Workmail Lambda Permissions denied - amazon-web-services

I am trying to understand why I cannot call my lambda from AWS Workmail. I obviously have not set up the correct permissions. I am struggling to understand where I am falling short.
One or more inputs was invalid: Cannot call lambda arn:aws:lambda:us-east-1:006640600424:function:toi-ordering-script due to permission denied. Check that WorkMail is authorized to call your function and that the function exists. Read more.

I think you haven't given permissions to Workmail to invoke your function, or they are given incorrectly.
You can add such permissions using AWS CLI's add-permission. For example:
aws lambda add-permission \
--function-name toi-ordering-script \
--action lambda:InvokeFunction \
--statement-id workmail \
--principal workmail.us-east-1.amazonaws.com
You may need to modify it to your specific settings.

Related

Error thrown by AWS CLI to give permission to IoTAnalytics_Pipeline to invoke my Lambda Function

I am trying to get permission for my IoT Analytics Pipeline to invoke my Lambda Function but I am unable to. It is giving me the error that User is not authorized to perform lambda:AddPermission on Resource. What is it? And how can I fix it? I am putting the command instruction in AWS CLI which is given in the User guide.
And second, is there any other way (especially through IAM) other than AWS CLI to get permission for my Pipeline to invoke my Lambda functions?
I used this instruction in AWS CLI:
aws lambda add-permission --function-name myLambda1 --action lambda:InvokeFunction --statement-id iotanalytics --principal iotanalytics.amazonaws.com --source-account 123456789012 --source-arn arn:aws:iotanalytics:us-east-1:123456789012:pipeline/analytics_lambda1_pipeline
Make the user admin on AWS; that should resolve this issue.

How can I increase the policy limits when I stream multiple cloudwatch log group to one lambda?

I have set up a lambda function to be triggered by many CloudWatch log groups. In order to do that, I added the invoke function permission on the log group with aws lambda add-permission and added a subscription with lambda as destination with aws logs put-subscription-filter. There are hundreds of log groups I need to stream to one lambda, which makes the lambda trigger policy very big.
There are two commands in this flow, aws lambda add-permission and aws logs put-subscription-filter. I need to run these two commands for each log group. I added 46 CloudWatch log groups as triggers for the lambda but when adding the 47th I got an error.
The error I got was from this command:
aws lambda add-permission --function-name $AGGREGATOR_NAME \
--statement-id add-permission-$lambdaName --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com \
--source-arn $logArn
An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20623) is bigger than the limit (20480).
arn:aws:logs:ap-southeast-2:***
Is there a way to get around that?
Is this a right way to stream hundreds of log groups to one lambda?
I have tried to use wildcard in the command but got a validation error.
aws lambda add-permission --function-name $AGGREGATOR_NAME --statement-id $ID --action lambda:InvokeFunction --principal logs.ap-southeast-2.amazonaws.com --source-arn "arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*"
An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*' at 'sourceArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*)
A way to get around this is to use a wildcard in --source-arn. By doing this, you don't need one lambda resource-based policy statement for each CloudWatch log group. Of course, the simplest way is to allow all log groups to execute lambda:InvokeFunction. In this case, you just need
aws lambda add-permission --function-name $AGGREGATOR_NAME \
--statement-id add-permission-$lambdaName --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com
Notice that the --source-arn is removed.
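An added example, not from the thread, that makes the trade-off in the answer above concrete: it builds statements in the shape add-permission stores for --principal, --source-arn and --source-account, measures the policy against the 20480-byte limit quoted in the error, and tests which callers each statement lets through (a statement with no source condition matches the same service principal from any AWS account, so --source-account is the cheap way to keep a single wildcard statement scoped to your own account). The function ARN, log group ARNs and account ids are constructed.

```python
"""Offline audit of a Lambda resource-based policy as written by `aws lambda add-permission`."""
import fnmatch
import json

POLICY_SIZE_LIMIT = 20480  # byte limit quoted in the PolicyLengthExceededException above


def make_statement(sid, service, function_arn, source_arn=None, source_account=None):
    """Mirror the statement add-permission stores (constructed here, not read from AWS)."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
            "Action": "lambda:InvokeFunction", "Resource": function_arn}
    cond = {}
    if source_arn:
        cond["ArnLike"] = {"AWS:SourceArn": source_arn}          # --source-arn
    if source_account:
        cond["StringEquals"] = {"AWS:SourceAccount": source_account}  # --source-account
    if cond:
        stmt["Condition"] = cond
    return stmt


def policy_size(statements):
    """Size of the stored JSON document, which is what the byte limit is applied to."""
    return len(json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": statements}))


def arn_like(pattern, arn):
    """ArnLike as IAM evaluates it: each of the six colon-delimited parts is matched on its
    own, so a '*' in the region part cannot swallow the account part."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    return len(p_parts) == len(a_parts) == 6 and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def statement_allows(stmt, caller_service, source_arn, source_account):
    """Would a call from caller_service on behalf of source_arn in source_account match?"""
    if stmt["Principal"].get("Service") != caller_service:
        return False
    cond = stmt.get("Condition", {})
    want_arn = cond.get("ArnLike", {}).get("AWS:SourceArn")
    if want_arn and not arn_like(want_arn, source_arn):
        return False
    want_acct = cond.get("StringEquals", {}).get("AWS:SourceAccount")
    if want_acct and want_acct != source_account:
        return False
    return True


def unscoped_statements(statements):
    """Service-principal statements with no source condition: any AWS account can use them."""
    return [s["Sid"] for s in statements if "Service" in s["Principal"] and not s.get("Condition")]
```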

Lambda@Edge: Cannot enable replication for the specified Lambda function

I'm trying to use CLI, and Ansible to deploy a CloudFront instance with attached Lambda / Lambda@Edge functions. But I'm running into the following error:
Lambda@Edge cannot enable replication for the specified Lambda function. Update the IAM policy to add permission: lambda:EnableReplication* for resource: arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1 and try again.
The documentation does say that I need lambda:EnableReplication*, but when I try to add the permissions to the lambda function via this command:
aws lambda add-permission --function-name FUNCTIONNAME:1 --action "lambda:EnableReplication*" --statement-id something --principal "*" --output text
I get the following error:
An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'lambda:EnableReplication*' at 'action' failed to satisfy constraint: Member must satisfy regular expression pattern: (lambda:[*]|lambda:[a-zA-Z]+|[*])
How am I supposed to add these permissions so that this can be successful? What am I doing wrong here?
Hi, I ran into the same issue, and it took me some time to figure out. I started trying as you did with aws lambda add-permission (role based policy). But the permissions you need to add like lambda:EnableReplication* should not be added to the resource-based policy but should be added to the execution role (if you're running from a lambda like in my case) or to the user if you're using the CLI (like I think is your case).
Hope this helps! :)
The error that comes back from AWS is not quite correct. Here is a working example.
aws lambda add-permission \
--function-name "name-of-your-function" \
--action "lambda:EnableReplication" \
--statement-id "lambda_enable_replication" \
--principal "*" \
--output text
You can also accomplish this with CloudFormation.
EdgeAuthEnableReplicationPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:EnableReplication"
    FunctionName: !Ref FunctionResource
    Principal: "*"
The error message is incorrect. As per the documentation, you need to add the lambda:EnableReplication* permission to:
arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME
rather than to:
arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1
Notice that the replication permission should go on the function itself rather than on a particular version of the function.

Cognito User Pool - Post confirmation trigger, access denied exception

I am creating a Cognito user pool using the GO SDK, I am using the API CreateUserPoolInput.
I have a post-confirmation trigger for this lambda function.
So when the user confirmation happens, this lambda function is expected to trigger.
But I am getting an error - Access denied.
When I login to AWS console and re-configure this lambda function for this trigger, it works.
Reference -
https://forums.aws.amazon.com/thread.jspa?messageID=748566
I want to provide the invoke permission using the AWS APIs.
Is there any API or code example, which I can refer to provide the required access?
I am not familiar with GO, but from an AWS API perspective, what happens when you use the AWS console to add a trigger to a lambda function is that you effectively add permission for another service to invoke your function. The AWS graphical console calls the underlying API behind the scenes to make it easy to use.
If you are creating or configuring a Lambda function using the AWS CLI or an SDK, you need to make an explicit call to the add-permission API.
Here is the doc for the AWS CLI. It is a nice way to practice and discover before you start to write your code: https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html
Here is the doc for the Go SDK equivalent : https://docs.aws.amazon.com/sdk-for-go/api/service/lambda/#Lambda.AddPermission
And here are two examples in bash shell (one to authorize API Gateway and one to authorize Amazon S3 to trigger a function, but I am sure you can adapt this easily to your use case)
aws lambda add-permission \
--region $REGION \
--function-name $FUNCTION_NAME \
--statement-id 1 \
--principal apigateway.amazonaws.com \
--action lambda:InvokeFunction \
--source-arn arn:aws:execute-api:$REGION:$ACCOUNT_ID:* >/dev/null
#
# Add permission to authorize S3 bucket to invoke Lambda
#
AWS_ACCOUNT_ID=$(echo $ROLE_EXEC_ARN | sed 's/^arn:aws:iam::\(.*\):.*$/\1/')
aws lambda add-permission --function-name $FUNCTIONNAME --region $REGION --profile $PROFILE --statement-id Id-x --action "lambda:InvokeFunction" --principal s3.amazonaws.com --source-arn arn:aws:s3:::$BUCKETNAME --source-account $AWS_ACCOUNT_ID
I was able to solve this issue using the AddPermission API call.
Here is the code snippet.
import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/lambda"
)

// Grant the Cognito service principal permission to invoke the function,
// scoped with SourceArn so that only this user pool can trigger it.
func addCognitoInvokePermission(lambdaSessionClient *lambda.Lambda, lambdaFunctionName, userPoolArn string) (*lambda.AddPermissionOutput, error) {
	actionString := "lambda:InvokeFunction"
	principalString := "cognito-idp.amazonaws.com"
	sourceArn := userPoolArn
	statementIdString := "cognitoaddpermission"
	addPermissionInput := &lambda.AddPermissionInput{
		Action:       aws.String(actionString),
		FunctionName: aws.String(lambdaFunctionName),
		Principal:    aws.String(principalString),
		SourceArn:    aws.String(sourceArn),
		StatementId:  aws.String(statementIdString),
	}
	resultAddPermission, errAddPermission := lambdaSessionClient.AddPermission(addPermissionInput)
	return resultAddPermission, errAddPermission
}

How to allow access for AWS API Gateway to invoke all AWS Lambda functions in any path

I'm preparing a new AWS API Gateway under few environments - production, staging, testing, development.
Let's say I have two lambda functions connected to the GET /first and GET /second. Those resources are pointing to the lambda first:${stageVariables.Qualifier} (this variable has proper environment value depending on stage).
Now I have to add permissions for API Gateway to invoke both functions. AWS says:
You defined your Lambda function as a stage variable. Please ensure that you have the appropriate Function Policy on all functions you will use. You can do this by running the below AWS CLI command for each function, replacing the stage variable in the function-name parameter with the necessary function name.
aws lambda add-permission
--function-name arn:aws:lambda:region:000...:function:first:${stageVariables.Qualifier}
--source-arn arn:aws:execute-api:region:00000:xxxx/*/GET/first
--principal apigateway.amazonaws.com
--statement-id 0000-000-0-...
--action lambda:InvokeFunction
So it's clear - I have to invoke this above command 8 times for each configuration:
first:development
first:testing
....
second:production
Is it possible somehow to add a general permission to allow invocation of any function in any qualifier with any path?
I'm aiming for something like this (but it doesn't work):
aws lambda add-permission
--function-name arn:aws:lambda:region:000...:function:*:*
--source-arn arn:aws:execute-api:region:00000:xxxx/*/*/*
--principal apigateway.amazonaws.com
--statement-id 0000-000-0-...
--action lambda:InvokeFunction