I'm trying to invoke a lambda function from node.
var aws = require('aws-sdk'); var lambda = new aws.Lambda({ accessKeyId: 'id', secretAccessKey: 'key', region: 'us-west-2' }); lambda.invoke({ FunctionName: 'test1', Payload: JSON.stringify({ key1: 'Arjun', key2: 'kom', key3: 'ath' }) }, function(err, data) { if (err) console.log(err, err.stack); else console.log(data); });
The keys are for an IAM user. The user has AWSLambdaExecute
and AWSLambdaBasicExecutionRole
policies attached.
I get a permission error: AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:1221321312:function:test1
I read the docs and several blogs, but I'm unable to authorise this user to invoke the lambda function. How do get this user to invoke lambda?
The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function. You need to give your IAM user the lambda:InvokeFunction permission: Find your User in the IAM Management Console and click it.
The lambda:FunctionArn condition lets you restrict which functions a user can configure an event source to invoke. For these actions, the resource is the event source mapping, so Lambda provides a condition that lets you restrict permission based on the function that the event source mapping invokes.
Open the Functions page of the Lambda console. Choose a function. Choose Configuration and then choose Permissions. Scroll down to Resource-based policy and then choose View policy document.
Invocation errors can be caused by issues with request parameters, event structure, function settings, user permissions, resource permissions, or limits. If you invoke your function directly, you see any invocation errors in the response from Lambda.
The AWSLambdaExecute
and AWSLambdaBasicExecutionRole
do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.
The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.
You need to give your IAM user the lambda:InvokeFunction
permission:
Sample policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1464440182000", "Effect": "Allow", "Action": [ "lambda:InvokeAsync", "lambda:InvokeFunction" ], "Resource": [ "*" ] } ] }
In this policy, I have included both methods to invoke lambda methods.
Update:
There is now also an IAM Managed Policy named AWSLambdaRole
that you can assign to your IAM user or IAM role. This should give you the permissions you need.
I'm using Serverless framework, and I had to also add arn:aws:lambda
as a resource in my serverless.yml in order to use lambda.invoke
.
iamRoleStatements: - Effect: Allow Action: - dynamodb:DescribeTable - dynamodb:Query - dynamodb:Scan - dynamodb:GetItem - dynamodb:PutItem - dynamodb:UpdateItem - dynamodb:DeleteItem - lambda:InvokeFunction # Added this like mentioned above Resource: - arn:aws:dynamodb:us-east-1:*:* - arn:aws:lambda:us-east-1:*:* # Had to add this too
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With