
AWS Lambda not authorised to perform action listed in permissions


I have a very simple AWS Lambda function - just listing all my CloudWatch events:

import boto3

def lambda_handler(event, context):
    client = boto3.client("events")
    return client.list_rules()

However, when I try to run it (with an empty test event: {}), I am getting the following permissions exception:

An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName 
is not authorized to perform: events:ListRules 
on resource: arn:aws:events:eu-west-1:123321123321:rule/*

I do have this policy attached to the lambda execution role (and I can see the actions listed in the permissions tab on the lambda):

{
  "document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "BasicCloudWatchEventsManager",
        "Effect": "Allow",
        "Action": [
          "events:DescribeRule",
          "events:EnableRule",
          "events:PutRule",
          "events:ListRules",
          "events:DisableRule"
        ],
        "Resource": "arn:aws:events:*:*:rule/[*/]*"
      }
    ]
  },
  "name": "BasicCloudWatchEventsManager",
  "id": "SOME7LONG7ID",
  "type": "managed",
  "arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}

I've built the policy using the visual editor they provide, just changed the sid manually.

Any clues what might be missing?


Solution

  • After a lot of frustration, I figured it out. In the visual policy editor, selecting the resource as any rule, adding an ARN and selecting "any" for all options will add this line to the policy:

    "Resource": "arn:aws:events:*:*:rule/[*/]*"
    

    What this is meant to stand for is:

    • an events resource
    • in any (*) region
    • on any account
    • in any event bus, if the rule belongs to one (this is the [*/] part)
    • with any name

    However, it looks like Amazon's logic is slightly broken: the optional part doesn't work and is probably taken literally. So what I had to do to fix it is to change this to:

    "Resource": "arn:aws:events:*:*:rule/*"
    

    With this it works without issues.
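To make the matching behaviour concrete, here is an added Python illustration (not code from the question or the answer) of how IAM-style wildcard matching treats both Resource patterns. It assumes the standard IAM semantics where only `*` and `?` are wildcards and every other character, square brackets included, must match literally; the sample ARNs are constructed.

```python
import re

# Added illustration, not part of the original post. Assumption: IAM compares a
# policy Resource pattern against a request ARN as a case-sensitive string in
# which "*" matches any run of characters (including "/"), "?" matches exactly
# one character, and everything else, "[" and "]" included, is matched literally.

def iam_pattern_to_regex(pattern):
    """Translate an IAM Resource/ARN wildcard pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # "[" and "]" are escaped, i.e. literal
    return re.compile("^" + "".join(parts) + "$")

def resource_matches(pattern, arn):
    """True if the policy pattern would cover this request ARN."""
    return iam_pattern_to_regex(pattern).fullmatch(arn) is not None

def explain(pattern, arns):
    """Evaluate one Resource pattern against several ARNs; returns {arn: allowed}."""
    return {arn: resource_matches(pattern, arn) for arn in arns}

# Constructed sample ARNs: a rule on the default bus, a rule on a custom bus
# (the bus name is an extra path segment), and the "rule/*" shape from the error.
SAMPLE_ARNS = [
    "arn:aws:events:eu-west-1:123321123321:rule/nightly-cleanup",
    "arn:aws:events:eu-west-1:123321123321:rule/my-bus/nightly-cleanup",
    "arn:aws:events:eu-west-1:123321123321:rule/*",
]

BROKEN_PATTERN = "arn:aws:events:*:*:rule/[*/]*"  # what the visual editor produced
FIXED_PATTERN = "arn:aws:events:*:*:rule/*"       # the working replacement

if __name__ == "__main__":
    for label, pat in (("broken", BROKEN_PATTERN), ("fixed", FIXED_PATTERN)):
        print(f"{label}: {pat}")
        for arn, ok in explain(pat, SAMPLE_ARNS).items():
            print(f"  {'allow' if ok else 'DENY '}  {arn}")
```

The broken pattern only covers rule names that literally begin with `[` and contain `/]`, which is why every real rule was denied.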