PRE-NOTE: I perform all of my AWS provisioning via an IAM-user console account that essentially has all of the privileges of the AWS/Amazon account owner. I'll call this IAM-user the root account.
Issue description:
The policy statement -- which validated correctly; the Sid value is altered for this post -- looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1111111111111",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:ListFunctions",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": [
                "arn:aws:lambda:*"
            ]
        }
    ]
}
Back at the laptop CLI, I issue the following command, which generates an AccessDeniedException:
user@linux$ aws lambda list-functions --profile lambda-test
Here is the exception:
An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: arn:aws:iam::<AWS-Account-ID>:user/lambda-test is not authorized to perform: lambda:ListFunctions
Did I miss something? (Of course I did. =:)) Thanks in advance!
There are two types of access policies you can use with AWS lambda:
1) Identity-Based Policies (IAM Policies). The one you are working with is an IAM policy. If you read this AWS Lambda access control overview documentation, when you are working with IAM-based access, right now AWS only supports * as the resource. Because "lambda:ListFunctions" can't be called with a full ARN (refer to this documentation for which actions can be called with a full ARN and which must be called with *), you need to give *.
In the current implementation, Lambda doesn't support identifying specific resources using the resource ARNs (also referred to as resource-level permissions) for some of the API actions, so you must specify a wildcard character (*).
2) Resource-Based Policies (Lambda Function Policies)
Each Lambda function can have resource-based permissions policies associated with it. For Lambda, a Lambda function is the primary resource and these policies are referred to as Lambda function policies. You can use a Lambda function policy to grant cross-account permissions as an alternative to using identity-based policies with IAM roles. For example, you can grant Amazon S3 permissions to invoke your Lambda function by simply adding permissions to the Lambda function policy instead of creating an IAM role.
And more examples are here.
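To see concretely why the question's "arn:aws:lambda:*" entry fails for ListFunctions while "*" works, here is an added Python example (not code from the question, the answer or AWS): a small IAM-style evaluator plus a lint that flags the mistake before deployment. It assumes, as the quoted AWS text states, that an action without resource-level support is evaluated against the literal resource "*"; the set of such actions is constructed from the answer (only lambda:ListFunctions) and is not a complete list.

```python
"""Mini IAM-style evaluator (added example, not AWS's own engine).

Assumption (from the AWS doc quoted in the answer): an action with no
resource-level support, such as lambda:ListFunctions, is evaluated against
the literal resource "*", so only a statement whose Resource is "*" can match.
"""
import json
import re

WILDCARD_ONLY_ACTIONS = {"lambda:ListFunctions"}  # constructed from the answer, not complete

# The question's policy (Resource limited to arn:aws:lambda:*) and the fixed variant.
ORIGINAL_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["lambda:GetFunction", "lambda:ListFunctions",
             "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"],
  "Resource": ["arn:aws:lambda:*"]}]}""")
FIXED_POLICY = json.loads(json.dumps(ORIGINAL_POLICY))
FIXED_POLICY["Statement"][0]["Resource"] = ["*"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run, '?' one char, the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource=None):
    """Evaluate one request against an identity policy; an explicit Deny wins."""
    if resource is None:  # no ARN in the request: IAM matches against the literal "*"
        resource = "*" if action in WILDCARD_ONLY_ACTIONS else ""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(_iam_match(p, action, True) for p in _as_list(stmt["Action"]))
        hit_resource = any(_iam_match(p, resource) for p in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def wildcard_only_violations(policy):
    """Lint: Allow statements granting a wildcard-only action without Resource '*'."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" not in _as_list(stmt["Resource"]):
            bad += [a for a in _as_list(stmt["Action"]) if a in WILDCARD_ONLY_ACTIONS]
    return bad

if __name__ == "__main__":
    print(is_allowed(ORIGINAL_POLICY, "lambda:ListFunctions"))  # False: the AccessDenied
    print(is_allowed(FIXED_POLICY, "lambda:ListFunctions"))     # True
    print(wildcard_only_violations(ORIGINAL_POLICY))            # ['lambda:ListFunctions']
```

The real check is `aws iam simulate-principal-policy`; this local version only reproduces the wildcard rule the answer describes.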