Solve AccessDeniedException (Not Authorized) Error - AWS CLI

Solve the AccessDeniedException Error in AWS CLI #

The reason the AccessDeniedException error occurs in AWS CLI is because we're trying to execute a command, without having the necessary IAM permissions.

In this example I try to invoke a lambda function with a profile that doesn't have the necessary permissions and get the AccessDeniedException error:

In this case, the user is not authorized to perform the lambda:InvokeFunction action on the lambda function with the specified arn.

In order to solve the AccessDeniedException error in AWS CLI, we have to attach a policy to the IAM entity, which permits it to execute the necessary actions on the specified resources.

Using the information from the error message, the IAM Policy will look like:

Copied!
{
  "Version": "2012-10-17",
  "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "lambda:InvokeFunction"
        ],
        "Resource": [
          "arn:aws:lambda:eu-central-1::function:testFunction"
        ]
      }
    ]
}

I've omitted my account number from the function arn for security purposes.

If you want to be more broad with the permissions, you could use the * symbol, for instance:

• an Action of lambda:* grants permission to execute all lambda actions
• an Action of lambda:Invoke* grants permissions to execute lambda actions that start with Invoke
• a Resource of arn:aws:lambda:*:12345678:function:* applies the Action to all lambda functions, in all regions in the account.

Once we have the IAM policy with the necessary permissions, we can attach it to the IAM entity, in this case a user:

Copied!
aws iam put-user-policy --user-name tester --policy-name InvokeLambda --policy-document file://policy.json

Now that the IAM policy is attached to the user, let's try to invoke the lambda function again:

With the policy attached, the AWS CLI request is successful and no longer throws the AccessDeniedException error.

To view the policies attached to a user, we can run the list-user-policies command:

Copied!
aws iam list-user-policies --user-name your_username

Further Reading #

• AWS CDK Tutorial for Beginners - Step-by-Step Guide
• How does AWS CDK work
• What is a Token in AWS CDK
• CDK Constructs - Complete Guide
• What is an identifier (id) in AWS CDK
• How to use Context in AWS CDK
• How to use Parameters in AWS CDK