvokeAsync, since i have event function types – Bedtime 20/5, 2020 at 15:45

the Action "lambda:InvokeAsync" is deprecated, you just need the "lambda:InvokeFunction" – Camel 12/6, 2020 at 0:19

Adding AWSLambdaRole worked for me, but it took a few minutes to wait for it to work – Ellswerth 24/4, 2021 at 21:14

This is the perfect example of Amazon's trash UI. Or, to put it more clearly, why don't they just SAY this?! – Bensky 14/1, 2023 at 20:49

WARNING: Using "Resource": "*" has given me a ton of trouble. better to use "arn:aws:lambda:*:*:*" instead – Sulphathiazole 10/2, 2023 at 20:14

I'm using Serverless framework, and I had to also add arn:aws:lambda as a resource in my serverless.yml in order to use lambda.invoke.

 iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - lambda:InvokeFunction # Added this like mentioned above
      Resource:
        - arn:aws:dynamodb:us-east-1:*:*
        - arn:aws:lambda:us-east-1:*:* # Had to add this too

Azure answered 16/10, 2018 at 3:11 Comment(3)

This solved the issue for me (none of the other answers worked for me). – Neophyte 16/3, 2020 at 17:25

Thanks, this is what I was looking for. Just a note that this config should be put under the "provider" section, forum.serverless.com/t/… – Champlain 23/8, 2021 at 12:23

Not necessarily, it can be declared under the function yml definition as well in iamRoleStatements – Spindly 22/3, 2022 at 19:53

This solution worked for me:

Attaching AWSKeyManagementServicePowerUser policy from the policy list (without that I got an error on "iam:listRole")
Adding lambda:ListFunctions to the custom policy defined by @Matt Houser

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Scoria answered 19/7, 2017 at 13:2 Comment(0)

Go to IAM, select the user and click on "add permissions". In the list of permission , you can simply search with all those policies with lambda,and check the ones you want in order to execute the lambda from console.

River answered 22/5, 2018 at 3:18 Comment(0)

If you just use the policies that AWS provides you have to give to the user or the group it belongs

Tomasine answered 19/9, 2018 at 14:18 Comment(1)

Adding` AWSCodeDeploy` worked form me when calling Lambda from iOS. – Becht 21/10, 2018 at 9:56

I solved this by adding the AWSLambdaFullAccess permissions to the user.

Within IAM Users, click add permissions
Select "Attach existing policies directly"
Search for AWSLambdaFullAccess, select it and click next:review at the bottom of the page.
Click Add Permissions

And that should do it.

Batha answered 20/3, 2018 at 17:40 Comment(3)

I had to add "AWSCodeDeployRoleForLambda" – Hildegardhildegarde 27/3, 2018 at 22:52

Agree with @KeithNorman, AWSLambdaFullAccess alone didn't do it for me. – Mabe 13/5, 2019 at 3:20

note AWSLambdaFullAccess & AWSLambdaReadOnlyAccess are now deprecated. See here: docs.aws.amazon.com/lambda/latest/dg/… – Hickson 29/3, 2021 at 16:41

This worked for me:

{
    "Sid": "PermissionToInvoke",
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:*:*:*:*"
}

Saccharose answered 14/7, 2020 at 19:31 Comment(2)

What is it about the Sid? Is this arbitrary? – Sumter 7/9, 2021 at 8:55

@Sumter You put a unique name in the Sid for identification of that permission from others – Saccharose 7/9, 2021 at 8:57

If you want to allow one lambda function to invoke another one you should update policies of your lambda role.

This is a Terraform example:

Set Up the IAM Roles and Policies:

resource "aws_iam_role" "lambda_1_role" {
    name   = "Lambda_1_Role"
    assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Effect": "Allow",
            "Sid": ""
        }
    ]
}
EOF
}

Add IAM Policy:

resource "aws_iam_policy" "iam_policy_for_lambda_1" {
    name         = "aws_iam_policy_for_terraform_aws_lambda_1_role"
    path         = "/"
    description  = "AWS IAM Policy for managing aws lambda 1 role"
    policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*",
        "Effect": "Allow"
    },
    {
        "Sid": "Stmt1464440182000",
        "Effect": "Allow",
        "Action": [
            "lambda:InvokeAsync",
            "lambda:InvokeFunction"
        ],
        "Resource": [
            "*" 
        ]
    }
    ]
}
EOF
}

Don't forget to specify your Resource. Don't use the wildcard for production.

Attach IAM Policy to IAM Role:

resource "aws_iam_role_policy_attachment" "attach_iam_policy_to_iam_role_lambda_1" {
    role        = aws_iam_role.lambda_1_role.name
    policy_arn  = aws_iam_policy.iam_policy_for_lambda_1.arn
}

Create a lambda:

resource "aws_lambda_function" "lambda_1" {
    function_name  = "Lambda_1"
    filename       = "../lambda-1.zip"
    role           = aws_iam_role.lambda_1_role.arn
    handler        = "index.handler"
    runtime        = "nodejs16.x"
    depends_on     = [aws_iam_role_policy_attachment.attach_iam_policy_to_iam_role_lambda_1]
}

Whyalla answered 16/2, 2023 at 5:49 Comment(0)

For SAM templates, make sure you have added the lambda resource to your AppSync resource:

AppSyncApiServicePolicy:
Type: AWS::IAM::Policy
Properties:
  PolicyName: AppSyncLambdaInvokePolicy
  Roles:
    - !Ref AppSyncApiServiceRole
  PolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Action: lambda:InvokeFunction
        Resource:
          - !GetAtt GetMessages.Arn // added lambda resource
          - !GetAtt SendMessage.Arn // added lambda resource

Spatial answered 9/5, 2023 at 21:37 Comment(0)

For running lambda functions from CloudWatch alarm: you should add resouce-based policy in your lambda configuration and the principal should be lambda.alarms.cloudwatch.amazonaws.com. These principals didn't work for me:

cloudwatch.amazonaws.com
logs.amazonaws.com

Besprent answered 14/2, 2024 at 14:51 Comment(0)

2024 updated

If your error was about a role, not a user:

User: arn:aws:sts::123456789:assumed-role/acme-role-fda27de8/acme is not authorized to perform: 
lambda:InvokeFunction on resource:
arn:aws:lambda:us-east-1:123456789:function:acme-function because 
no identity-based policy allows the lambda:InvokeFunction action

You will have this information

role: acme-role-fda27de8
- automatically created for some automated process like terraform, another aws service, jenkins, you using the ui, etc
resource or your function name: arn:aws:lambda:us-east-1:123456789:function:acme-function

The following steps if for the specified scenario but I think it could work for a proper user instead role.