I am following the aws tutorial on how to create thumbnails using lambda. I run this command to create a function:
aws lambda create-function --function-name CreateThumbnailDev --zip-file fileb://lambda-dev.zip --handler index.handler --runtime nodejs12.x --timeout 10 --memory-size 1024 --role arn:aws:iam::XXXXXXXXXXXXX:role/<MY_ROLE>
MY_ROLE is a role I created for executing Lambda. The above command returns this error:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:iam::XXXXXXXXXXXXX:user/MY_USER is not authorized to perform: lambda:CreateFunction .....
The problem is that XXXXXXXXXXXXX is my account id (as the tutorial says to use it), but user/MY_USER is the user I configured my AWS CLI with locally; it exists but it doesn't have the necessary policy attached.
How should I configure the client to execute this command?
Here we have two different principals:
Role associated to the lambda function: permissions that the lambda function itself will have
Policies associated to your IAM user: what you can do
Looks like your IAM user named MY_USER, the one you're using for creating the Lambda, is missing permissions for that. You'll need to grant them, either by attaching a policy directly to the user or by adding the user to a group that has the policies.
You can check the official documentation for that.
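The two-principal point above can be made concrete by reading the AccessDeniedException text itself: the message names the caller, the denied action and (in the full message) the resource, which is exactly what the missing identity-policy statement must contain. The script below is an added example, not code from the question, the answer or AWS; the error text is a constructed sample with a placeholder account id, and the extra iam:PassRole statement reflects the AWS requirement that whoever passes an execution role to Lambda must be allowed to pass that role (a fact the thread does not mention).

```python
import json
import re

# Constructed sample of the error from the question, with a placeholder
# 12-digit account id and the "on resource" part the question elided.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the CreateFunction "
    "operation: User: arn:aws:iam::111111111111:user/MY_USER is not authorized "
    "to perform: lambda:CreateFunction on resource: "
    "arn:aws:lambda:us-east-1:111111111111:function:CreateThumbnailDev"
)

# Shape of IAM's access-denied messages: caller ARN, action, optional resource ARN.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:[^ ]+) is not authorized "
    r"to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9]+)"
    r"(?: on resource: (?P<resource>arn:[^ ]+))?"
)


def parse_access_denied(message):
    """Return (caller_arn, action, resource) from an AccessDeniedException message.

    The caller is the identity behind the CLI credentials, not the Lambda
    execution role; that is the principal whose identity policy must change.
    """
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM access-denied message")
    return m.group("principal"), m.group("action"), m.group("resource") or "*"


def minimal_identity_policy(message, role_arn=None):
    """Build the least-privilege identity policy that satisfies the denied call.

    If the call is CreateFunction and the execution role ARN is given, an
    iam:PassRole statement scoped to that role and to the Lambda service is
    added, because Lambda will reject the role otherwise (AWS behaviour,
    not something the thread states).
    """
    _caller, action, resource = parse_access_denied(message)
    statements = [{
        "Sid": "AllowDeniedCall",
        "Effect": "Allow",
        "Action": action,
        "Resource": resource,
    }]
    if action == "lambda:CreateFunction" and role_arn:
        statements.append({
            "Sid": "PassExecutionRoleToLambda",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Placeholder execution role ARN (constructed, same placeholder account).
    policy = minimal_identity_policy(
        SAMPLE_ERROR, role_arn="arn:aws:iam::111111111111:role/lambda-exec"
    )
    print(json.dumps(policy, indent=2))
```

Attach the printed document to MY_USER (or to a group the user belongs to) rather than granting AdministratorAccess; the statement is scoped to the single function ARN and the single role, which is the least privilege the deploy step actually needs.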
Related
I am trying to get permission for my IoT Analytics Pipeline to invoke my Lambda Function but I am unable to. It is giving me the error that User is not authorized to perform lambda:AddPermission on Resource. What is it? And how can I fix it? I am putting the command instruction in AWS CLI which is given in the User guide.
And second, is there any other way (especially through IAM) other than AWS CLI to get permission for my Pipeline to invoke my Lambda functions?
I used this instruction in AWS CLI:
aws lambda add-permission --function-name myLambda1 --action lambda:InvokeFunction --statement-id iotanalytics --principal iotanalytics.amazonaws.com --source-account 123456789012 --source-arn arn:aws:iotanalytics:us-east-1:123456789012:pipeline/analytics_lambda1_pipeline
Make the user admin on AWS; that should resolve this issue.
I'm trying to invoke an AWS Lambda from one account on another account. I have the private link created for both and tried configuring a role and adding it to the AWS Lambda policies; it works as expected, but I want to limit it to the individual user invoking the function. So is it possible to add multiple users instead of the root or role ARN?
The CLI command will add the root as below:
$ aws lambda add-permission --function-name my-function:prod --statement-id xaccount --action lambda:InvokeFunction \
--principal 210987654321 --output text
{"Sid":"xaccount","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::210987654321:root"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function"}
From Using resource-based policies for AWS Lambda:
To limit access to a user, group, or role in another account, specify the full ARN of the identity as the principal. For example: arn:aws:iam::123456789012:user/developer
I have a Lambda .jar that I build from a Jenkins box in an AWS account ("Account_Bld"). Once built, I copy the .jar over to an S3 bucket in a different AWS account ("Account_Dst"), and I attempt to update the Lambda in Account_Dst based on the newly copied .jar in S3.
I'm using this command as part of my deploy script, which is a slight modification of another version that works when everything is located in the same account:
aws lambda update-function-code --function-name arn:aws:lambda:us-east-1:{Account_Dst_Id}:function:{lambda_function_name} --zip-file fileb://{jar_file_relative_path} --region us-east-1
Not surprisingly, I get this error:
An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation: User: arn:aws:sts::{Account_Bld_Id}:assumed-role/{jenkins_ec2_role}/{jenkins_ec2_instance_id} is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-east-1:{Account_Dst_Id}:function:{lambda_function_name}
I have given jenkins_ec2_role rights to update the Lambda in the other account, but it makes sense that I would need to reciprocate those rights somewhere in Account_Dst -- assuming there is a simple solution to this problem.
Now, possible resolutions. I could assume a role in Account_Dst that has the correct rights and update the Lambda, but that's more setup hassle than it is worth to me right now. I've seen some Google suggestions that I could use CodePipeline, but obviously I'm using Jenkins, so that doesn't seem like a good solution, either.
So, the question is, is there an easy solution here that I am missing?
This is now possible. A Lambda resource based policy can be configured to allow a principal from another account to perform actions e.g. lambda:UpdateFunctionCode or lambda:Invoke.
In case of UpdateFunctionCode, the documentation states:
FunctionName
The name of the Lambda function.
Name formats
Function name – my-function.
Function ARN – arn:aws:lambda:us-west-2:123456789012:function:my-function.
Partial ARN – 123456789012:function:my-function.
...
Source: https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionCode.html
The Lambda Function permission in account 222222222222 must be configured to allow the principal from account 111111111111 to update the function code:
aws lambda add-permission --function-name my-function --statement-id xaccount --action lambda:UpdateFunctionCode --principal 111111111111 --output text
Source:
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke
Then the function code in account 222222222222 can be updated from account 111111111111:
aws lambda update-function-code --function-name arn:aws:lambda:us-west-2:222222222222:function:my-function --zip-file fileb://source.zip
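Both the cross-account invoke question (whether a single user instead of the account root can be named) and the cross-account UpdateFunctionCode answer come down to what the Principal element of the function's resource-based policy matches. The following is an added, offline model of that matching, written for this thread rather than taken from it or from AWS: it mirrors what `add-permission` stores (a bare account id becomes that account's `:root` ARN, as the CLI output above shows), and it applies two simplified IAM rules labelled as assumptions in the comments: a `:root` principal matches any identity in that account, and an STS assumed-role caller (the form the Jenkins question's error reports) is matched against the underlying IAM role ARN. Wildcards in Action and Resource are deliberately not modelled.

```python
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def normalize_principal(principal):
    """A bare account id is stored by Lambda as that account's root ARN."""
    if ACCOUNT_RE.match(principal):
        return f"arn:aws:iam::{principal}:root"
    return principal


def caller_to_iam_arn(caller_arn):
    """Map an STS assumed-role ARN to the IAM role ARN a policy must name.

    Assumption (simplified IAM rule): arn:aws:sts::ACCT:assumed-role/ROLE/SESSION
    is treated as arn:aws:iam::ACCT:role/ROLE. Other ARNs are returned unchanged.
    """
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def account_of(arn):
    """The account field is the fifth colon-separated element of an ARN."""
    return arn.split(":")[4]


def add_permission(policy, sid, action, principal, resource):
    """Offline counterpart of `aws lambda add-permission` for one principal/action."""
    stmt = {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": normalize_principal(principal)},
        "Action": action,
        "Resource": resource,
    }
    policy.setdefault("Statement", []).append(stmt)
    return stmt


def principal_matches(stmt_principal, caller_arn):
    """Assumption: a ':root' principal covers every identity in that account
    (subject to that identity's own policy); anything else must match exactly."""
    iam_arn = caller_to_iam_arn(caller_arn)
    if stmt_principal.endswith(":root"):
        return account_of(stmt_principal) == account_of(iam_arn)
    return stmt_principal == iam_arn


def resource_policy_allows(policy, caller_arn, action, resource):
    """True if some Allow statement names this caller, action and resource exactly."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Action") != action or stmt.get("Resource") != resource:
            continue
        if principal_matches(stmt["Principal"]["AWS"], caller_arn):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample using the placeholder account ids from the thread.
    fn = "arn:aws:lambda:us-east-2:123456789012:function:my-function"
    account_wide = {"Version": "2012-10-17", "Statement": []}
    add_permission(account_wide, "xaccount", "lambda:InvokeFunction", "210987654321", fn)
    user_only = {"Version": "2012-10-17", "Statement": []}
    add_permission(user_only, "devonly", "lambda:InvokeFunction",
                   "arn:aws:iam::210987654321:user/developer", fn)
    for who in ("arn:aws:iam::210987654321:user/developer",
                "arn:aws:iam::210987654321:user/someone-else"):
        print(who,
              "account-wide:", resource_policy_allows(account_wide, who, "lambda:InvokeFunction", fn),
              "user-only:", resource_policy_allows(user_only, who, "lambda:InvokeFunction", fn))
```

The user-scoped statement is what the documentation quote above describes: naming `arn:aws:iam::210987654321:user/developer` lets only that user through, while the `:root` form delegates the decision to whatever identity policies the other account chooses to attach. Add one statement per user (each with its own `--statement-id`) when several specific users need access.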
Granting permissions in Account_Bld to access Account_Dst is not sufficient to gain access to another account. This is good, because you wouldn't want people granting themselves access to other people's accounts.
The destination account needs to accept the incoming request. The method varies by service. For example, Amazon S3 can create a Bucket Policy to permit access from other accounts, as can Amazon SQS.
However, there is no such concept in Lambda to configure incoming requests from other accounts. There is simply nowhere that can be configured to allow update-function-code from another account.
Therefore, you will need to do as you suggested:
Create an IAM User or IAM Role in Account_Dst
Use the credentials from the Account_Dst IAM User (simplest) or use the existing Account_Bld credentials to assume the Role in Account_Dst (a few more lines of code)
Call update-function-code using those credentials
I want to grant vpc access for my lambda function. I use the following aws cli command.
aws lambda update-function-configuration \
--function-name SampleFunction \
--vpc-config SubnetIds=subnet-xxxx,SecurityGroupIds=sg-xxxx
But I receive the following error:
An error occurred (AccessDeniedException) when calling the
UpdateFunctionConfiguration operation: Your access has been denied by
EC2, please make sure your request credentials have permission to
DescribeSecurityGroups for sg-xxxx. EC2 Error Code:
UnauthorizedOperation. EC2 Error Message: You are not authorized to
perform this operation.
I have granted the following permissions to both my Lambda role and the user who executes the aws command.
- "ec2:CreateNetworkInterface"
- "ec2:DescribeNetworkInterfaces"
- "ec2:DeleteNetworkInterface"
- "ec2:DescribeSecurityGroups"
I further tried to grant full access to both the Lambda role and the user, but still received the same error.
Can anyone suggest what else I can try?
The trick is to make sure the pipeline / worker role / user (whichever is deploying the Lambda function) has access to the network-related policies. The Lambda function itself should suffice with the managed policy AWSLambdaVPCAccessExecutionRole:
arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Action:
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
Effect: Allow
Resource: '*'
Your user's IAM policy needs further permissions.
For example ec2:CreateSecurityGroup etc. Have a look at this documentation to add the required permissions.
I experienced the same issue. Despite the IAM policy for the user having the required permissions, I could not use the aws cli to create a Lambda function with a VPC config (aws lambda create-function) or modify an existing function to add a VPC config (aws lambda update-function-configuration).
The only way I could get this to work was to create the Lambda function without a VPC config. I then modified the function to add the VPC config information (VPC, subnet and security groups) via the AWS console (in Lambda > Functions > My Function > Network). I was only able to use the console to do this, introducing a manual step in an otherwise fully automated process.
To answer some of the questions above about which user needs the ec2:DescribeSecurityGroups and related permissions: it is the user running the cli command or logged in to the console. The function does not need a policy providing these permissions. The only special permissions needed for a function with a VPC config are:
ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface
These allow the function to create ENIs within your VPC using the subnet and security group you provide as described here.
Both the Lambda function's role and the user role (either the CloudFormation or the command-line user) must have:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
or ec2:* if OK for your use case's security.
I had the same issue deploying a Lambda with a VPC config using SAM/CloudFormation and resolved it by adding the above.
On a GitHub issue some people say it is because of CloudFormation creation order; it is not (or maybe not anymore, because I tested adding 20 dummy resources and still had the same issue, only resolved by adding the permissions above).
cheers,
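The three answers above agree on the useful part: the identity that calls update-function-configuration (CLI user, CloudFormation or pipeline role) needs the ec2:Describe* actions, while the function's own role needs the network-interface actions. A quick way to see which side is short is to diff each principal's policy against those two action sets. The checker below is an added example written for this thread, not code from any of the posts or from AWS; the required action sets are the ones listed in the answers (the Describe actions from the AWSLambdaVPCAccessExecutionRole excerpt, the NetworkInterface actions from the later answer), the sample policy is a constructed JSON rendering of the four actions the question says it granted, and IAM action-name matching is approximated with case-insensitive glob matching.

```python
import fnmatch
import json

# Actions the deploying principal (CLI user / pipeline / CloudFormation role)
# needs, per the AWSLambdaVPCAccessExecutionRole excerpt quoted above.
CALLER_VPC_ACTIONS = {
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
}

# Actions the function's execution role needs to create ENIs in the VPC.
FUNCTION_VPC_ACTIONS = {
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
}

# Constructed sample: the four actions the question says were attached to
# both the user and the Lambda role, rendered as an IAM policy document.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
  }]
}
""")


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect the action patterns from every Allow statement (Deny is ignored here)."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns.update(_as_list(stmt.get("Action")))
    return patterns


def _covered(action, patterns):
    """Approximation of IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required):
    """Return the required actions this policy does not allow, sorted for stable output."""
    patterns = allowed_actions(policy)
    return sorted(a for a in required if not _covered(a, patterns))


def vpc_readiness(caller_policy, function_policy):
    """Report what each principal is missing for a VPC-enabled function."""
    return {
        "caller_missing": missing_actions(caller_policy, CALLER_VPC_ACTIONS),
        "function_missing": missing_actions(function_policy, FUNCTION_VPC_ACTIONS),
    }


if __name__ == "__main__":
    # Same document on both principals, as the question describes.
    print(json.dumps(vpc_readiness(QUESTION_POLICY, QUESTION_POLICY), indent=2))
```

Run against the question's own policy, the function side comes back complete while the caller side still lacks ec2:DescribeSubnets and ec2:DescribeVpcs, which is the gap the first answer points at; a policy with ec2:* reports nothing missing for either side, at the cost of far broader rights than the deploy step needs.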
I am creating a nodejs application and deploying it as a lambda function on AWS. I am following the link:
http://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example-create-iam-role.html
I am now stuck at step 2.2-2.3. Step 2.2 has the json with the policy that needs to be attached to the role. When I use the below command (step 2.3) to create the lambda function:
aws lambda create-function --region us-east-1 --function-name LambdaFunctionOverHttps --zip-file fileb://LambdaFunctionOverHttps.zip --role execution-role-arn --handler LambdaFunctionOverHttps.handler --runtime nodejs4.3
Then I get the below error:
An error occurred (ValidationException) when calling the
CreateFunction operation: 1 validation error detected: Value
'execution-role-arn' at 'role' failed to satisfy constraint: Member
must satisfy regular expression pattern:
arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.#-_/]+
I even created the file "execution-role-arn" which had the json from Step 2.2. How can I resolve this error and create the lambda function?
I faced the same error; turns out you have to specify the Role ARN, not the Role name. So instead of --role roleName, put --role arn:aws:iam::1234567891:role/service-role/roleName. You can find your role ARN by clicking on the role name in the Roles tab, and then at the top you'll find the role ARN.
AWS really needs to fix their documentation for almost all of their services.
Update: The role needs to be replaced with the actual ARN of the role for the Lambda function instead of a separate file. This can be found on the role you just created in step 2.2. So, the proper way to do this is as follows:
aws lambda create-function \
--region us-east-1 \
--function-name LambdaFunctionOverHttps \
--zip-file fileb://LambdaFunctionOverHttps.zip \
--role arn:aws:iam::9999999999999:role/lambda-gateway-execution-role \
--handler LambdaFunctionOverHttps.handler \
--runtime nodejs4.3
This worked out fine and the lambda function got created. Note that I had pointed the default profile to admin with the aws config command.
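The ValidationException in this question is the one failure in the thread that can be caught before any API call, because the service prints the exact pattern it applies to the --role value. The helper below is an added example for this thread, not code from the question, the answers or AWS; it compiles the pattern exactly as quoted in the error message above and explains the common ways a value misses it: a bare role name or a file name (as in the question), and an account id that is not exactly 12 digits. The account ids and role names used are constructed placeholders.

```python
import re

# The constraint quoted verbatim in the ValidationException above, anchored
# at both ends so the whole value must satisfy it.
ROLE_ARN_PATTERN = re.compile(r"^arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.#-_/]+$")

ACCOUNT_FIELD_RE = re.compile(r"^arn:aws:iam::(\d*):")


def check_role_arg(value):
    """Return None if the --role value satisfies the pattern, else a reason it will be rejected."""
    if ROLE_ARN_PATTERN.match(value):
        return None
    if not value.startswith("arn:aws:iam::"):
        return ("not a role ARN: pass arn:aws:iam::<12-digit-account>:role/<path><name>, "
                "not the role name or a file containing the policy")
    m = ACCOUNT_FIELD_RE.match(value)
    if m and len(m.group(1)) != 12:
        return f"account id must be exactly 12 digits (got {len(m.group(1))})"
    if ":role/" not in value and ":role" not in value:
        return "resource part must start with 'role/'"
    return "role path or name contains characters outside the allowed set"


def build_role_arn(account_id, role_name, path="/"):
    """Assemble a role ARN from its parts and refuse to return one the service would reject.

    IAM roles can live under a path such as /service-role/, which is why the
    answer above shows arn:aws:iam::...:role/service-role/roleName.
    """
    if not path.startswith("/") or not path.endswith("/"):
        raise ValueError("path must start and end with '/'")
    arn = f"arn:aws:iam::{account_id}:role{path}{role_name}"
    problem = check_role_arg(arn)
    if problem:
        raise ValueError(problem)
    return arn


if __name__ == "__main__":
    # Constructed placeholder values; the first mirrors the question's mistake.
    for candidate in ("execution-role-arn",
                      "arn:aws:iam::123456789012:role/lambda-gateway-execution-role",
                      "arn:aws:iam::123456789012:role/service-role/roleName"):
        print(candidate, "->", check_role_arg(candidate) or "ok")
    print(build_role_arn("123456789012", "roleName", path="/service-role/"))
```

Note that the 13-digit placeholder in the answer's command would not pass this check either; only a real 12-digit account id does, so a pre-flight check like this also catches copy-paste errors in a deploy script before the CLI reports a constraint violation.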