I am working on an access policy for one of my user roles that I am using to run a Lambda function. I have this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
I understand that setting my resources to *
is not best practice but I'm just trying to get it working before I narrow in on the most locked down version of it.
When I test my lambda function it says this:
ClientError: An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:sts::{NUMBERS}:assumed-role/{ROLE_NAME}/awslambda_{NUMBERS}_{NUMBERS} is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:{NUMBERS}:function:{FUNCTION_NAME}
I've obviously obscured some of it above with the curly braces and words but the ROLE_NAME above matches the role name that I'm editing the policy for. I'm not sure why it would fail. I've tried as the resource something like on of these:
arn:aws:lambda:*:*:*:*
arn:aws:lambda:*:*:*
Those don't work. So I've tried very broad, I've tried to narrow in on it and nothing is working. Is there something else I have to do to get those to stick? I have the IAM policy window open on one screen and lambda on the other so I'm testing right after I update the policy but I've also completely logged out and logged back in to see if there was something with that. That didn't fix it.
Any ideas?
Create an event source mapping to tell Lambda to send records from your data stream to a Lambda function. You can create multiple event source mappings to process the same data with multiple Lambda functions, or to process items from multiple data streams with a single function.
The default concurrency limit per AWS Region is 1,000 invocations at any given time. The default burst concurrency quota per Region is between 500 and 3,000, which varies per Region. There is no maximum concurrency limit for Lambda functions.
There are many reasons why a function might time out, but the most likely is that it was waiting on an IO operation to complete. Maybe it was waiting on another service (such as DynamoDB or Stripe) to respond. Within a Lambda invocation, the function might perform multiple IO operations.
The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function. You need to give your IAM user the lambda:InvokeFunction permission: Find your User in the IAM Management Console and click it.
I did this a while back. It's from my notes. Of course the account check is still there.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["lambda:InvokeFunction"],
"Effect": "Allow",
"Resource": "arn:aws:lambda:*:*:*"
}
]
}
You can also try the IAM Policy Simulator page in AWS console. You can pick and choose actions and resources and see if it goes through. The explanation sometimes is kludgy at first glance, but it's helpful.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With