
I have a Kinesis Firehose instance, which is set up to call a lambda function to transform incoming records. This works fine when I allow the firehose's IAM role full access to lambda, using the AWS-managed AWSLambdaFullAccess policy.

However, it stops working when I restrict the role to a custom policy, only allowing `lambda:InvokeFunction` on the specific function. It produced an error message of "Access was denied. Ensure that the access policy allows access to the Lambda function."

Reading the documentation doesn't shed any light on what permissions are required, and the Access Advisor doesn't seem to give granular enough information to allow me to work out what is required.

Can anyone advise?

paulmdavies
  • Check out this answer - it solved it for me. The problem was the missing ":*" on the end of the resource name - it needs access to all versions of the function. https://stackoverflow.com/a/49524607/923410 – Rob Potter Sep 07 '20 at 22:55
  • Stumbling upon this very same problem, the resource name includes the `:*` at the end. @paulmdavies how did you solve it? – Stefano Messina Aug 05 '21 at 13:14
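
The resource-name point raised in the first comment, as an added example that is not part of the original post or its comments: a simplified Python evaluator showing that a `Resource` naming only the bare function ARN does not match a version-qualified ARN, while the `:*` form does. The region, account id and function name are constructed placeholders, and the evaluator models only Allow statements with `Action`/`Resource` and the `*`/`?` wildcards.

```python
import re

def iam_match(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(x):
    return [x] if isinstance(x, (str, dict)) else list(x)

def allows(policy, action, arn):
    """True if some Allow statement covers action on arn.
    Simplified model: ignores Deny, Condition, NotAction and NotResource."""
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive; resource ARNs are compared as written.
        act_ok = any(iam_match(a.lower(), action.lower())
                     for a in as_list(st.get("Action", [])))
        res_ok = any(iam_match(r, arn) for r in as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False

def check_invoke(policy, function_arn, qualifier="$LATEST"):
    """Report whether InvokeFunction is allowed on the bare and the qualified ARN."""
    action = "lambda:InvokeFunction"
    return {
        "unqualified": allows(policy, action, function_arn),
        "qualified": allows(policy, action, f"{function_arn}:{qualifier}"),
    }

# Constructed sample values: region, account id and function name are placeholders.
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:example-transform"

def invoke_policy(resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "lambda:InvokeFunction",
                           "Resource": resources}]}

NARROW = invoke_policy(FUNCTION_ARN)                          # function ARN only
WIDENED = invoke_policy([FUNCTION_ARN, FUNCTION_ARN + ":*"])  # plus all versions

if __name__ == "__main__":
    for name, pol in (("narrow", NARROW), ("widened", WIDENED)):
        print(name, check_invoke(pol, FUNCTION_ARN))
```

Listing both the bare ARN and the `:*` form keeps the grant scoped to one function while covering every version and alias of it.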

0 Answers