stackoom
  简体   繁体   中英

AWS IAM Lambda "is not authorized to perform: lambda:GetFunction"

 原文  2017-06-06 03:47:50       amazon-web-services/ aws-lambda/ amazon-iam

Question

When I have my IAM Policy for my lambda execution role set to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

I get this error:

[AccessDeniedException: User:
arn:aws:sts::xxx:assumed-role/supercoolsoftware-dev-us-west-2-lambdaRole/supercoolsoftware-dev-addEmail
is not authorized to perform: 
lambda:GetFunction on resource:
arn:aws:lambda:us-west-2:xxx:function:supercoolsoftware-dev-dailyEmail]

However, when I set the policy to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

The error is gone... What else do I need to add?

3 answers

solution1
 9 ACCPTED  2017-06-06 03:53:50

Figured it out. Apparently the SDK uses "lambda:GetFunctionConfiguration" as well. Once I included that it all worked. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

solution2
 2  2017-10-12 07:28:36

For anyone getting this error after the alexa.design/cli tutorial,

ASK_CLI_USER is not authorized to perform: lambda:GetFunction on resource

The issue for me was not "lambda:GetFunctionConfiguration" but instead the Resource line below it due to the "ask-" prefix:

"Resource": "arn:aws:lambda:*:*:function:ask-*"

Changing it to this solved my issue:

"Resource": "arn:aws:lambda:*:*:function:*"

solution3
 0  2022-05-05 07:50:55

Post 2022

The solution is as CamHart said, but there is a twist.

They apparently renamed these permissions. You must now use lambda:InvokeFunction and lambda:InvokeFunctionConfiguration instead of lambda:GetFunction and lambda:GetFunctionConfiguration

Exemple

JSON 

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:GetFunction",
      "lambda:GetFunctionConfiguration"
    ],
    "Resource": [
      "*"
    ]
  }
]

YAML 

Statement:
- Effect: Allow
  Action:
  - lambda:InvokeFunction
  - lambda:InvokeFunctionConfiguration
  Resource: '*'

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AccessDeniedException: User: arn:aws:iam::xxxxxxx:root is not authorized to perform: lambda:UpdateFunctionCode AWS boto3 User: arn:aws:iam::xxxx:root is not authorized to perform: lambda:AddLayerVersionPermission on resource How to setup IAM policy for AWS Lambda in VPC to resolve error “You are not authorized to perform: CreateNetworkInterface.” Error code: AccessDeniedException. User: arn:aws:iam::xxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: * Not authorized to perform: dynamodb:Scan Lambda Lambda is not authorized to perform: dynamodb:GetItem aws lambda - user is not authorized to perform: cognito-idp:ListUsers on resource User is not authorized to perform lambda function AWS EKS "is not authorized to perform: iam:CreateServiceLinkedRole" Run AWS lambda as an IAM user
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM