Sorry for this lengthy post! I have tried my best to keep it as short as possible but wanted to put all information I have to explain the situation clearly.
My issue is related to AWS Lambda function deployment using JOVO CLI.
Every time I am trying to deploy the skill function from my local to Lambda, I am getting the following error block. I don't know how to resolve it.
$ jovo deploy -t lambda --ask-profile officialProfile
AccessDeniedException: User: arn:aws:iam::xxxxxxxxx:root is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-east-1:109918021270:function:sampleProjectNotes
But I can get both the $ jovo get alexaSkill --skill-id <Skill ID> --ask-profile officialProfile and $ jovo deploy --ask-profile officialProfile (without any additional parameter) commands to run without any issue.
For deploying the code from local, I created an ASK profile by logging in as an IAM user. Here are the steps I followed:
- ask init -p officialProfile
- Logged in with the IAM user credentials (email and password) created by my employer
- Got the success message saying that the profile has been created
After doing some research, I created a policy under the AWS console and added the following JSON to it.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "iam:CreateRole",
          "iam:GetRole",
          "iam:AttachRolePolicy",
          "iam:PassRole",
          "lambda:AddPermission",
          "lambda:CreateFunction",
          "lambda:GetFunction",
          "lambda:UpdateFunctionCode",
          "lambda:UpdateFunctionConfiguration",
          "lambda:ListFunctions",
          "logs:FilterLogEvents",
          "logs:getLogEvents",
          "logs:describeLogStreams"
        ],
        "Resource": "*"
      }
    }
Then added the following Permissions to my IAM user:
- AWSLambdaFullAccess
- AWSCodeDeployRoleForLambda
- and the above Policy I created earlier
But nothing is working. I am still getting the same error while deploying the code to Lambda.
My senior said that maybe the problem is that I am trying to access AWS as the root user and I need to use my user's ARN. I am unable to understand how to use or configure it.
I received an email invite which I am using to log in to the Alexa console for building the skill.
And when I created the ASK profile, I logged in using the same email address and password. Is this a root account?
Meanwhile, I have found this article. AWS Access Key ID and AWS Secret Access Key are with me as well. But I would like to be sure about what I am doing, because there is already an ASK profile I created, and whether that would cause any further issue.
I was building skills from my personal AWS root account till now. This is the first time I am using an IAM user account.
UPDATE:
According to @Paradigm's instruction, when I tried ask deploy, the following error appeared:
Get Lambda ARN arn:aws:lambda:us-east-1:xxxxxxxx:function:sampleProjectNotes failure for custom/NA.
AccessDeniedException: User: arn:aws:iam::xxxxxxxx:root is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:us-east-1:xxxxxxxx:function:sampleProjectNotes
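
Added example, not part of the original post: a small Python parser for the AccessDeniedException text quoted above that reports which kind of principal signed the denied call and whether caller and function sit in different accounts. The 12-digit account IDs in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

# Message shape as quoted in the post (AWS AccessDeniedException text).
DENIED = re.compile(
    r"User: arn:aws[\w-]*:(?:iam|sts)::(?P<p_acct>[^:]*):(?P<p_res>\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: arn:aws[\w-]*:[\w-]+:[\w-]*:(?P<r_acct>[^:]*):(?P<r_res>\S+)"
)

# Prefix of the caller ARN's resource part -> kind of principal.
KINDS = {"user/": "iam-user", "assumed-role/": "assumed-role",
         "federated-user/": "federated-user"}

def principal_kind(p_res):
    """Classify the resource part of the caller ARN ('root', 'user/x', ...)."""
    if p_res == "root":
        return "root"
    return next((k for pre, k in KINDS.items() if p_res.startswith(pre)), "other")

def same_account(a, b):
    """True/False for real 12-digit IDs, None when either ID is masked."""
    if not (re.fullmatch(r"\d{12}", a) and re.fullmatch(r"\d{12}", b)):
        return None
    return a == b

def diagnose(message):
    """Report who signed the denied call, the action, and account relation."""
    m = DENIED.search(message)
    if m is None:
        return None
    kind = principal_kind(m["p_res"])
    same = same_account(m["p_acct"], m["r_acct"])
    hints = []
    if kind == "root":
        hints.append("signed with account root credentials; policies attached "
                     "to an IAM user are not evaluated for this call")
    if same is False:
        hints.append("caller and function are in different accounts; the "
                     "function's account must also grant access")
    return {"principal": kind, "action": m["action"],
            "same_account": same, "hints": hints}

# Constructed samples: placeholder account IDs, then the masked form as posted.
CROSS = ("AccessDeniedException: User: arn:aws:iam::111111111111:root is not "
         "authorized to perform: lambda:UpdateFunctionCode on resource: "
         "arn:aws:lambda:us-east-1:222222222222:function:sampleProjectNotes")
MASKED = CROSS.replace("111111111111", "xxxxxxxx").replace("222222222222", "xxxxxxxx")

if __name__ == "__main__":
    for msg in (CROSS, MASKED):
        print(diagnose(msg))
```

With masked account IDs, as in the post, the account comparison is reported as unknown rather than guessed.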