7
votes

I have a very simple AWS Lambda function - just listing all my CloudWatch events:

import boto3

def lambda_handler(event, context):
    client = boto3.client("events")
    return client.list_rules()

However, when I try to run it (with an empty test event: {}), I am getting the following permissions exception:

An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName 
is not authorized to perform: events:ListRules 
on resource: arn:aws:events:eu-west-1:123321123321:rule/*

I do have this policy attached to the lambda execution role (and I can see the actions listed in the permissions tab on the lambda):

{
  "document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "BasicCloudWatchEventsManager",
        "Effect": "Allow",
        "Action": [
          "events:DescribeRule",
          "events:EnableRule",
          "events:PutRule",
          "events:ListRules",
          "events:DisableRule"
        ],
        "Resource": "arn:aws:events:*:*:rule/[*/]*"
      }
    ]
  },
  "name": "BasicCloudWatchEventsManager",
  "id": "SOME7LONG7ID",
  "type": "managed",
  "arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}

I've build the policy using the visual editor they provide, just changed the sid manually.

Any clues what might be missing?

1
Could be an SCP (if you're in an environment that uses AWS Organizations) or a permission boundary kicking in. Did you try policysim.aws.amazon.com to verify? - Michael Hausenblas
@MichaelHausenblas I run this on my own account, from the AWS interface - no policy boundaries set. Didn't know of policysim, but tried it now - denied Implicitly denied (no matching statements). - Faboor
Gotcha. When using the policy simulator, did you provide your resource ARN? - Michael Hausenblas
@MichaelHausenblas I didn't want to provide a specific ARN, because I want to list all my rules, even the ones I plan to create in the future. But when I tried with a specific arn, or changing to "Resource": "*" it worked - this has lead me to the answer I posted. Thanks for your help! The policysim was a great tip. - Faboor

1 Answers

10
votes

After a lot of frustration, I figured it out. In the visual policy editor, selecting the resource as any rule, adding and ARN and selecting "any" for all options will create add this line in the policy:

"Resource": "arn:aws:events:*:*:rule/[*/]*"

What this is meant to stand for is:

  • an events resource
  • in any (*) region
  • on any account
  • in any event bus, if the rule belongs to one (this is the [*/] part)
  • with any name

However, looks like Amazon's logic is slightly broken and the optional part doesn't work and is probably taken literally. So what I had to do to fix it is to change this to:

"Resource": "arn:aws:events:*:*:rule/*"

With this it works without issues.