I have multiple users and Lambda functions in my AWS account, for example user1, user2, user3 and user4, and the Lambda functions have the same names as the users.
I have created the following policy to invoke the Lambda function, but I am getting the following error:
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:111111111111:function:${aws.username}"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::111111111111:role/lambda_role",
        "arn:aws:lambda:us-west-2:111111111111:function:*"
      ]
    }
  ]
}
I can create the function without any issue, but when I try to invoke the Lambda function I get an error message, even though the policy is attached to the user:
An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:iam::111111111111:user/user1 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:111111111111:function:user1 because no identity-based policy allows the lambda:InvokeFunction action
Related
I am using the Parameter Store from AWS to store String parameter values.
I am using the following code to fetch the parameters from the Lambda function:
const SSM = require('aws-sdk/clients/ssm'); // aws-sdk v2 exports the service class, so instantiate it
const ssm = new SSM();
const getConfig = (prefix) => {
  return ssm.getParameter({ Name: `/${prefix}/config` }).promise()
    .then(resp => JSON.parse(resp.Parameter.Value)) // throws if the stored value is not JSON
    .catch(err => console.error(err));               // logs the error and resolves to undefined
};
But I constantly get the following error while running the Lambda from the AWS Console:
ERROR AccessDeniedException: User: arn:aws:sts::XXX:assumed-role/lambdaExecutionRole is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXX:parameter/get/getValue
I tried adding Administrator access to the role lambdaExecutionRole, but now I get this error:
ERROR SyntaxError: Unexpected token h in JSON at position 0
at JSON.parse (<anonymous>)
at /var/task/myFile.js:2:955529
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Runtime.e.handler (/var/task/myFile.js:2:1065241)
I have even tried adding the SSM permissions following this doc:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "GetParam1",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "ssm:GetParameter",
      "Resource": "*"
    }
  ]
}
- An error occurred: AssumeRole policy may only specify STS AssumeRole actions.
- An error occurred: Has prohibited field Resource
Any idea what I might be missing here? Thanks in advance.
ERROR SyntaxError: Unexpected token h in JSON at position 0
The error you get once you add Administrator permissions tells you that the value you are reading from the Parameter Store and eventually passing to JSON.parse (resp.Parameter.Value) is not valid JSON.
Your policy is wrong as well: you are mixing an IAM policy with a trust policy. They should be defined separately.
Roles terms and concepts
Trust policy for your Lambda IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
IAM policy for the Lambda IAM role to allow access to SSM Parameter Store:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetParam1",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "*"
    }
  ]
}
That's the reason for these errors:
An error occurred: AssumeRole policy may only specify STS AssumeRole actions.
An error occurred: Has prohibited field Resource
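As an added example (not part of the answer above, and not AWS code), the following Python reproduces the two validation errors from the question and performs the split the answer describes: a trust policy may contain only STS assume actions and no Resource, while an identity-based policy may not contain a Principal. The MIXED document is a copy of the one in the question; the set of actions treated as trust actions (sts:AssumeRole*, sts:TagSession, sts:SetSourceIdentity) is my assumption, the two quoted error strings mirror the errors in the question, and the remaining messages are my own wording.

```python
"""Added example: classify and lint IAM policy documents the way the answer
above separates them.  Not AWS code; the checks are a simplification of what
IAM validates, enough to reproduce the two errors quoted in the question."""
import json

# Assumption: the STS actions a role's trust policy is allowed to name.
TRUST_ACTION_PREFIX = "sts:AssumeRole"
TRUST_EXTRA_ACTIONS = {"sts:TagSession", "sts:SetSourceIdentity"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_trust_action(action):
    return action.startswith(TRUST_ACTION_PREFIX) or action in TRUST_EXTRA_ACTIONS


def lint_trust_policy(doc):
    """Problems that make IAM reject a document used as a role's trust policy."""
    errors = []
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" not in stmt:
            errors.append(f"{sid}: trust policy statement has no Principal")
        if not all(_is_trust_action(a) for a in _as_list(stmt.get("Action", []))):
            errors.append(f"{sid}: AssumeRole policy may only specify STS AssumeRole actions")
        if "Resource" in stmt:
            errors.append(f"{sid}: Has prohibited field Resource")
    return errors


def lint_identity_policy(doc):
    """Problems that make IAM reject a document attached to a role, user or group."""
    errors = []
    for stmt in _as_list(doc.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            errors.append(f"{sid}: Has prohibited field Principal")
        if "Resource" not in stmt and "NotResource" not in stmt:
            errors.append(f"{sid}: identity policy statement has no Resource")
    return errors


def split_mixed_policy(doc):
    """Split a document that mixes both kinds into (trust_policy, identity_policy):
    statements made only of STS assume actions go to the trust policy, everything
    else loses its Principal and becomes the permissions policy."""
    trust, perms = [], []
    for stmt in _as_list(doc["Statement"]):
        if all(_is_trust_action(a) for a in _as_list(stmt.get("Action", []))):
            trust.append(stmt)
        else:
            perms.append({k: v for k, v in stmt.items()
                          if k not in ("Principal", "NotPrincipal")})
    version = doc.get("Version", "2012-10-17")
    return ({"Version": version, "Statement": trust},
            {"Version": version, "Statement": perms})


# Copy of the combined document from the question (constructed for the demo).
MIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Sid": "GetParam1", "Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "ssm:GetParameter", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("as trust policy:   ", lint_trust_policy(MIXED))
    print("as identity policy:", lint_identity_policy(MIXED))
    trust, perms = split_mixed_policy(MIXED)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
```

The permissions policy produced here still grants ssm:GetParameter on Resource "*", exactly as the answer does. In practice scope it to the parameter path (arn:aws:ssm:REGION:ACCOUNT:parameter/PREFIX/*), as later answers on this page do, so the function can read only its own configuration.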
I am trying to set up eksctl for EKS, but it is throwing:
"Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".
The IAM permission policy I am using is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:::parameter/*"
    }
  ]
}
I also tried using the policy simulator to check the permissions; it gives me "Implicitly Denied (No matching statement)".
I had the same issue. The way I resolved it was by adding the region to the SSM resource, and also adding ssm:GetParameter, like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeParameters"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:GetParametersByPath"
      ],
      "Resource": "arn:aws:ssm:ca-central-1::parameter/*"
    }
  ]
}
If you notice, I've added the region ca-central-1; you should change it to your current region.
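The following is an added example, not code from any post in these threads. It is a small Python model of the two IAM matching rules that explain the first question on this page (the policy uses ${aws.username}, but the policy variable is spelled ${aws:username}) and the eksctl question directly above (arn:aws:ssm:::parameter/* has an empty region segment, which is not a wildcard, and the policy also lacks ssm:GetParameter). The account ID, user name, function name and parameter ARN are taken from the error messages; the functions, the request context and the case names are my own, and the model ignores Conditions, NotAction/NotResource and resource-based policies.

```python
"""Added example (not code from any post above): a small model of the IAM
matching rules behind two denials on this page.  It covers policy-variable
substitution, segment-by-segment ARN wildcard matching and Allow/Deny
precedence only; no NotAction/NotResource, Conditions or resource policies."""
import re

VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def substitute(pattern, context):
    """Replace policy variables such as ${aws:username} with request-context values.
    A name with no value (a role session has no aws:username) or a typo such as
    ${aws.username} is left as literal text, so the Resource can never match."""
    return VAR.sub(lambda m: context.get(m.group(1), m.group(0)), pattern)


def _glob(pattern, value, ignore_case=False):
    """IAM wildcards: '*' matches any run of characters (including none, '/'
    and ':'), '?' matches exactly one, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def arn_match(pattern, arn):
    """Resource ARNs are compared segment by segment and case-sensitively.
    An empty region or account segment in the policy matches only an empty
    segment in the request, so arn:aws:ssm:::parameter/* never matches a
    parameter that lives in us-east-1."""
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    return all(_glob(ps, rs) for ps, rs in zip(p, a))


def action_match(pattern, action):
    """Action names (e.g. ssm:GetParameter*) are matched case-insensitively."""
    return _glob(pattern, action, ignore_case=True)


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request; the last is what
    the policy simulator shows as 'Implicitly Denied (No matching statement)'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(action_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = [substitute(r, context) for r in _as_list(stmt["Resource"])]
        if not any(arn_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def _allow(action, resource):
    """One-statement Allow policy, enough for the cases below."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}


# Values from the error messages on this page; the requests themselves are constructed.
LAMBDA_PREFIX = "arn:aws:lambda:us-west-2:111111111111:function:"
USER1_FN = LAMBDA_PREFIX + "user1"
EKS_AMI_PARAM = ("arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/"
                 "1.18/amazon-linux-2/recommended/image_id")
SSM_GET = ["ssm:GetParameters", "ssm:GetParametersByPath"]


def run_cases():
    """Replay the denials from this page against the model and return the decisions."""
    user_ctx = {"aws:username": "user1"}
    return {
        # ${aws.username} is not a policy variable: it stays literal and never matches
        "invoke_typo": evaluate(_allow("lambda:InvokeFunction", LAMBDA_PREFIX + "${aws.username}"),
                                "lambda:InvokeFunction", USER1_FN, user_ctx),
        # ${aws:username} resolves to user1 and the function ARN matches
        "invoke_fixed": evaluate(_allow("lambda:InvokeFunction", LAMBDA_PREFIX + "${aws:username}"),
                                 "lambda:InvokeFunction", USER1_FN, user_ctx),
        # same policy, but the caller is an assumed role: no aws:username in the context
        "invoke_from_role": evaluate(_allow("lambda:InvokeFunction", LAMBDA_PREFIX + "${aws:username}"),
                                     "lambda:InvokeFunction", USER1_FN, {}),
        # eksctl: empty region segment and no ssm:GetParameter
        "eks_no_region": evaluate(_allow(SSM_GET, "arn:aws:ssm:::parameter/*"),
                                  "ssm:GetParameter", EKS_AMI_PARAM),
        # region filled in but ssm:GetParameter still missing
        "eks_region_only": evaluate(_allow(SSM_GET, "arn:aws:ssm:us-east-1::parameter/*"),
                                    "ssm:GetParameter", EKS_AMI_PARAM),
        # region and action both fixed, as in the answer above
        "eks_fixed": evaluate(_allow(SSM_GET + ["ssm:GetParameter"], "arn:aws:ssm:us-east-1::parameter/*"),
                              "ssm:GetParameter", EKS_AMI_PARAM),
    }


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name:18} {decision}")
```

One caveat the model makes visible: ${aws:username} only has a value when the caller is an IAM user, so the same policy attached to a role, or used by an assumed-role session as in a later question on this page, still ends in an implicit deny. Running the script prints one decision per case.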
For me, I was using --with-decryption for a SecureString. My instance profile also needed to have KMS rights to the alias/parameter-store-key:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter*"
      ],
      "Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
Mine was in the other direction. I had ssm:GetParameter, and the error message was AccessDeniedException: User is not authorized to perform: ssm:GetParameter on resource because no identity-based policy allows the ssm:GetParameter action, but implicitly the missing ssm:GetParameters was causing the request to be denied with a misleading error message.
I think you might need to authorize the "ssm:GetParameter" action as well.
I had the same error message as #plantbeard, but mine was related to capitalisation. I was using Serverless and taking the param name from the stage environment, e.g. dev, but my parameter was called /Dev/param. Renaming it to /dev/param fixed it for me.
For anyone else who still has issues, I was receiving the same error for my Lambda function:
"AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/[role-name]-role-xxxxxx/[lambda-function-name] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxx:parameter/[parameter_path1]/[parameter_pathx] because no identity-based policy allows the ssm:GetParameter action",
I found that on the policies page
https://us-east-1.console.aws.amazon.com/iamv2/home#/policies
I needed to add the rule to a "Customer managed" type policy named
AWSLambdaBasicExecutionRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (I think someone else created this, though, and I just added on to it).
That looked like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:us-east-1:xxxxxxxxxx:parameter/[parameter_path1]/[parameter_pathx]"
    }
  ]
}
This question is related to this:
Setup:
Account A (containing the SQS Queue)
Account B (contains the lambda function that will be triggered by SQS Queue in Account A)
This is the Lambda resource policy in Account B:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-A:user/USER-ACCOUNT-A"
      },
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sqs.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "ACCOUNT-A"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-ACCOUNT-A"
        }
      }
    }
  ]
}
and this is the SQS permission policy in Account A:
{
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-A:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:root"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
    },
    {
      "Sid": "Permission to LambdaRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:role/LAMBDA-EXECUTION-ROLE-ACCOUNT-B"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage",
        "SQS:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
    }
  ]
}
When the user in Account A tries to add the Lambda trigger from SQS, the following AccessDenied error shows up:
Error code: AccessDeniedException. Error message: User: arn:aws:iam::xxxxxxxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
I also tried to add the trigger from the Lambda function (just for testing, as this is not something I want), but I got the following error:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
My Lambda role has the "AmazonSQSFullAccess" permission, so I really don't know what's going on here.
Can someone help with this please?
UPDATE
I found a bug in the SQS permission policy, and fixing it solved the second error:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
However, as mentioned earlier, I need the user in Account A to add a Lambda trigger from the SQS queue (which is what causes the first error I posted above), rather than the other way round. Is that possible at all?
Your IAM policy is probably limited to the Lambda function resource type, but it also needs the event-source-mapping resource:
"Resource": [
  "arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:function:*",
  "arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:event-source-mapping:*"
]
Or just say screw IAM and go with '*'.
The list of resources can be found here: Resources and conditions for Lambda actions
I'm issuing an STS token for a user interface that includes the following statement for Lambda permissions:
{
  "Sid": "AllowUserInvokeLambda",
  "Action": [
    "lambda:InvokeAsync",
    "lambda:InvokeFunction"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
    "arn:aws:lambda:us-east-2:*:function:ImageScanner"
  ]
},
When I try to invoke the function from aws-sdk.js in the browser, I get back an error with the message:
"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"
Am I missing something in that policy?
I found the issue: your policy is missing the account number, so it should be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserInvokeLambda",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:lambda:ap-southeast-2:012345678901:function:*"
      ]
    }
  ]
}
Note: also, you should assign this policy to the role you are assuming, not to the user who is assuming it. Can you confirm that part?
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
I have an AWS Lambda function that queries an Amazon Athena database, but I get a permission error when executing the Lambda function:
An error occurred (AccessDeniedException) when calling the GetQueryExecution operation: User: arn:aws:sts::773592622512:assumed-role/lambda_access-role/reddit_monitor is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:ap-southeast-2:773592622512:workgroup/primary: ClientError
I have created this policy for the Lambda function:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "athena:StartQueryExecution"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::${var.athena-bucket}",
        "arn:aws:s3:::${var.athena-bucket}/*"
      ]
    }
  ]
}
I wonder why it still doesn't have permission to query Athena. Have I missed anything here?
You granted athena:StartQueryExecution instead of athena:GetQueryExecution.