
PRE-NOTE: I perform all of my AWS provisioning via an IAM-user console account that essentially has all of the privileges of the AWS/Amazon account owner. I'll call this IAM-user the root account.

Issue description:

  • From the root account I created the following IAM-user, with programmatic only access: lambda-test
  • I added its IAM access keys (as a profile entry) in my ~/.aws/* files.
  • For that lambda-test account, I next created an Inline/Embedded policy that allows the following AWS-Lambda operations: ListFunctions, GetFunction, UpdateFunctionCode, UpdateFunctionConfiguration

The policy statement -- which validated correctly -- looks like this (the Sid has been altered for this post):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1111111111111",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:ListFunctions",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": [
                "arn:aws:lambda:*"
            ]
        }
    ]
}

Back at the laptop CLI, I issue the following command, which generates an AccessDeniedException:

user@linux$ aws lambda list-functions --profile lambda-test

Here is the exception:

An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: arn:aws:iam::<AWS-Account-ID>:user/lambda-test is not authorized to perform: lambda:ListFunctions

Did I miss something? (Of course I did. =:)) Thanks in advance!

NYCeyes

2 Answers


There are two types of access policies you can use with AWS lambda:

1) Identity-Based Policies (IAM Policies)

The one you are working with is an IAM policy. If you read this AWS Lambda access control overview documentation, when you are working with IAM-based access, right now AWS only supports * as the resource. Because "lambda:ListFunctions" can't be called with a full ARN (refer to this documentation for which actions can be called with a full ARN and which can be called with *), you need to give *.

In the current implementation, Lambda doesn't support identifying specific resources using the resource ARNs (also referred to as resource-level permissions) for some of the API actions, so you must specify a wildcard character (*).

2) Resource-Based Policies (Lambda Function Policies)

Each Lambda function can have resource-based permissions policies associated with it. For Lambda, a Lambda function is the primary resource and these policies are referred to as Lambda function policies. You can use a Lambda function policy to grant cross-account permissions as an alternative to using identity-based policies with IAM roles. For example, you can grant Amazon S3 permissions to invoke your Lambda function by simply adding permissions to the Lambda function policy instead of creating an IAM role.

And more examples are here

kosa
  • Nambari, thank you for the excellent walk-through. Applying the single asterisk '*' worked. I have to study my use-case to see if I can leverage a Resource-Based policy instead (since it appears more secure). Thank you again. :) – NYCeyes May 15 '17 at 19:29
  • Btw, the docs are a little head-scratching, because this reference document appears to suggest that full ARNs are supported for lambda:ListFunctions - http://amzn.to/2pDsu8l ; out of curiosity I tried the full-ARN pattern shown, and it doesn't work. :) – NYCeyes May 15 '17 at 20:00
  • 1
    @prismalytics.io I should correct myself, If you carefully look at link you provided, 'ListFunctions' accepts only *, but other function like 'GetFunction' can be called with full ARN. In this case, you were trying to call list function without *, which is why you were getting error. For simple test, if you just keep "GetFunction' in list of actions, then you don't need to give *, you can just give full ARN. Hope now it is clear. – kosa May 15 '17 at 20:36
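The split the accepted answer describes, written out as an added example (not code from the question or the answer): ListFunctions gets the bare "*" it requires, while the per-function actions are scoped to one function ARN instead of a wildcard. The account id and function name in the fixed policy are placeholders, and the check only knows about the one wildcard-only action this thread discusses.

```python
# Lambda actions that, per the accepted answer, do not support resource-level
# permissions: a statement granting them must use Resource "*" exactly.
# (Assumption: limited to the action discussed on this page.)
WILDCARD_ONLY_ACTIONS = {"lambda:ListFunctions"}

# The poster's policy, reduced to the statement that fails (Sid altered).
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1111111111111", "Effect": "Allow",
    "Action": ["lambda:GetFunction", "lambda:ListFunctions",
               "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"],
    "Resource": ["arn:aws:lambda:*"]}]}

# Corrected least-privilege policy (constructed for this example): the list
# call gets the mandatory "*", the per-function calls are scoped to a single
# function ARN. Account id 111122223333 and "my-function" are placeholders.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListAllFunctions", "Effect": "Allow",
     "Action": ["lambda:ListFunctions"], "Resource": "*"},
    {"Sid": "ManageOneFunction", "Effect": "Allow",
     "Action": ["lambda:GetFunction", "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"],
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-function"},
]}


def _as_list(value):
    # IAM allows "Action"/"Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]


def find_wildcard_violations(policy):
    """Return (sid, action, resource) for every Allow statement that pairs a
    wildcard-only action with a resource other than the bare "*"."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action not in WILDCARD_ONLY_ACTIONS:
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource != "*":
                    problems.append((stmt.get("Sid"), action, resource))
    return problems
```

Running the check on the original policy reports the ListFunctions statement with its partial ARN; the fixed policy reports nothing.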

Not the OP's issue, but for others coming across this from Google:
Make sure you have Console sign-in enabled for the IAM user you are using. This can be set under IAM -> Users -> (select user) -> Security credentials