AWS Lambda function Access Denied from IoT Rule

Time:10-05

I'm invoking a Lambda function from the SQL statement of an AWS IoT rule but I run into an AccessDenied error:

    {
        "timestamp": "2022-10-05 10:03:42.260",
        "logLevel": "ERROR",
        "traceId": "b64de9a6-188c-7876-546c-df8949385145",
        "accountId": "124915225239",
        "status": "Failure",
        "eventType": "RuleExecution",
        "clientId": "N/A",
        "topicName": "$aws/rules/RuleEnlessWireless600031",
        "ruleName": "RuleEnlessWireless600031",
        "principalId": "AROAR2FMHCKL3VOAW5AAJ:stsSailboatSession",
        "reason": "ExternFunctionException",
        "details": "Function 'AwsLambda' failed to execute for rule 'RuleEnlessWireless600031'. Received an error while making a request to Lambda: User: arn:aws:sts::054971253646:assumed-role/iotgoldeneyeruntimeservice-eu-west-1-InstanceRole-EA40NRS1H5SB/i-0b571b6946c9e267e is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-1:124915225239:function:EnlessDecode because no resource-based policy allows the lambda:InvokeFunction action (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 8acab5cf-0466-4dcb-9979-93139c3a34b5; Proxy: null)"
    }

I understand that the Rule does not have the permission to invoke the function, but I gave full access.

Destination's role is 'AWSIotWirelessDestination-EnlessWireless': [screenshot]

And this role has 'AWSLambda_FullAccess': [screenshot]

What is very intriguing is that I have another function that is properly invoked. Two visible differences are (1) function2 is 'attached' to an application and (2) function2 is Python (function1 is Node.js).

I've read this post: AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

Doesn't help.

CodePudding user response:

Your error says that there is no resource-based policy attached to Lambda that allows access for the "arn:aws:sts::054971253646:assumed-role/iotgoldeneyeruntimeservice-eu-west-1-InstanceRole-EA40NRS1H5SB/i-0b571b6946c9e267e" user/role. So there are 2 problems:

  1. AWS expects a policy attached to Lambda (resource-based policy).
  2. Adding policies to AWSIotWirelessDestination-EnlessWireless role won't help since the problem is not with this role but with a role that AWSIotWirelessDestination-EnlessWireless role assumes.
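To make the answer's point concrete, here is an added example (not from the question, the answer, or AWS's own code) showing the shape of the function policy statement that `aws lambda add-permission --principal iot.amazonaws.com --source-arn ... --source-account ...` attaches to a Lambda function, together with a deliberately simplified evaluator for it. The function ARN, account and rule name are taken from the error message above; the rule ARN format `arn:aws:iot:<region>:<account>:rule/<name>` and the use of `iot.amazonaws.com` as the calling service principal are assumptions about how AWS IoT rules invoke Lambda, and the evaluator only models the keys the statement uses, not the full IAM evaluation logic. The evaluator makes the two problems from the answer visible: with no statement on the function the call is denied regardless of what is attached to the destination's IAM role, and scoping the statement with `AWS:SourceArn`/`AWS:SourceAccount` keeps a rule in another account from invoking the function through the same service principal.

```python
"""Function (resource-based) policy that lets an AWS IoT rule invoke a Lambda function.

Added example, not code from the original question or answer.
"""
import fnmatch
import json

# Values from the error message in the question.
ACCOUNT_ID = "124915225239"
REGION = "eu-west-1"
FUNCTION_NAME = "EnlessDecode"
RULE_NAME = "RuleEnlessWireless600031"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:{FUNCTION_NAME}"
# Assumption: IoT rule ARNs have the form arn:aws:iot:<region>:<account>:rule/<name>.
RULE_ARN = f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:rule/{RULE_NAME}"
IOT_SERVICE_PRINCIPAL = "iot.amazonaws.com"


def build_iot_invoke_statement(function_arn, rule_arn, source_account, sid="iot-rule-invoke"):
    """Statement equivalent to what `aws lambda add-permission` adds for a service principal.

    SourceArn/SourceAccount restrict the grant to one rule in one account, so another
    account's rule cannot invoke the function via the same shared service principal.
    """
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": IOT_SERVICE_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": source_account},
            "ArnLike": {"AWS:SourceArn": rule_arn},
        },
    }


def build_policy(statements):
    """Wrap statements in a policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def add_permission_command(function_name, rule_arn, source_account, sid="iot-rule-invoke"):
    """The CLI call that attaches the same statement to the function's resource-based policy."""
    return (
        f"aws lambda add-permission --function-name {function_name} --statement-id {sid} "
        f"--action lambda:InvokeFunction --principal {IOT_SERVICE_PRINCIPAL} "
        f"--source-arn {rule_arn} --source-account {source_account}"
    )


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _condition_matches(condition, context):
    """Only StringEquals and ArnLike are modelled (the operators the statement uses)."""
    for key, value in condition.get("StringEquals", {}).items():
        if context.get(key) != value:
            return False
    for key, pattern in condition.get("ArnLike", {}).items():
        if not fnmatch.fnmatchcase(context.get(key, ""), pattern):
            return False
    return True


def is_invoke_allowed(policy, service_principal, function_arn, context):
    """Simplified check of the function's resource-based policy for a service-principal caller.

    `context` carries the request attributes the conditions refer to (AWS:SourceArn,
    AWS:SourceAccount). Nothing attached to the caller's IAM role is consulted here,
    which is exactly why adding AWSLambda_FullAccess to the destination role did
    not change the outcome in the question.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if service_principal not in _as_list(stmt.get("Principal", {}).get("Service")):
            continue
        if not any(fnmatch.fnmatchcase("lambda:InvokeFunction", a) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(function_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_policy([build_iot_invoke_statement(FUNCTION_ARN, RULE_ARN, ACCOUNT_ID)])
    print(json.dumps(policy, indent=2))
    print(add_permission_command(FUNCTION_NAME, RULE_ARN, ACCOUNT_ID))
    ctx = {"AWS:SourceArn": RULE_ARN, "AWS:SourceAccount": ACCOUNT_ID}
    print("empty policy allows invoke:", is_invoke_allowed(build_policy([]), IOT_SERVICE_PRINCIPAL, FUNCTION_ARN, ctx))
    print("scoped policy allows invoke:", is_invoke_allowed(policy, IOT_SERVICE_PRINCIPAL, FUNCTION_ARN, ctx))
```

Running the script prints the policy document, the equivalent `add-permission` call, and the two evaluations (denied with no statement, allowed once the scoped statement is present). After attaching the permission for real, `aws lambda get-policy --function-name EnlessDecode` shows the resulting statement, which is the first thing to check when the error message says "no resource-based policy allows the lambda:InvokeFunction action".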