Lambda.InvokeAccessDenied from Kinesis Firehose

I'm trying to set up Lambda transformations with a Firehose delivery stream. I have an IAM role defined for the Firehose which includes the following policy document:

    "Statement": {
        "Action": [
        "Resource": [<Arn>, ...],
        "Effect": "Allow"

I've also granted sts:AssumeRole access to the Lambda role from Firehose.

This should theoretically grant my Firehose "Invoke" access to the specified lambda ARNs. But the transforms are failing with

  "errorMessage":"Access was denied. Ensure that the access policy allows access to the Lambda function."

and no function invocations are apparent from the Lambda console. Do I have my IAM components configured correctly? Or could something else be going wrong here?


  • Elsewhere in the ProcessingConfiguration for my Firehose, I had supplied a role to execute the lambda which did not have adequate permissions. By removing

    - ParameterName: RoleArn
      ParameterValue:
        Fn::GetAtt: [<Role>, Arn]

    from the ProcessingConfiguration config set, the lambda was able to execute successfully using the appropriate role/policy.
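
Added example, not part of the original answer: a small offline check that works out which role a destination configuration will use for the Lambda processor and whether that role's policies allow `lambda:InvokeFunction` on the function. The ARNs, role names, the `ExtendedS3DestinationConfiguration`-style dictionary layout and the simplified policy evaluation (no conditions, `NotAction` or resource-based policies) are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample values (not from the original post).
FN = "arn:aws:lambda:us-east-1:111122223333:function:transform"
DELIVERY = "arn:aws:iam::111122223333:role/firehose-delivery"
OTHER = "arn:aws:iam::111122223333:role/lambda-exec"
POLICIES = {
    DELIVERY: [{"Statement": {"Action": ["lambda:InvokeFunction"],
                              "Resource": [FN, FN + ":*"], "Effect": "Allow"}}],
    OTHER: [{"Statement": [{"Action": "logs:*", "Resource": "*", "Effect": "Allow"}]}],
}

def as_list(v):
    return v if isinstance(v, list) else [v]

def invoke_role(dest):
    """Role used for the Lambda processor: its own RoleArn parameter if set,
    otherwise the destination's RoleARN (the behaviour the answer describes)."""
    role, fn = dest["RoleARN"], None
    for proc in dest.get("ProcessingConfiguration", {}).get("Processors", []):
        if proc.get("Type") == "Lambda":
            params = {p["ParameterName"]: p["ParameterValue"] for p in proc["Parameters"]}
            role, fn = params.get("RoleArn", role), params.get("LambdaArn")
    return role, fn

def allows(docs, action, resource):
    """Simplified IAM check: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for st in (s for d in docs for s in as_list(d["Statement"])):
        hit = (any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
               and any(fnmatchcase(resource, r) for r in as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def check(dest, role_policies):
    role, fn = invoke_role(dest)
    return role, fn is not None and allows(role_policies.get(role, []), "lambda:InvokeFunction", fn)

def sample_dest(with_role_param):
    params = [{"ParameterName": "LambdaArn", "ParameterValue": FN}]
    if with_role_param:
        params.append({"ParameterName": "RoleArn", "ParameterValue": OTHER})
    return {"RoleARN": DELIVERY, "ProcessingConfiguration": {
        "Enabled": True, "Processors": [{"Type": "Lambda", "Parameters": params}]}}

if __name__ == "__main__":
    print(check(sample_dest(True), POLICIES), check(sample_dest(False), POLICIES))
```

With the extra `RoleArn` parameter present, the check reports the under-privileged role and a denied invoke; without it, the delivery role is used and the invoke is allowed.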