AWS Lambda credentials from the execution environment do not have the execution role's permissions

2
votes

I am deploying an AWS lambda function (with nodejs 12.x) that executes an AWS command ("iot:attachPrincipalPolicy") when invoked. I'm taking the credentials to run this command from the lambda execution environment variables.

  const AWS = require('aws-sdk/global');

  const region = process.env['AWS_REGION'];
  const accessKeyId = process.env['AWS_ACCESS_KEY_ID'];
  const secretAccessKey = process.env['AWS_SECRET_ACCESS_KEY'];

  AWS.config.region = region;
  AWS.config.credentials = new AWS.Credentials(accessKeyId, secretAccessKey);

  // attachPrincipalPolicy command from the AWS SDK here

When I test the function locally (with sam local start-api) it runs successfully, because in my AWS CLI I have set the ACCESS_KEY_ID and secret of my administrator account.

However when I deploy the function and invoke it the lambda fails on that command with a client error (the credentials are not valid), even when I give full admin access also to the lambda's execution role.

enter image description here

Here I gave full permissions in an inline policy and I also explicitly added the pre-defined admin access policy too.

I expected the AWS_ACCESS_KEY_ID that you get from the environment variables to grant me all the permissions that I have set in the lambda function's execution role but it looks like the privilege that I grant to the execution role are not reflected in these credentials.

Is my assumption wrong? Where do these credentials come from and how can I find out what they allow me to do?

1
node.jsamazon-web-servicesaws-lambdaamazon-iamaws-sam
Have you tried deleting all that code and just letting the AWS SDK do what it does by default to pick up the credentials assigned to the runtime environment? You're probably missing an STS token or something in the credentials. It is so much easier to just let the SDK do all this for you, which it does by default, instead of trying to re-invent the credentials lookup in your own code. - Mark B

1 Answers

6
votes

The Lambda execution runtime will provide your function invocation with a temporary session token (not a persistent/permanent access key / secret access key).

Behind the scene, the Lambda Service will use the AWS Security Token Service (AWS STS) to assume the Lambda execution role of your Lambda function. This is why you must also add the Lambda Service principal as a trusted service principal in the trust policy of your execution role. And the result of this is a temporary session.

The credentials for this temporary session are stored in a combination of the environment variables AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID and AWS_SESSION_TOKEN.

You should however not need to configure/specify any credentials manually, as the default credentials loader chain in the AWS SDK takes care of this automatically.