
AccessDeniedException: User: arn:aws:iam::xxxxxxx:root is not authorized to perform: lambda:UpdateFunctionCode


Sorry for this lengthy post! I have tried my best to keep it as short as possible but wanted to put all information I have to explain the situation clearly.

My issue is related to AWS Lambda function deployment using JOVO CLI.

Every time I am trying to deploy the skill function from my local to Lambda, I am getting the following error block. I don't know how to resolve it.

$ jovo deploy -t lambda --ask-profile officialProfile

AccessDeniedException: User: arn:aws:iam::xxxxxxxxx:root is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-east-1:109918021270:function:sampleProjectNotes

But I can get both the $ jovo get alexaSkill --skill-id <Skill ID> --ask-profile officialProfile and $ jovo deploy --ask-profile officialProfile (without any additional parameter) commands to run without any issue.

For deploying the code from local, I created an ASK profile by logging in as IAM user. Here are the steps I followed:

  1. ask init -p officialProfile
  2. Logged in with IAM user credential (Email and password) created by my employer
  3. Got the success message saying that the profile has been created

After doing some research, I created a policy in the AWS console and added the following JSON to it.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole",
            "iam:GetRole",
            "iam:AttachRolePolicy",
            "iam:PassRole",
            "lambda:AddPermission",
            "lambda:CreateFunction",
            "lambda:GetFunction",
            "lambda:UpdateFunctionCode",
            "lambda:UpdateFunctionConfiguration",
            "lambda:ListFunctions",
            "logs:FilterLogEvents",
            "logs:getLogEvents",
            "logs:describeLogStreams"
        ],
        "Resource": "*"
    }
}

Then added the following Permissions to my IAM user:

  • AWSLambdaFullAccess
  • AWSCodeDeployRoleForLambda
  • and the above Policy I created earlier

But nothing is working. I am still getting the same error while deploying the code to Lambda.

My senior said that maybe the problem is that I am trying to access AWS as the root user and I need to use my user's ARN. I am unable to understand how to use or configure it.

I received an email invite which I am using to log in to Alexa console for building the skill. And when I created the ASK profile, I logged in using the same email address and password. Is this a root account?

Meanwhile, I have found this article. I have the AWS Access Key ID and AWS Secret Access Key with me as well. But I would like to be sure about what I am doing, because there is already an ASK profile I created and I don't know if that would cause any further issue.

I was building skills from my personal AWS root account till now. This is the first time I am using an IAM user account.

UPDATE:

According to @Paradigm's instruction, when I tried ask deploy, the following error appeared:

Get Lambda ARN arn:aws:lambda:us-east-1:xxxxxxxx:function:sampleProjectNotes failure for custom/NA.
AccessDeniedException: User: arn:aws:iam::xxxxxxxx:root is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:us-east-1:xxxxxxxx:function:sampleProjectNotes

Solution

  • It looks like your ASK CLI is using the AWS credentials for your personal account and not your company account.

    You would need to run the "ask configure" command to set up the AWS credentials correctly for your officialProfile.

    $ ask configure --profile officialProfile --aws-setup
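
As an added example (not part of the original post or answer, and not code from the ASK or Jovo CLI), the sketch below parses the AccessDeniedException text quoted in the question to show which principal signed the request and whether its account matches the account that owns the function. The function name `diagnose`, the finding labels and the sample account IDs are assumptions constructed for illustration.

```python
import re

# Shape of the AccessDeniedException text quoted in the question.
# The "on resource:" part is optional because some messages omit it.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::(?P<p_acct>[^:]+):(?P<p_res>\S+)) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>arn:aws:[^:]*:[^:]*:(?P<r_acct>[^:]*):\S+))?"
)

def diagnose(message):
    """Return who was denied which action on what, plus a list of findings."""
    m = DENIED.search(message)
    if m is None:
        return None
    d = m.groupdict()
    findings = []
    # A principal of "<account>:root" means the request was signed with that
    # account's root access keys, not with an IAM user's or role's keys.
    # Policies attached to an IAM user do not apply to such a request.
    if d["p_res"] == "root":
        findings.append("root-credentials")
    # Compare account IDs only when both are real 12-digit IDs; masked
    # values such as "xxxxxxxx" or a missing resource cannot be compared.
    p_acct, r_acct = d["p_acct"], d["r_acct"] or ""
    if p_acct.isdigit() and r_acct.isdigit():
        if p_acct != r_acct:
            findings.append("cross-account")
    else:
        findings.append("account-id-unknown")
    return {"principal": d["principal"], "action": d["action"],
            "resource": d["resource"], "findings": findings}

# Constructed sample messages; the account IDs are placeholders.
FN = "arn:aws:lambda:us-east-1:222222222222:function:sampleProjectNotes"
SAMPLES = [
    "AccessDeniedException: User: arn:aws:iam::111111111111:root is not "
    "authorized to perform: lambda:UpdateFunctionCode on resource: " + FN,
    "AccessDeniedException: User: arn:aws:iam::222222222222:user/dev is not "
    "authorized to perform: lambda:UpdateFunctionCode on resource: " + FN,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = diagnose(sample)
        print(result["principal"], result["action"], result["findings"])
```

A result with both `root-credentials` and `cross-account` matches the situation the answer describes: the CLI profile holds keys for a different account than the one that owns the function. An empty findings list points to a plain permissions gap on the IAM user instead.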