In order to solve the `AccessDeniedException` error, grant permissions to the IAM entity to perform the necessary actions on the specified resources.

Solve AccessDeniedException (Not Authorized) Error - AWS CLI


## Solve the AccessDeniedException Error in AWS CLI

**The reason the `AccessDeniedException` error occurs in AWS CLI is because
we're trying to execute a command, without having the necessary IAM
permissions.**

In this example I try to invoke a lambda function with a profile that doesn't
have the necessary permissions and get the `AccessDeniedException` error:

![access denied exception error](/images/blog/aws-cli-access-denied-exception-not-authorized/access-denied-exception-error.webp)

<Alert>
  The error message contains information regarding what permissions the IAM
  entity is lacking.
</Alert>

In this case, the user is not authorized to perform the `lambda:InvokeFunction`
action on the lambda function with the specified arn.

**In order to solve the `AccessDeniedException` error in AWS CLI, we have to
attach a policy to the IAM entity, which permits it to execute the necessary
actions on the specified resources**.

Using the information from the error message, the IAM Policy will look like:

```json:policy.json
{
  "Version": "2012-10-17",
  "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "lambda:InvokeFunction"
        ],
        "Resource": [
          "arn:aws:lambda:eu-central-1::function:testFunction"
        ]
      }
    ]
}
```

I've omitted my account number from the function arn for security purposes.

If you want to be more broad with the permissions, you could use the `*` symbol,
for instance:

- an `Action` of `lambda:*` grants permission to execute all lambda actions
- an `Action` of `lambda:Invoke*` grants permissions to execute lambda actions
  that start with `Invoke`
- a `Resource` of `arn:aws:lambda:*:12345678:function:*` applies the `Action` to
  all lambda functions, in all regions in the account.

<InArticleAd />

<Alert>
  Keep in mind that it's always a best practice to grant the least permissions,
  that allow you to get the job done.
</Alert>

**Once we have the IAM policy with the necessary permissions, we can attach it
to the IAM entity, in this case a user:**

```bash:shell
aws iam put-user-policy --user-name tester --policy-name InvokeLambda --policy-document file://policy.json
```

![attach policy to user](/images/blog/aws-cli-access-denied-exception-not-authorized/attach-policy-to-user.webp)

Now that the IAM policy is attached to the user, let's try to invoke the lambda
function again:

![with policy attached](/images/blog/aws-cli-access-denied-exception-not-authorized/with-policy-attached.webp)

With the policy attached, the AWS CLI request is successful and no longer throws
the `AccessDeniedException` error.

To view the policies attached to a user, we can run the `list-user-policies`
command:

```bash:shell
aws iam list-user-policies --user-name your_username
```

![list user policies](/images/blog/aws-cli-access-denied-exception-not-authorized/list-user-policies.webp)

<InArticleAd />

## Further Reading

- [AWS CDK Tutorial for Beginners - Step-by-Step Guide](/blog/aws-cdk-tutorial-typescript)
- [How does AWS CDK work](/blog/how-does-aws-cdk-work)
- [What is a Token in AWS CDK](/blog/what-is-aws-cdk-token)
- [CDK Constructs - Complete Guide](/blog/cdk-constructs-tutorial)
- [What is an identifier (id) in AWS CDK](/blog/aws-cdk-identifiers)
- [How to use Context in AWS CDK](/blog/how-to-use-context-aws-cdk)
- [How to use Parameters in AWS CDK](/blog/aws-cdk-parameters-example)

<InArticleAd />


Solve AccessDeniedException (Not Authorized) Error - AWS CLI

Solve the AccessDeniedException Error in AWS CLI #

Further Reading #

Borislav Hadzhiev

For more articles, navigate to myHome Page

Solve AccessDeniedException (Not Authorized) Error - AWS CLI

Solve the AccessDeniedException Error in AWS CLI #

Further Reading #

Join my newsletter

Borislav Hadzhiev

For more articles, navigate to myHome Page