AccessDeniedException (Not Authorized) Error - AWS CLI


Borislav Hadzhiev

Last updated: Sep 17, 2021


Photo from Unsplash

AccessDeniedException (Not Authorized) Error - AWS CLI #

The reason the AccessDeniedException error occurs in AWS CLI is because we're trying to execute a command, without having the necessary IAM permissions.

In this example, I try to invoke a lambda function with a profile that doesn't have the necessary permissions and get the AccessDeniedException error:

access denied exception error

The error message contains information regarding what permissions the IAM entity is lacking.

In this case, the user is not authorized to perform the lambda:InvokeFunction action on the lambda function with the specified ARN.

In order to solve the AccessDeniedException error in AWS CLI, we have to attach a policy to the IAM entity, which permits it to execute the necessary actions on the specified resources.

Using the information from the error message, the IAM Policy will look like:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:eu-central-1::function:testFunction" ] } ] }

I've omitted my account number from the function ARN for security purposes.

If you want to be broader with the permissions, you could use the * symbol, for instance:

  • an Action of lambda:* grants permission to execute all lambda actions
  • an Action of lambda:Invoke* grants permissions to execute lambda actions that start with Invoke
  • a Resource of arn:aws:lambda:*:12345678:function:* applies the Action to all lambda functions, in all regions in the account.
Keep in mind that it's always a best practice to grant the least permissions, that allow you to get the job done.

Once we have the IAM policy with the necessary permissions, we can attach it to the IAM entity, in this case, a user:

aws iam put-user-policy --user-name tester --policy-name InvokeLambda --policy-document file://policy.json

attach policy to user

Now that the IAM policy is attached to the user, let's try to invoke the lambda function again:

with policy attached

With the policy attached, the AWS CLI request is successful and no longer throws the AccessDeniedException error.

To view the policies attached to a user, we can run the list-user-policies command:

aws iam list-user-policies --user-name your_username

list user policies

Further Reading #

I wrote a book in which I share everything I know about how to become a better, more efficient programmer.
book cover
You can use the search field on my Home Page to filter through all of my articles.