Solve AccessDeniedException (Not Authorized) Error - AWS CLI

Borislav Hadzhiev

Fri Sep 17 2021 · 2 min read

Photo by Artem Sapegin

Solve the AccessDeniedException Error in AWS CLI #

The AccessDeniedException error occurs in the AWS CLI when we try to execute a command without having the necessary IAM permissions.

In this example I try to invoke a lambda function with a profile that doesn't have the necessary permissions and get the AccessDeniedException error:

[Screenshot: access denied exception error]

The error message contains information regarding what permissions the IAM entity is lacking.

In this case, the user is not authorized to perform the lambda:InvokeFunction action on the lambda function with the specified ARN.

In order to solve the AccessDeniedException error in the AWS CLI, we have to attach a policy to the IAM entity that permits it to perform the necessary actions on the specified resources.

Using the information from the error message, the IAM Policy will look like:

policy.json
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": ["arn:aws:lambda:eu-central-1::function:testFunction"]
    }
  ]
}
```

I've omitted my account number from the function arn for security purposes.

If you want to be more broad with the permissions, you could use the * symbol, for instance:

  • an Action of lambda:* grants permission to execute all lambda actions
  • an Action of lambda:Invoke* grants permission to execute the lambda actions whose names start with Invoke
  • a Resource of arn:aws:lambda:*:12345678:function:* applies the Action to all lambda functions, in all regions of the account

Keep in mind that it's a best practice to grant only the least permissions that allow you to get the job done.
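Turning the error message into the policy above, and checking what a wildcard pattern actually covers before you grant it, can be scripted. This added example is not from the original post or from AWS: it parses a constructed AccessDeniedException message (the account id 123456789012 is a placeholder), emits the least-privilege policy for it, and evaluates candidate statements with IAM-style wildcard matching (Condition blocks are not modelled).

```python
import fnmatch
import re

# Constructed sample of an AWS CLI AccessDeniedException message (not from the
# original post); the account id 123456789012 is a placeholder.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the Invoke operation: "
    "User: arn:aws:iam::123456789012:user/tester is not authorized to perform: "
    "lambda:InvokeFunction on resource: "
    "arn:aws:lambda:eu-central-1:123456789012:function:testFunction"
)

# Pulls principal, action and resource out of the "... is not authorized to
# perform: <action> on resource: <arn>" phrasing the error text carries.
DENIED_RE = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                       r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} from the error message."""
    match = DENIED_RE.search(message)
    if match is None:
        raise ValueError("message does not contain an IAM authorization failure")
    return match.groupdict()

def least_privilege_policy(action, resource):
    """Narrowest identity-based policy that allows exactly the denied call."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": [action], "Resource": [resource]}]}

def _matches(value, patterns):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, pat) for pat in patterns)

def policy_allows(policy, action, resource):
    """Does the policy cover `action` on `resource`? Action names are matched
    case-insensitively, ARNs case-sensitively, and an explicit Deny beats any
    Allow, as in IAM. Condition blocks are not modelled."""
    allowed = False
    for st in policy["Statement"]:
        acts = st.get("Action", [])
        acts = [a.lower() for a in ([acts] if isinstance(acts, str) else acts)]
        if _matches(action.lower(), acts) and _matches(resource, st.get("Resource", [])):
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed
```

Feed it the text of your own error and compare the generated policy with any broader statement you are tempted to write; `policy_allows` tells you whether the wildcard version also covers actions you did not intend.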

Once we have the IAM policy with the necessary permissions, we can attach it to the IAM entity, in this case a user:

```shell
aws iam put-user-policy --user-name tester --policy-name InvokeLambda --policy-document file://policy.json
```

[Screenshot: attach policy to user]

Now that the IAM policy is attached to the user, let's try to invoke the lambda function again:

[Screenshot: with policy attached]

With the policy attached, the AWS CLI request is successful and no longer throws the AccessDeniedException error.

To view the inline policies attached to a user, we can run the list-user-policies command:

```shell
aws iam list-user-policies --user-name your_username
```

[Screenshot: list user policies]
