
I'm issuing an STS token for a user interface that includes the following statement for lambda permissions:

   {
     "Sid" : "AllowUserInvokeLambda",
     "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
     ],
     "Effect": "Allow",
     "Resource": [
         "arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
         "arn:aws:lambda:us-east-2:*:function:ImageScanner"
     ]
   },

When I try to invoke the function from the aws-sdk.js in the browser, I get back an error with the message:

"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"

Am I missing something in that policy?

Scott
  • https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/ – Tuan Vo Dec 11 '19 at 00:01
  • I don't need my lambda function to assume the other role. I need the other role to invoke the lambda function – Scott Dec 11 '19 at 16:10
  • (among other things, that link includes code that runs inside the lambda function and the permissions just allow the code to work - the error I'm getting means it's not even getting to running the lambda function) – Scott Dec 11 '19 at 16:41

1 Answer


I found the issue: your policy is missing the account number, so it should be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserInvokeLambda",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:lambda:ap-southeast-2:012345678901:function:*"
      ]
    }
  ]
}

Note: Also, you should assign this policy to the role you are assuming, not to the user who is assuming. Can you confirm that part?

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

Arun Kamalanathan
  • was it the issue? – Arun Kamalanathan Dec 11 '19 at 00:56
  • for testing purposes I have the role set as LambdaFullAccess – Scott Dec 11 '19 at 15:25
  • The policy I included in the post is from the request to get the temporary credentials. There are also permissions to modify specific S3 bucket which are working fine. I also tried it first with globbing the function name also with the same result. I haven't tested it recently but I'm pretty sure the CreateThumbnail was working fine in an earlier test. – Scott Dec 11 '19 at 16:43
  • by the way, `LambdaFullAccess` doesn't have `InvokeFunction` – Arun Kamalanathan Dec 11 '19 at 23:23
  • LambdaFullAccess has lambda:* (which means it has InvokeFunction) – Scott Dec 12 '19 at 16:21
  • re: missing account number. Similar to the lambda:*, do you not understand how globbing works? Putting a '*' in the account number field means any account. I won't approve the answer because it doesn't help. – Scott Dec 12 '19 at 16:24
  • besides, I needed a solution and since working answers weren't forthcoming (I also tried an extra :* in the original test before posting - same result) I just reverted to using a REST call to the GatewayAPI – Scott Dec 12 '19 at 16:26
  • you are right, `LambdaFullAccess` has `lambda.*`, sorry about that – Arun Kamalanathan Dec 12 '19 at 20:36
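The thread above turns on two separate questions: whether a `Resource` ARN pattern with `*` in the account segment matches the function ARN from the error message, and whether the statement sent to STS is even the policy that decides the request. The following is an added example (not code from either poster) that models both with a deliberately simplified evaluator: a request through an STS session is allowed only if the role's identity policy allows it AND the session policy passed to STS allows it, with an explicit `Deny` in either winning. The policies, the `ROLE_POLICY_*` names, the `explain` helper and the "list/get only" role are constructed for the demonstration; the `ImageScanner` ARN is the one quoted in the question's error. The real AWS evaluator also consults resource-based policies, permission boundaries and SCPs, which this model omits, so use it to reason about the role-vs-session intersection, not as an authoritative simulator.

```python
"""Simplified IAM evaluation for an STS session (added example, constructed data).

Model: allowed  <=>  role identity policy allows  AND  session policy allows,
with an explicit Deny in either policy winning. Resource policies, permission
boundaries and SCPs are deliberately left out of this toy.
"""
import re
from typing import Any, Dict, List

# Constructed policies for the example (account IDs and roles are not real).
# The session policy mirrors the statement from the question (note the '*' in
# the account segment of each ARN).
SESSION_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowUserInvokeLambda",
        "Effect": "Allow",
        "Action": ["lambda:InvokeAsync", "lambda:InvokeFunction"],
        "Resource": [
            "arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
            "arn:aws:lambda:us-east-2:*:function:ImageScanner",
        ],
    }],
}

# Two hypothetical identity policies attached to the assumed role.
ROLE_POLICY_FULL: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
}
ROLE_POLICY_LIST_ONLY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["lambda:ListFunctions", "lambda:GetFunction"],
                   "Resource": "*"}],
}

# Function ARN quoted in the question's error message.
IMAGE_SCANNER_ARN = "arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"


def _as_list(value: Any) -> List[str]:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def glob_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (colons
    included), '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def arn_matches(pattern: str, arn: str) -> bool:
    """Resource ARNs are matched case-sensitively, wildcard in any segment."""
    return glob_match(pattern, arn)


def policy_allows(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """Evaluate one policy document: explicit Deny beats Allow, no matching
    statement is an implicit deny. Action names compare case-insensitively."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(glob_match(a, action, case_insensitive=True)
                   for a in _as_list(stmt.get("Action"))):
            continue
        if not any(arn_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def session_allows(role_policy: Dict[str, Any], session_policy: Dict[str, Any],
                   action: str, resource: str) -> bool:
    """A session policy can only narrow the role's permissions, never widen them."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))


def explain(role_policy: Dict[str, Any], session_policy: Dict[str, Any],
            action: str, resource: str) -> str:
    """Say which side of the intersection blocked the request, if any."""
    role_ok = policy_allows(role_policy, action, resource)
    sess_ok = policy_allows(session_policy, action, resource)
    if role_ok and sess_ok:
        return "allowed"
    blockers = [name for name, ok in (("role policy", role_ok),
                                      ("session policy", sess_ok)) if not ok]
    return "denied by " + " and ".join(blockers)


if __name__ == "__main__":
    for label, role in (("role with lambda:*", ROLE_POLICY_FULL),
                        ("role with list/get only", ROLE_POLICY_LIST_ONLY)):
        print(f"{label}: "
              f"{explain(role, SESSION_POLICY, 'lambda:InvokeFunction', IMAGE_SCANNER_ARN)}")
    # The answer's pattern is in a different region, so it cannot match this ARN.
    print("ap-southeast-2 pattern vs us-east-2 ARN:",
          arn_matches("arn:aws:lambda:ap-southeast-2:012345678901:function:*",
                      IMAGE_SCANNER_ARN))
```

Under this model the question's pattern does match the `ImageScanner` ARN, and the only way the intersection fails is on the role side, which is why the assumed role's own identity policy (and any boundary or SCP above it) is the first thing to check when a session policy looks right.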