I have a lambda function created using the serverless framework that is running into an error when deploying it to a dev environment. Issue seems to be IAM related and isn't a perissions issue so much as AWS says it's a malformed policy. I've included the error message seen in the cloudformation console as well as the entire serverless.yml file. Was hoping some could help me fix it, I had it working on another account though have made changes like memory limit and specifying the resource for iam policy. Should add to that, I have confirmed the sqs queue referenced in the iam part does in fact exist and I've tried the exact arn without the opt:accID part.
Error message
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
Serverless.yaml file
provider:
name: aws
runtime: nodejs10.x
region: us-east-1
vpc:
securityGroupIds:
- ${ssm:/${opt:stage}/securityGroupIds}
subnetIds:
- ${ssm:/${opt:stage}/subnetIds}
iamRoleStatements:
- Effect: 'Allow'
Resource: arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon
Action:
- 'sqs:*'
environment:
tsQueue: https://sqs.us-east-1.amazonaws.com/${opt:accID}/influxdb_perf_mon
functions:
perf:
handler: handler.perf
memorySize: 128 # in MB
events:
- sqs:
arn: arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon
batchSize: 1
Cloudformation in S3
"IamRoleLambdaExecution": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Policies": [
{
"PolicyName": {
"Fn::Join": [
"-",
[
"timeseries-lambda",
"dev",
"lambda"
]
]
},
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/timeseries-lambda-dev*:*"
}
]
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
{
"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/timeseries-lambda-dev*:*:*"
}
]
},
{
"Effect": "Allow",
"Resource": "arn:aws:sqs:us-east-1:100525853236:influxdb_perf_mon",
"Action": [
"sqs:*"
]
},
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon"
]
}
]
}
}
],
"Path": "/",
"RoleName": {
"Fn::Join": [
"-",
[
"timeseries-lambda",
"dev",
{
"Ref": "AWS::Region"
},
"lambdaRole"
]
]
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
]
]
}
]
}
},
The line that defines the resource for the IAM premissions you have listed has a small typo and is missing the $:
Resource: arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon
should be
Resource: arn:aws:sqs:us-east-1:${opt:accID}:influxdb_perf_mon
That may fix your issue
I redeployed your role in my sandabox account. I found that the issue comes from:
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon"
]
}
Specifically, from {opt:accID}. Changing the Resource to (real account number) fixed the issue in my verification:
"arn:aws:sqs:us-east-1:324124214:influxdb_perf_mon"
Thus the question is, where does this policy come from? Its not listed in your Serverless.yaml provided in the question? Are you sure this is the most recent Serverless.yaml you use?
Related
I am creating a cloudformation stack to generate aws instance scheduler in aws gov cloud via TF. The goal is to start/stop ec2 based on tags. Many way to achieve it but I have to use terraform and cloudformation. Here is the repo --> https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf
Below is the part of the code where I think I am blocked:
"InstanceSchedulerEncryptionKey": {
"Type": "AWS::KMS::Key",
"Properties": {
"Description": "Key for SNS",
"Enabled": true,
"EnableKeyRotation": true,
"KeyPolicy": {
"Statement": [
{
"Sid": "default",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:root"
}
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allows use of key",
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::GetAtt": [
"SchedulerRole",
"Arn"
]
}
},
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt"
],
"Resource": "*"
}
]
}
}
},
"Code": {
"S3Bucket": {
"Fn::Join": [
"-",
[
"solutions",
{
"Ref": "AWS::Region"
}
]
]
},
"S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
The error :
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [InstanceSchedulerEncryptionKey, SchedulerRule]. Rollback requested by user."
"Resource creation cancelled" "Parameter arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain is not valid. Reason: Provided Arn is not in correct format. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: 37adac0c-6758-4b4f-ac86-0d0140742c80; Proxy: null)"]
Not sure if it's doable in gov cloud but I am looking for potential solutions and found this https://github.com/awslabs/aws-instance-scheduler/issues/11. I am testing it but no success yet.. please help !!
Adding a new line:
Thank you all for the response. My issue was using the correct arn arn:aws-us-gov
I just apply the code and it's going through. Now I am getting this below and I am sure it's related to the policy/role on my s3. Please let me know what is wrong in my code below. Any thoughts?
the s3 code part:
"SchedulerPolicy": {
"Type": "AWS::IAM::Policy",
"Metadata": {
"cfn_nag": {
"rules_to_suppress": [
{
"id": "W12",
"reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
}
]
}
},
"Properties": {
"PolicyName": "SchedulerPolicy",
"Roles": [
{
"Ref": "SchedulerRole"
}
],
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:PutRetentionPolicy"
],
"Resource": [
{
"Fn::Join": [
":",
[
"arn:aws-us-gov:logs",
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::AccountId"
},
"log-group",
{
"Ref": "SchedulerLogGroup"
},
"*"
]
]
},
{
"Fn::Join": [
":",
[
"arn:aws-us-gov:logs",
{
"Ref": "AWS::Region"
},
{
"Ref": "AWS::AccountId"
},
"log-group:/aws/lambda/*"
]
]
}
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:*"
],
"Resource": {
"Fn::Join": [
":",
[
"arn:aws-us-gov:s3:::instanceschedulertest",
"arn:aws-us-gov:s3:::instanceschedulertest/*"
]
]
}
},
{
"Effect": "Allow",
"Action": [
"rds:DeleteDBSnapshot",
"rds:DescribeDBSnapshots",
"rds:StopDBInstance"
],
"Resource": {
"Fn::Join": [
":",
[
"arn:aws-us-gov:rds:*",
{
"Ref": "AWS::AccountId"
},
"snapshot:*"
]
]
}
},
{
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:RemoveTagsFromResource",
"rds:DescribeDBSnapshots",
"rds:StartDBInstance",
"rds:StopDBInstance"
The error:
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 95db6874-d4ad-4499-95f7-f73777a6d4db; Proxy: null)"]
Thank you all for all the pointers I really appreciate your input.
The reason why it is failing is because you are forming the wrong ARN in your Terraform Code.
In your repo,
link
Replace these following lines with respect to Lambda: 1047, 1358, 1420 as "arn:aws-us-gov:lambda" instead of "arn:aws:lambda".
As per the documentation of aws: The ARN should be in this format arn:aws-us-gov:lambda:account-id:function:function-name.
The answer to your question is to update the above-mentioned line. But I am sure you will get errors with respect to other resources as all resources which you are creating are in the Us-Region. So please update all the necessary Joining Function Arn lines which your forming in your code. :)
I want to limit access to my elasticsearch clusters on aws by defining Access Policies that would limit access to iam users, a specific lambda function and the appsync api.
I have defined the following access policies in the elasticsearch resource on cloudformation, but this is failing with an error: Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;
How do I fix my policy so that it works?
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:",
{"Ref": "AWS::Region"},
":",
{"Ref": "AWS::AccountId"},
":function:",
{"Ref": "DdEsLambdaFunctionName"},
"-",
{"Ref": "env"}
]
]
},
{
"Fn::Join": [
"",
[
{"Ref": "GraphQLAPI"},
"/*"
]
]
}
]
},
"Action": [
"es:ESHttp*"
]
},
{
"Effect": "Allow",
"Principal": [
{
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{"Ref": "AWS::AccountId"},
":user/*"
]
]
}
}
],
"Action": "*"
}
]
},...}
Not sure if this is the core issue, but your first Principal is incorrect.
You specified Service but you provide lambda ARN. The ARN is of type AWS principal, not Service. Possibly GraphQLAPI is also an ARN, which again is not a Service principal, but AWS Principal.
The AWS Lambda function pipeline I did just set up following the official AWS documentation (Building a Continuous Delivery Pipeline for a Lambda Application with AWS CodePipeline) fails for me on deploy stage (both source and build stages do succeed) with this message:
Action execution failed
Role arn:aws:iam::************:role/service-role/AWSCodePipelineServiceRole-eu-west-1-lambda-pipeline
is invalid or cannot be assumed
(Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; Request ID: ********-****-****-************)
I did try to edit the deploy stage and change the specified service role (WSCodePipelineServiceRole-eu-west-1-lambda-pipeline), an run again the pipeline, with no success... More, editing again the deploy stage after re-running the pipeline, I see the previous role is there again... ( solved myself: I was not saving changes... :-( )
This is my template.yml:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Outputs the time
Resources:
TimeFunction:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs10.x
CodeUri: ./
Events:
MyTimeApi:
Type: Api
Properties:
Path: /TimeResource
Method: GET
This is my buildspec.yml:
version: 0.2
phases:
install:
runtime-versions:
nodejs: 10
build:
commands:
- npm install
- export BUCKET=lambda-pipeline-repo-bucket
- aws cloudformation package --template-file template.yml --s3-bucket $BUCKET --output-template-file outputtemplate.yml
artifacts:
type: zip
files:
- template.yml
- outputtemplate.yml
This is the WSCodePipelineServiceRole-eu-west-1-lambda-pipeline role policy JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"elasticbeanstalk.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"opsworks:DescribeStacks",
"rds:*",
"devicefarm:GetRun",
"cloudformation:CreateChangeSet",
"autoscaling:*",
"codebuild:BatchGetBuilds",
"servicecatalog:ListProvisioningArtifacts",
"devicefarm:ScheduleRun",
"devicefarm:ListDevicePools",
"cloudformation:UpdateStack",
"servicecatalog:DescribeProvisioningArtifact",
"cloudformation:DescribeChangeSet",
"devicefarm:ListProjects",
"cloudformation:ExecuteChangeSet",
"sns:*",
"codedeploy:RegisterApplicationRevision",
"cloudformation:*",
"opsworks:DescribeDeployments",
"devicefarm:CreateUpload",
"cloudformation:DescribeStacks",
"codecommit:GetUploadArchiveStatus",
"cloudwatch:*",
"opsworks:DescribeInstances",
"cloudformation:DeleteStack",
"ecr:DescribeImages",
"ecs:*",
"ec2:*",
"codebuild:StartBuild",
"opsworks:DescribeApps",
"opsworks:UpdateStack",
"cloudformation:ValidateTemplate",
"codedeploy:CreateDeployment",
"codedeploy:GetApplicationRevision",
"codedeploy:GetDeploymentConfig",
"servicecatalog:CreateProvisioningArtifact",
"sqs:*",
"cloudformation:DeleteChangeSet",
"codecommit:GetCommit",
"servicecatalog:DeleteProvisioningArtifact",
"codedeploy:GetApplication",
"cloudformation:SetStackPolicy",
"codecommit:UploadArchive",
"s3:*",
"elasticloadbalancing:*",
"codecommit:CancelUploadArchive",
"devicefarm:GetUpload",
"elasticbeanstalk:*",
"opsworks:UpdateApp",
"opsworks:CreateDeployment",
"cloudformation:CreateStack",
"servicecatalog:UpdateProduct",
"codecommit:GetBranch",
"lambda:*",
"codedeploy:GetDeployment",
"opsworks:DescribeCommands"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "codestar-connections:UseConnection",
"Resource": "*"
}
]
}
Please feel free to ask for any additional information...
Please give me some direction, I'm out of my depth here...
UPDATE 1
After #omuthu answer, I did check my pipeline policy (AWSCodePipelineServiceRole-eu-west-1-lambda-pipeline):
{
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"cloudformation.amazonaws.com",
"elasticbeanstalk.amazonaws.com",
"ec2.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
}
}
},
...
],
"Version": "2012-10-17"
}
and I see I already have iam:PassRole...
It is conditioned to services "cloudformation.amazonaws.com", "elasticbeanstalk.amazonaws.com", "ec2.amazonaws.com", "ecs-tasks.amazonaws.com"... Should I add some other services? Or better remove the condition?
UPDATE 2
I did try to remove the condition, with no different result.
UPDATE 3
#shariqmaws: I did export my pipeline (named "lambda-pipeline"); here it is:
{
"pipeline": {
"version": 1,
"artifactStore": {
"location": "codepipeline-eu-west-1-##########",
"type": "S3"
},
"roleArn": "arn:aws:iam::##########:role/service-role/AWSCodePipelineServiceRole-eu-west-1-lambda-pipeline",
"name": "lambda-pipeline",
"stages": [
{
"name": "Source",
"actions": [
{
"inputArtifacts": [],
"region": "eu-west-1",
"name": "Source",
"configuration": {
"PollForSourceChanges": "true",
"BranchName": "master",
"RepositoryName": "lambda-pipeline-repo"
},
"outputArtifacts": [
{
"name": "SourceArtifact"
}
],
"runOrder": 1,
"actionTypeId": {
"provider": "CodeCommit",
"owner": "AWS",
"version": "1",
"category": "Source"
}
}
]
},
{
"name": "Build",
"actions": [
{
"inputArtifacts": [
{
"name": "SourceArtifact"
}
],
"region": "eu-west-1",
"name": "Build",
"configuration": {
"ProjectName": "lambda-pipeline-build"
},
"outputArtifacts": [
{
"name": "BuildArtifact"
}
],
"runOrder": 1,
"actionTypeId": {
"provider": "CodeBuild",
"owner": "AWS",
"version": "1",
"category": "Build"
}
}
]
},
{
"name": "Deploy",
"actions": [
{
"inputArtifacts": [
{
"name": "BuildArtifact"
}
],
"region": "eu-west-1",
"name": "Deploy",
"configuration": {
"TemplatePath": "BuildArtifact::outputtemplate.yml",
"ActionMode": "CHANGE_SET_REPLACE",
"ChangeSetName": "lambda-pipeline-changeset",
"Capabilities": "CAPABILITY_IAM",
"RoleArn": "arn:aws:iam::##########:role/service-role/AWSCodePipelineServiceRole-eu-west-1-lambda-pipeline",
"StackName": "lambda-pipeline-stack"
},
"outputArtifacts": [],
"runOrder": 1,
"actionTypeId": {
"provider": "CloudFormation",
"owner": "AWS",
"version": "1",
"category": "Deploy"
}
}
]
}
]
},
"metadata": {
"updated": 1584382274.615,
"created": 1584382274.615,
"pipelineArn": "arn:aws:codepipeline:eu-west-1:##########:lambda-pipeline"
}
}
Can you find any issue with this pipeline? (and thanks for your help!)
UPDATE 4
#Shawn: I did read the document you pointed me to, and checked my configuration... I am in region eu-west-1, and it is enabled, as I see in my account settings:
Thanks for any comment...
Add iam:PassRole to your codepipeline policy as it tries to pass the role (attach the role) to lambda
Read more about it here
The problem is with the CloudFormation 'Deploy' action configuration:
"configuration": {
"TemplatePath": "BuildArtifact::outputtemplate.yml",
"ActionMode": "CHANGE_SET_REPLACE",
"ChangeSetName": "lambda-pipeline-changeset",
"Capabilities": "CAPABILITY_IAM",
"RoleArn": "arn:aws:iam::##########:role/service-role/AWSCodePipelineServiceRole-eu-west-1-lambda-pipeline",
"StackName": "lambda-pipeline-stack"
},
The 'RoleArn' above is a role in target account that CloudFormation will assume to execute the stack. Think of this role as the identity that will actually be creating the resources you have defined in the CloudFormation template. Now since CloudFormation service need to assume this role, the trust policy of this role should be for Cloudformation and NOT CodePipeline as it currently is.
Correct Trust Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Fix:
Create a new role for the CloudFormation service
Provide the permissions to this role that are required to create the resources defined in the template
Update the pipeline Action 'Deploy' in Stage 'Deploy' and set the RoleARN in configuration properties of this Action to the new role's ARN instead of "arn:aws:iam::##########:role/service-role/AWSCodePipelineServiceRole-eu-west-1-lambda-pipeline".
I am having issue with creating IAM policy in cloudformation.But when I run it I get the error that Groups,Roles,Users is required:
Here is my code:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "AWS CloudFormation Template IAM Groups and Policies",
"Resources": {
"PolicyAutoScalingLimitedOperation": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "AutoScaling-Limited-Operation",
"PolicyDocument": {
"Statement": [{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
},
{
"Effect": "Allow",
"Action": [
"kms:ListAliases",
"kms:ListKeys",
"kms:Encrypt",
"kms:Decrypt"
],
"Resource": "*"
}
]
}
}
}
}
}
Now when I run it I get:
At least one of [Groups,Roles,Users] must be non-empty.
Does that mean I cannot create policy with cloudformation without adding user/role to it?
You probably want to create an AWS::IAM::ManagedPolicy if you just want a standalone policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html
From the documentation:
AWS::IAM::ManagedPolicy creates an AWS Identity and Access Management
(IAM) managed policy for your AWS account, which you can use to apply
permissions to IAM users, groups, and roles.
Here's an example:
Resources:
CreateTestDBPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: "Policy for creating a test database"
Path: "/"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "rds:CreateDBInstance"
Resource: "*"
This will resolve your issue.
When I have my IAM Policy for my lambda execution role set to:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:GetFunction"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
I get this error:
[AccessDeniedException: User:
arn:aws:sts::xxx:assumed-role/supercoolsoftware-dev-us-west-2-lambdaRole/supercoolsoftware-dev-addEmail
is not authorized to perform:
lambda:GetFunction on resource:
arn:aws:lambda:us-west-2:xxx:function:supercoolsoftware-dev-dailyEmail]
However, when I set the policy to:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
The error is gone... What else do I need to add?
Figured it out. Apparently the SDK uses "lambda:GetFunctionConfiguration" as well. Once I included that it all worked.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
For anyone getting this error after the alexa.design/cli tutorial,
ASK_CLI_USER is not authorized to perform: lambda:GetFunction on resource
The issue for me was not "lambda:GetFunctionConfiguration" but instead the Resource line below it due to the "ask-" prefix:
"Resource": "arn:aws:lambda:*:*:function:ask-*"
Changing it to this solved my issue:
"Resource": "arn:aws:lambda:*:*:function:*"
Post 2022
The solution is as CamHart said, but there is a twist.
They apparently renamed these permissions. You must now use
lambda:InvokeFunction and lambda:InvokeFunctionConfiguration instead of lambda:GetFunction and lambda:GetFunctionConfiguration
Exemple
JSON
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": [
"*"
]
}
]
YAML
Statement:
- Effect: Allow
Action:
- lambda:InvokeFunction
- lambda:InvokeFunctionConfiguration
Resource: '*'