88

I'm trying to invoke a lambda function from node.

var aws = require('aws-sdk');   // AWS SDK for JavaScript v2

// Credentials passed inline: these are the IAM user's access keys
var lambda = new aws.Lambda({
    accessKeyId: 'id',
    secretAccessKey: 'key',
    region: 'us-west-2'
});

// Synchronous (RequestResponse) invocation of the function named test1;
// Payload is the JSON event the function receives
lambda.invoke({
    FunctionName: 'test1',
    Payload: JSON.stringify({
        key1: 'Arjun',
        key2: 'kom',
        key3: 'ath'
    })
}, function(err, data) {
    if (err) console.log(err, err.stack);   // the AccessDeniedException lands here
    else     console.log(data);
});

The keys are for an IAM user. The user has AWSLambdaExecute and AWSLambdaBasicExecutionRole policies attached.

I get a permission error: AccessDeniedException: User: arn:aws:iam::1221321312:user/cli is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:1221321312:function:test1

I read the docs and several blogs, but I'm unable to authorise this user to invoke the Lambda function. How do I get this user to invoke Lambda?

Thanks.

Arjun Komath
  • I heartily wish there were an aws cli or web interface to fix this. aws add-access "AccessDeniedException: User: ARN... is not authorized to perform: ACTION on resource: ARN..." maybe prompt you with a couple of description questions and add the access roles. – kwerle Nov 15 '17 at 00:07

7 Answers

124

The AWSLambdaExecute and AWSLambdaBasicExecutionRole do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.

The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.

You need to give your IAM user the lambda:InvokeFunction permission:

  1. Find your User in the IAM Management Console and click it.
  2. On the "Permissions" tab, expand the "Inline Policies" section and click the "click here" link to add a policy.
  3. Select a "Custom Policy".
  4. Give your policy a name. It can be anything.
  5. Put this policy in the Policy Document field.

Sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

In this policy, I have included both methods of invoking Lambda functions.

Update:

There is now also an IAM Managed Policy named AWSLambdaRole that you can assign to your IAM user or IAM role. This should give you the permissions you need.

Matt Houser
  • 3
    This did not work for me, I had to use "lambda:*". In other words had to hit it with a big hammer! – Christopher Grigg Jun 30 '16 at 01:45
  • 15
    For what you are doing, there's no need to create a custom policy. You can add AWSLambdaRole as a managed policy on the user profile and that's it. – nunob Aug 18 '16 at 09:51
  • 4
    I tried both adding custom policy and attaching "AWSLambdaRole", but I am still getting the AccessDeniedException: is not authorized to perform: lambda:InvokeFunction – Jim Nov 08 '16 at 13:13
  • @lusocoding that worked for me, let me know if you post it as an answer of its own ;) – guival Aug 08 '17 at 09:37
  • 2
    Works for me but it took some minutes to an hour before the changes took effect – kebbbnnn Jan 16 '20 at 01:13
  • AWSLambdaRole didn't work for me, I needed to create the inline policy with lambda:InvokeAsync, since I have event function types – Matt Fiocca May 20 '20 at 15:45
  • the Action "lambda:InvokeAsync" is deprecated, you just need the "lambda:InvokeFunction" – Jaime Marín Jun 12 '20 at 00:19
  • Adding `AWSLambdaRole` worked for me, but it took a few minutes to wait for it to work – Lafif Astahdziq Apr 24 '21 at 21:14
17

I'm using Serverless framework, and I had to also add arn:aws:lambda as a resource in my serverless.yml in order to use lambda.invoke.

iamRoleStatements:
  - Effect: Allow
    Action:
      - dynamodb:DescribeTable
      - dynamodb:Query
      - dynamodb:Scan
      - dynamodb:GetItem
      - dynamodb:PutItem
      - dynamodb:UpdateItem
      - dynamodb:DeleteItem
      - lambda:InvokeFunction # Added this like mentioned above
    Resource:
      - arn:aws:dynamodb:us-east-1:*:*
      - arn:aws:lambda:us-east-1:*:* # Had to add this too
Stephen Rauch
Jessica Bee
9

This solution worked for me:

  1. Attaching AWSKeyManagementServicePowerUser policy from the policy list (without that I got an error on "iam:listRole")

  2. Adding lambda:ListFunctions to the custom policy defined by @Matt Houser

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1464440182000",
                "Effect": "Allow",
                "Action": [
                    "lambda:InvokeAsync",
                    "lambda:InvokeFunction",
                    "lambda:ListFunctions"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

Ali Nem
5

Go to IAM, select the user and click on "Add permissions". In the list of permissions, you can simply search for all the policies with "lambda" in the name and check the ones you want in order to execute the Lambda from the console.

NealeU
mykey
4

If you just use the policies that AWS provides, you have to attach them to the user or to the group it belongs to.

2

I solved this by adding the AWSLambdaFullAccess permissions to the user.

  1. Within IAM Users, click add permissions
  2. Select "Attach existing policies directly"
  3. Search for AWSLambdaFullAccess, select it and click "Next: Review" at the bottom of the page.
  4. Click Add Permissions

And that should do it.

Enda Molloy
  • 1
    I had to add "AWSCodeDeployRoleForLambda" – Keith Norman Mar 27 '18 at 22:52
  • Agree with @KeithNorman, AWSLambdaFullAccess alone didn't do it for me. – dstudeba May 13 '19 at 03:20
  • 1
    note AWSLambdaFullAccess & AWSLambdaReadOnlyAccess are now deprecated. See here: https://docs.aws.amazon.com/lambda/latest/dg/security_iam_troubleshoot.html#security_iam_troubleshoot-admin-deprecation – mihaa123 Mar 29 '21 at 16:41
0

This worked for me:

{
    "Sid": "PermissionToInvoke",
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:*:*:*:*"
}
gildniy
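Added example (not code from the question or from any of the answers): a small JavaScript model of IAM identity-policy evaluation that shows, for the answers by Matt Houser (`Resource: "*"`), Jessica Bee (`arn:aws:lambda:us-east-1:*:*`) and gildniy (`arn:aws:lambda:*:*:*:*`), why the two execution-role policies the asker attached never grant `lambda:InvokeFunction` to the caller, how each `Resource` pattern matches (or fails to match) the function ARN from the error message, and what a policy scoped to one function and its aliases looks like instead of `"*"`. The policy documents for AWSLambdaExecute and AWSLambdaBasicExecutionRole are constructed approximations, the second function ARN is made up, and the evaluator deliberately ignores Condition, NotAction/NotResource, resource-based policies, permission boundaries and SCPs; it illustrates the matching rules, it is not AWS's evaluator.

```javascript
// Added example: a simplified model of IAM identity-policy evaluation.
// Rules modelled: an explicit Deny wins, otherwise any matching Allow grants,
// otherwise the request is implicitly denied. Action names match
// case-insensitively; resource ARNs match case-sensitively. The wildcards
// '*' and '?' are supported, and '*' also spans ':' and '/' (modelled after
// IAM's ARN wildcard matching), which is why 'arn:aws:lambda:us-east-1:*:*'
// can match 'arn:aws:lambda:us-east-1:123:function:f'.
// Not modelled (simplification): Condition, NotAction, NotResource,
// resource-based policies, permission boundaries, SCPs.

function wildcardToRegExp(pattern, caseInsensitive) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const body = escaped.replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + body + '$', caseInsensitive ? 'i' : '');
}

function matchesAny(patterns, value, caseInsensitive) {
  return [].concat(patterns).some(p => wildcardToRegExp(p, caseInsensitive).test(value));
}

// Returns 'explicitDeny', 'allow' or 'implicitDeny' for one action on one ARN.
function evaluate(policies, action, resourceArn) {
  let allowed = false;
  for (const policy of policies) {
    for (const stmt of [].concat(policy.Statement)) {
      if (!matchesAny(stmt.Action, action, true)) continue;
      if (!matchesAny(stmt.Resource, resourceArn, false)) continue;
      if (stmt.Effect === 'Deny') return 'explicitDeny';
      if (stmt.Effect === 'Allow') allowed = true;
    }
  }
  return allowed ? 'allow' : 'implicitDeny';
}

// Constructed approximations of the two managed policies from the question.
// Both are meant for a function's execution role: they cover CloudWatch Logs
// (and S3 object access), not lambda:InvokeFunction.
const AWSLambdaBasicExecutionRole = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow',
    Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
    Resource: '*' }],
};
const AWSLambdaExecute = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['logs:*'], Resource: 'arn:aws:logs:*:*:*' },
    { Effect: 'Allow', Action: ['s3:GetObject', 's3:PutObject'], Resource: 'arn:aws:s3:::*' },
  ],
};

// Least-privilege alternative to Resource "*": one function plus its qualified
// ARNs (versions and aliases are invoked as <function-arn>:<qualifier>).
function invokePolicyFor(functionArn) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'InvokeOneFunction',
      Effect: 'Allow',
      Action: ['lambda:InvokeFunction'],
      Resource: [functionArn, functionArn + ':*'],
    }],
  };
}

// Helper for the Resource patterns used in the answers above.
function allowInvokeOn(resource) {
  return { Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: ['lambda:InvokeFunction'], Resource: resource }] };
}

const ACTION = 'lambda:InvokeFunction';
const TEST1 = 'arn:aws:lambda:us-west-2:1221321312:function:test1';   // ARN from the error
const OTHER = 'arn:aws:lambda:us-west-2:1221321312:function:payroll'; // constructed ARN
const TEST1_PROD = TEST1 + ':prod';                                    // alias-qualified ARN

function demo() {
  return {
    // What the asker had: execution-role policies on the caller -> still denied.
    executionRolePolicies: evaluate([AWSLambdaExecute, AWSLambdaBasicExecutionRole], ACTION, TEST1),
    // Resource "*": works, but grants invoke on every function in every account.
    star: evaluate([allowInvokeOn('*')], ACTION, TEST1),
    starOther: evaluate([allowInvokeOn('*')], ACTION, OTHER),
    // arn:aws:lambda:*:*:*:*  -> every Lambda function, any region and account.
    lambdaWildcard: evaluate([allowInvokeOn('arn:aws:lambda:*:*:*:*')], ACTION, TEST1),
    // arn:aws:lambda:us-east-1:*:* is region-scoped: no match for a us-west-2 function.
    usEast1Only: evaluate([allowInvokeOn('arn:aws:lambda:us-east-1:*:*')], ACTION, TEST1),
    // Scoped policy: test1 and its aliases only.
    scoped: evaluate([invokePolicyFor(TEST1)], ACTION, TEST1),
    scopedAlias: evaluate([invokePolicyFor(TEST1)], ACTION, TEST1_PROD),
    scopedOther: evaluate([invokePolicyFor(TEST1)], ACTION, OTHER),
    // An explicit Deny in any attached policy overrides the Allow.
    denied: evaluate([invokePolicyFor(TEST1),
      { Statement: [{ Effect: 'Deny', Action: 'lambda:*', Resource: '*' }] }], ACTION, TEST1),
  };
}

console.log(demo());
```

The practical takeaway from the `scoped*` results is that the identity policy for the calling IAM user can name the one function it needs (plus `:*` for aliases and versions) rather than `"*"`; the `usEast1Only` result is the region mismatch to check first when a pattern copied from another answer still produces the AccessDeniedException.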