AWS Lambda designer not showing function roles

Question

I'm creating a Lambda function in AWS with an execution role that allows access to Step functions, Cloudwatch, SES and SNS. This is what the role looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ses:*",
                "states:*",
                "sns:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

I would expect to see something like this:

But instead I see non of the permissions show up.

In IAM I also see a problem pop up: "This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition." Perhaps this has to do with it?

To be clear, this does cause lambda to through an error: User: arn:aws:sts::331730032056:assumed-role/emailapprove-LambdaStateMachineExecutionRole-154HYVZP76DJ/hrlOQvSgKVkdGQCZFrkTZYFPFNiQZlkf is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:331730032056:function:catreminder-sms (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 3bf201d7-30be-4922-bfef-3d0b26e443ce) — Herman

cathal aherne cathal aherne · Accepted Answer · 2019-12-24T15:20:54

Due to the recent addition of "destinations" within Lambda, as far as I can tell, Lambda no longer displays services that Lambda has access to. The best way to make sure you have permissions to access these resources, would be use a site such as this to generate the IAM permissions, and in then access the Role linked used by your Lambda function, found under "Execution role" in the console.

AWS Lambda designer not showing function roles

2 Answers