Lambda.InvokeAccessDenied from Kinesis Firehose

Question

I'm trying to set up Lambda transformations with a Firehose delivery stream. I have an IAM role defined for the Firehose which includes the following policy document:

{
    "Statement": {
        "Action": [
            "lambda:InvokeFunction",
            "lambda:GetFunctionConfiguration"
        ],
        "Resource": [<Arn>, ...],
        "Effect": "Allow"
    }
}

I've also granted sts:AssumeRole access to the Lambda role from Firehose.

This should theoretically grant my Firehose "Invoke" access to the specified lambda ARNs. But the transforms are failing with

{
  "errorCode":"Lambda.InvokeAccessDenied",
  "errorMessage":"Access was denied. Ensure that the access policy allows access to the Lambda function."
}

and no function invocations are apparent from the Lambda console. Do I have my IAM components configured correctly? Or could something else be going wrong here?

score 17 · Answer 1 · edited Mar 28 '18 at 01:20

17

This statement works for me. Note the :* at the end of the resource.

{
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "lambda:InvokeFunction",
        "lambda:GetFunctionConfiguration"
    ],
    "Resource": "arn:aws:lambda:us-west-2:11111111111:function:transform-lambda:*"
}

edited Mar 28 '18 at 01:20

answered Mar 28 '18 at 01:14

whileloop

194
2

I added another answer but commenting here as well -- in my case I had to point my delivery stream to a particular version of the Lambda function instead of just `$LATEST` in order for it to start working. I'm not sure if both of these things are needed to get it working, but the permissions change listed above are fine to make anyways. – Mike Maxwell Aug 15 '23 at 00:35

score 3 · Accepted Answer · answered Mar 19 '18 at 21:48

3

Elsewhere in the ProcessingConfiguration for my Firehose, I had supplied a role to execute the lambda which did not have adequate permissions. By removing

- ParameterName: RoleArn
  ParameterValue:
    Fn::GetAtt: [<Role>, Arn]

from the ProcessingConfiguration config set, the lambda was able to execute successfully using the appropriate role/policy.

answered Mar 19 '18 at 21:48

Nathan Brown

311
1
3
12

An `iam:passRole` block can be added to the Kinesis role instead of removing the ProcessingConfiguration RoleArn config. – naaman Jun 20 '21 at 22:04

score 0 · Answer 3 · answered Mar 11 '18 at 02:15

While a new stream is created, kinesis stream creates a default IAM policy for triggering lambda?

I was able to test sending data from Kinesis stream to lambda.

The policy I had is as below,

{ "Sid": "", "Effect": "Allow", "Action": [ "lambda:InvokeFunction", "lambda:GetFunctionConfiguration" ], "Resource": "lambda-arn" }, { "Sid": "", "Effect": "Allow", "Action": [ "logs:PutLogEvents" ], "Resource": [ "*" ] }, { "Sid": "", "Effect": "Allow", "Action": [ "kinesis:DescribeStream", "kinesis:GetShardIterator", "kinesis:GetRecords" ], "Resource": "kinesis-arn" },

score 0 · Answer 4 · answered Aug 15 '23 at 00:34

I have a feeling whileloop's answer is correct, though in my case I made the listed change to my delivery stream's IAM policy and it didn't fix the access denied issue. However, on a whim I created a version of my Lambda function and configured the Firehose delivery stream to point to that particular version (i.e. 1) rather than $LATEST and THAT resolved the error for me. So I'm not sure if one or both of these are needed, but I wanted to provide my experience in case it helps others get past the issue.

Lambda.InvokeAccessDenied from Kinesis Firehose

4 Answers4

Linked