0
votes

I am trying to create a Lambda function in AWS through the AWS command. When I execute the command, I get the error below. But the role which I've mentioned in the AWS command has enough permission to deploy the Lambda function. I'm not sure what went wrong, even though the role has permission.

Command:

aws lambda create-function \
    --function-name ukmon-appd-disabled-health-rules \
    --runtime python3.7 \
    --zip-file fileb://bin/disabled_health_rules.zip \
    --handler index.handler \
    --timeout 10 \
    --memory-size 1024 \
    --role arn:aws:iam::99999999999:role/crossaccount

Policies:

"AllowLambdaFunctionStack": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Policy for allowing jenkins cross account service role to create, update, delete lambda functions.",
        "Path": "/",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "lambda:InvokeFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:ListFunctions",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:CreateAlias",
                "lambda:DeleteAlias",
                "lambda:GetAlias",
                "lambda:ListAliases",
                "lambda:UpdateAlias",
                "lambda:GetPolicy",
                "lambda:InvokeAsync",
                "lambda:ListVersionsByFunction",
                "lambda:PublishVersion",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:ListEventSourceMappings",
                "lambda:DeleteEventSourceMapping",
                "lambda:UpdateEventSourceMapping",
                "lambda:TagResource",
                "lambda:ListTags",
                "lambda:UntagResource"
              ],
              "Effect": "Allow",
              "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",
              "Sid": "AllowLambdaFuctionsStacks"
            }
          ]
        },

Error:

An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:sts::999999999999:assumed-role/crossaccount/i-0d2dd689c2784f174 is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:eu-west-1:999999999999:function:ukmon-appd-disabled-health-rules

Thanks in advance.

1
Can you share the policy? - Deiv
Okay, I will update it in the question. - lalithkumar
I have updated @Deiv - lalithkumar

1 Answer

3
votes

I think you are mixing up IAM roles in your question. The IAM role you are passing to the create-function AWS CLI call is the role that the Lambda service will assume at runtime, i.e. the permissions you are giving to your Lambda function at runtime.
To be authorised to make the aws lambda create-function CLI call, your environment must have the CreateFunction authorisation.

But in case you are not mixing up roles, there is a problem in your policy. It authorises all the listed API calls only on Lambda resources complying with

"Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",

The Lambda function you're trying to create is named ukmon-appd-disabled-health-rules. Only functions whose name starts with crossaccount- will be authorised.
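To make the mismatch concrete, here is an added worked example (not code from the question or the answer) that evaluates an identity policy statement offline the way the answer reasons about it: IAM's `*`/`?` wildcard matching is applied to the Action and Resource fields, and the function ARN from the error message is tested against the `crossaccount-*` pattern. The policy below is a constructed copy of the statement quoted in the question, trimmed to three actions; the evaluation is a simplification that ignores Condition keys, NotAction/NotResource, resource-based policies and SCPs (all assumptions noted in the code).

```python
import re

# Constructed sample policy: the Allow statement quoted in the question,
# reduced to three of its actions (the others behave the same way).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLambdaFuctionsStacks",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunction",
            ],
            "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def iam_match(pattern, value, case_insensitive=False):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively; ARNs are compared as written."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation for one action/resource pair.
    An explicit Deny wins, then any matching Allow, otherwise implicit deny.
    Assumption: Condition, NotAction/NotResource, resource policies and SCPs are ignored."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(iam_match(a, action, case_insensitive=True) for a in actions):
            continue
        if not any(iam_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def near_misses(policy, action, resource):
    """Sids of Allow statements that cover the action but whose Resource pattern
    does not cover this ARN: the usual cause of an AccessDeniedException like the one above."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(iam_match(a, action, case_insensitive=True) for a in actions):
            continue
        if any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    base = "arn:aws:lambda:eu-west-1:999999999999:function:"
    for name in ("ukmon-appd-disabled-health-rules", "crossaccount-ukmon-health-rules"):
        arn = base + name
        print(name, "->", evaluate(POLICY, "lambda:CreateFunction", arn),
              near_misses(POLICY, "lambda:CreateFunction", arn))
```

Running it shows the function name from the question falling to an implicit deny with `AllowLambdaFuctionsStacks` reported as the near miss, while a name under the `crossaccount-` prefix is allowed. The narrow Resource pattern is doing useful least-privilege work here, so the fix is to rename the function to fit the prefix (or add a second, equally specific pattern) rather than widen the Resource to `*`.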