AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

I'm trying to invoke a lambda function from node.

    var aws = require('aws-sdk');
    var lambda = new aws.Lambda({
        accessKeyId: 'id',
        secretAccessKey: 'key',
        region: 'us-west-2'
    });

    lambda.invoke({
        FunctionName: 'test1',
        Payload: JSON.stringify({
            key1: 'Arjun',
            key2: 'kom',
            key3: 'ath'
        })
    }, function(err, data) {
        if (err) console.log(err, err.stack);
        else console.log(data);
    });

The keys are for an IAM user. The user has AWSLambdaExecute and AWSLambdaBasicExecutionRole policies attached.

I get a permission error: AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:1221321312:function:test1

I read the docs and several blogs, but I'm unable to authorise this user to invoke the lambda function. How do I get this user to invoke lambda?

Arjun Komath asked May 28 '16 10:05



2 Answers

The AWSLambdaExecute and AWSLambdaBasicExecutionRole do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.

The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.

You need to give your IAM user the lambda:InvokeFunction permission:

  1. Find your User in the IAM Management Console and click it.
  2. On the "Permissions" tab, expand the "Inline Policies" section and click the "click here" link to add a policy.
  3. Select a "Custom Policy".
  4. Give your policy a name. It can be anything.
  5. Put this policy in the Policy Document field.

Sample policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1464440182000",
                "Effect": "Allow",
                "Action": [
                    "lambda:InvokeAsync",
                    "lambda:InvokeFunction"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

In this policy, I have included both methods to invoke lambda methods.

Update:

There is now also an IAM Managed Policy named AWSLambdaRole that you can assign to your IAM user or IAM role. This should give you the permissions you need.

Matt Houser answered Sep 20 '22 19:09
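An added Node example, not from the question or either answer: it parses the AccessDeniedException text quoted in the question into the denied action and resource ARN, builds an identity policy scoped to that one function instead of the sample policy's "Resource": ["*"], and runs a simplified IAM-style evaluator over a policy document to show which calls it would allow. The function names and the evaluator are my own assumptions, not an AWS API.

```javascript
// Added example (not from the original question or answers). The error text
// and ARNs below are the ones quoted in the question.
const ERROR_TEXT =
  'AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not ' +
  'authorized to perform: lambda:InvokeFunction on resource: ' +
  'arn:aws:lambda:us-west-2:1221321312:function:test1';

// Pull the principal, the denied action and the resource ARN out of the message.
function parseAccessDenied(text) {
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(text);
  if (!m) return null;
  return { principal: m[1], action: m[2], resource: m[3] };
}

// Build a policy that allows exactly the denied action on exactly the denied
// function, rather than every function in the account as "Resource": ["*"] does.
function scopedPolicyFor(denied) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: [denied.action], Resource: [denied.resource] }],
  };
}

// Turn an IAM-style wildcard ("*" and "?") into a RegExp matched on the whole string.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// Simplified identity-policy evaluator: an explicit Deny wins, otherwise any
// matching Allow grants. Condition blocks, NotAction/NotResource and the
// function's resource-based policy are not modelled here.
function policyAllows(policy, action, resource) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const actions = [].concat(stmt.Action);
    const resources = [].concat(stmt.Resource);
    const hit = actions.some(a => wildcardToRegExp(a).test(action)) &&
                resources.some(r => wildcardToRegExp(r).test(resource));
    if (!hit) continue;
    if (stmt.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}
```

Running policyAllows with the scoped policy against a second function ARN returns false, which is the check to make before widening Resource to "*".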


I'm using Serverless framework, and I had to also add arn:aws:lambda as a resource in my serverless.yml in order to use lambda.invoke.

    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:DescribeTable
          - dynamodb:Query
          - dynamodb:Scan
          - dynamodb:GetItem
          - dynamodb:PutItem
          - dynamodb:UpdateItem
          - dynamodb:DeleteItem
          - lambda:InvokeFunction # Added this like mentioned above
        Resource:
          - arn:aws:dynamodb:us-east-1:*:*
          - arn:aws:lambda:us-east-1:*:* # Had to add this too
Jessica Bee answered Sep 22 '22 19:09