AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

amazon-web-services aws-lambda amazon-iam
Arjun Komath picture Arjun Komath · May 28, 2016 · Viewed 87.8k times · Source

I'm trying to invoke a lambda function from node.

var aws = require('aws-sdk');
var lambda = new aws.Lambda({
    accessKeyId: 'id',
    secretAccessKey: 'key',
    region: 'us-west-2'
});

lambda.invoke({
    FunctionName: 'test1',
    Payload: JSON.stringify({
        key1: 'Arjun',
        key2: 'kom',
        key3: 'ath'
    })
}, function(err, data) {
    if (err) console.log(err, err.stack);
    else     console.log(data);
});

The keys are for an IAM user. The user has AWSLambdaExecute and AWSLambdaBasicExecutionRole policies attached.

I get a permission error: AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:1221321312:function:test1

I read the docs and several blogs, but I'm unable to authorise this user to invoke the lambda function. How do get this user to invoke lambda?

Thanks.

Answer

Matt Houser picture Matt Houser · May 28, 2016

The AWSLambdaExecute and AWSLambdaBasicExecutionRole do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.

The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.

You need to give your IAM user the lambda:InvokeFunction permission:

  1. Find your User in the IAM Management Console and click it.
  2. On the "Permissions" tab, expand the "Inline Policies" section and click the "click here" link to add a policy".
  3. Select a "Custom Policy".
  4. Give your policy a name. It can be anything.
  5. Put this policy in the Policy Document field.

Sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

In this policy, I have included both methods to invoke lambda methods.

Update:

There is now also an IAM Managed Policy named AWSLambdaRole that you can assign to your IAM user or IAM role. This should give you the permissions you need.

Related questions

aws lambda function getting access denied when getObject from s3

I am getting an acccess denied error from S3 AWS service on my Lambda function. This is the code: // dependencies var async = require('async'); var AWS = require('aws-sdk'); var gm = require('gm').subClass({ imageMagick: true }); // Enable ImageMagick integration. exports.handler = …

Read More
can AWS Lambda connect to RDS mySQL database and update the database?

I am trying to connect AWS Lambda function to RDS mysql database. I just wanted to update the database from my lambda function. Is it possible to access RDS by specifiying IAM Role and access Policy?. I can connect to …

Read More
Access Denied using boto3 through aws Lambda

I use the data processing pipeline constructed of S3 + SNS + Lambda becasue S3 can not send notificaiton out of its storage region so I made use of SNS to send S3 notification to Lambda in other region. The lambda function …

Read More