AWS Lambda not authorised to perform action listed in permissions

I have a very simple AWS Lambda function - just listing all my CloudWatch events:

import boto3

def lambda_handler(event, context):
    client = boto3.client("events")
    return client.list_rules()

However, when I try to run it (with an empty test event: {}), I am getting the following permissions exception:

An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName 
is not authorized to perform: events:ListRules 
on resource: arn:aws:events:eu-west-1:123321123321:rule/*

I do have this policy attached to the lambda execution role (and I can see the actions listed in the permissions tab on the lambda):

{
  "document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "BasicCloudWatchEventsManager",
        "Effect": "Allow",
        "Action": [
          "events:DescribeRule",
          "events:EnableRule",
          "events:PutRule",
          "events:ListRules",
          "events:DisableRule"
        ],
        "Resource": "arn:aws:events:*:*:rule/[*/]*"
      }
    ]
  },
  "name": "BasicCloudWatchEventsManager",
  "id": "SOME7LONG7ID",
  "type": "managed",
  "arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}

I've built the policy using the visual editor they provide, just changed the Sid manually.

Any clues what might be missing?

Faboor asked Apr 10 '20 13:04
1 Answer

After a lot of frustration, I figured it out. In the visual policy editor, selecting the resource as any rule, adding an ARN and selecting "any" for all options will add this line to the policy:

"Resource": "arn:aws:events:*:*:rule/[*/]*"

What this is meant to stand for is:

  • an events resource
  • in any (*) region
  • on any account
  • in any event bus, if the rule belongs to one (this is the [*/] part)
  • with any name

However, it looks like Amazon's logic is slightly broken and the optional part doesn't work and is probably taken literally. So what I had to do to fix it is to change this to:

"Resource": "arn:aws:events:*:*:rule/*"

With this it works without issues.

Faboor answered Oct 13 '22 11:10
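To see why the editor's pattern fails, here is an added example (not from the question or answer, and not AWS's evaluator) that applies IAM's documented wildcard rules, where only `*` and `?` are special and `[` and `]` are ordinary characters, to both Resource strings. The ARN from the AccessDeniedException and the two rule ARNs are constructed sample inputs.

```python
import re

# Resource the visual editor generated (from the question) and the one that works (from the answer).
BROKEN_RESOURCE = "arn:aws:events:*:*:rule/[*/]*"
FIXED_RESOURCE = "arn:aws:events:*:*:rule/*"

# Constructed sample ARNs: the one named in the error, a rule on the default bus,
# and a rule on a custom event bus (the case the "[*/]" part was supposed to cover).
DENIED_ARN = "arn:aws:events:eu-west-1:123321123321:rule/*"
DEFAULT_BUS_RULE = "arn:aws:events:eu-west-1:123321123321:rule/nightly-cleanup"
CUSTOM_BUS_RULE = "arn:aws:events:eu-west-1:123321123321:rule/my-bus/nightly-cleanup"


def _glob_regex(pattern: str) -> str:
    # IAM wildcards: '*' = any run of characters (including ':' and '/'), '?' = one character.
    # Everything else, including '[' and ']', is matched literally (assumption: mirrors IAM docs).
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def action_matches(pattern: str, action: str) -> bool:
    # Action names are compared case-insensitively.
    return re.fullmatch(_glob_regex(pattern), action, re.IGNORECASE) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    return re.fullmatch(_glob_regex(pattern), arn) is not None


def policy_allows(policy: dict, action: str, arn: str) -> bool:
    """True if any Allow statement covers both the action and the ARN.
    Deny statements and Condition blocks are out of scope for this check."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(action_matches(a, action) for a in actions) and any(
            resource_matches(r, arn) for r in resources
        ):
            return True
    return False


def events_policy(resource: str) -> dict:
    # The question's statement, parameterised on its Resource string.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "BasicCloudWatchEventsManager", "Effect": "Allow",
        "Action": ["events:DescribeRule", "events:EnableRule", "events:PutRule",
                   "events:ListRules", "events:DisableRule"],
        "Resource": resource}]}


if __name__ == "__main__":
    for label, res in (("broken", BROKEN_RESOURCE), ("fixed", FIXED_RESOURCE)):
        for arn in (DENIED_ARN, DEFAULT_BUS_RULE, CUSTOM_BUS_RULE):
            print(f"{label:6} events:ListRules on {arn}: {policy_allows(events_policy(res), 'events:ListRules', arn)}")
```

The broken pattern only matches ARNs that literally contain `rule/[`, so it covers neither the default-bus nor the custom-bus rule; `rule/*` covers both because `*` also matches the `/` inside a bus-qualified name.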