Borislav Hadzhiev
Fri Sep 17 2021·2 min read
The reason the AccessDeniedException error occurs in AWS CLI is because we're trying to execute a command without having the necessary IAM permissions.
In this example I try to invoke a lambda function with a profile that doesn't have the necessary permissions and get the AccessDeniedException error:
In this case, the user is not authorized to perform the lambda:InvokeFunction action on the lambda function with the specified ARN.
In order to solve the AccessDeniedException error in AWS CLI, we have to attach a policy to the IAM entity, which permits it to execute the necessary actions on the specified resources.
Using the information from the error message, the IAM Policy will look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["lambda:InvokeFunction"],
      "Resource": ["arn:aws:lambda:eu-central-1::function:testFunction"]
    }
  ]
}
I've omitted my account number from the function ARN for security purposes.
If you want to be broader with the permissions, you could use the * symbol, for instance:

- An Action of lambda:* grants permission to execute all lambda actions.
- An Action of lambda:Invoke* grants permission to execute lambda actions that start with Invoke.
- A Resource of arn:aws:lambda:*:12345678:function:* applies the Action to all lambda functions, in all regions in the account.

Once we have the IAM policy with the necessary permissions, we can attach it to the IAM entity, in this case a user:

aws iam put-user-policy --user-name tester --policy-name InvokeLambda --policy-document file://policy.json
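To see concretely what the policy above grants, and what the wildcard variants change, here is an added example (my own code, not from the original post). It builds the same policy document as a Python dict, writes it out so it can be passed as file://policy.json to the put-user-policy command, and runs a minimal evaluator over it that mimics how IAM matches Action and Resource patterns (explicit Deny wins, then any matching Allow, otherwise implicit deny). The account id 123456789012 and the function names are constructed placeholders; NotAction, NotResource and Condition are deliberately not handled.

```python
import json
import re


def build_invoke_policy(function_arn):
    """Least-privilege policy granting only lambda:InvokeFunction on one function.
    Same shape as the policy.json in the post; the ARN is supplied by the caller."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["lambda:InvokeFunction"],
                "Resource": [function_arn],
            }
        ],
    }


# Constructed placeholders: not a real account id or function.
NARROW_ARN = "arn:aws:lambda:eu-central-1:123456789012:function:testFunction"
NARROW_POLICY = build_invoke_policy(NARROW_ARN)

# Broader variant using the wildcard forms described above:
# every lambda action starting with Invoke, on every function in the account, in every region.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:Invoke*",
            "Resource": "arn:aws:lambda:*:123456789012:function:*",
        }
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value) is not None


def is_allowed(policy, action, resource):
    """Evaluate one identity policy for (action, resource).
    Action names are compared case-insensitively, resource ARNs case-sensitively.
    An explicit Deny overrides any Allow; no matching statement means implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            iam_match(p.lower(), action.lower()) for p in _as_list(stmt.get("Action"))
        )
        resource_hit = any(
            iam_match(p, resource) for p in _as_list(stmt.get("Resource"))
        )
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def write_policy_file(policy, path="policy.json"):
    """Write the document so it can be attached with:
    aws iam put-user-policy --user-name tester --policy-name InvokeLambda --policy-document file://policy.json"""
    with open(path, "w") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    print(json.dumps(NARROW_POLICY, indent=2))
    other_fn = "arn:aws:lambda:us-east-1:123456789012:function:other"
    for name, policy in (("narrow", NARROW_POLICY), ("broad", BROAD_POLICY)):
        for action in ("lambda:InvokeFunction", "lambda:GetFunction"):
            for arn in (NARROW_ARN, other_fn):
                print(name, action, arn.rsplit(":", 1)[1], is_allowed(policy, action, arn))
```

The narrow policy allows exactly one action on exactly one function, which is the fix the post applies; the broad policy shows how far lambda:Invoke* and a region wildcard in the Resource widen that grant (they still stop at the account id and at non-Invoke actions such as lambda:GetFunction).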
Now that the IAM policy is attached to the user, let's try to invoke the lambda function again:
With the policy attached, the AWS CLI request is successful and no longer throws the AccessDeniedException error.
To view the policies attached to a user, we can run the list-user-policies command:
aws iam list-user-policies --user-name your_username