Serverless framework Lambda AppSync error - aws-lambda

I'm using the serverless framework to upload an AWS Lambda function to be used as a data source in AppSync. The serverless.yml that I have is very basic:
service: mongoose-lambda-srvrls
provider:
  name: aws
  runtime: nodejs6.10
  region: us-west-2
functions:
  mongoose:
    handler: index.handler
When I run an AppSync GraphQL query I get the error:
{
  "data": {
    "getPost": null
  },
  "errors": [
    {
      "path": [
        "getPost"
      ],
      "data": null,
      "errorType": "Lambda:AWSLambdaException",
      "errorInfo": null,
      "locations": [
        {
          "line": 43,
          "column": 2
        }
      ],
      "message": "User: arn:aws:sts::433333333335:assumed-role/appsync-datasource-lam-kkzuep-mongoose-lambda-srvr/APPSYNC_ASSUME_ROLE is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:43333333333335:function:mongoose-lambda-srvrls-dev-mongoose (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 9fa82eb9-3a64-11e8-88a1-09c4e639fc45)"
    }
  ]
}
I'm pretty sure that I need to flesh out my YML so that this lambda stack will play nice with AppSync but I'm not quite sure what to do.
A little more info. When looking at the resources in Lambda's CloudFormation, I see:
IamRoleLambdaExecution mongoose-lambda-srvrls-dev-us-west-2-lambdaRole AWS::IAM::Role
MongooseLambdaFunction mongoose-lambda-srvrls-dev-mongoose AWS::Lambda::Function
MongooseLambdaVersionwCQ1... arn:aws:lambda:us-west-2:4542242445:function:mongoose-lambda-srvrls-dev-mongoose:4 AWS::Lambda::Version
MongooseLogGroup /aws/lambda/mongoose-lambda-srvrls-dev-mongoose AWS::Logs::LogGroup
ServerlessDeploymentBucket mongoose-lambda-srvrls-d-serverlessdeploymentbuck-qwp8sdfgjr AWS::S3::Bucket
Whereas the Lambda that I made using the AppSync docs (AWS CLI) has the following CloudFormation resources:
AppSyncLambdaInvokePolicy Fulls-AppS-15SHASDFSADZ03N AWS::IAM::Policy
AppSyncServiceRole Fullstack-Lamba-AppSyncServiceRole-DK8QHASDFE5R AWS::IAM::Role
LambdaExecutionRole Fullstack-Lamba-LambdaExecutionRole-OJHASDF3AHG1 AWS::IAM::Role
LambdaFunction fullstack-lambda AWS::Lambda::Function

It looks like the role you gave AppSync to run the lambda function does not have permission to invoke that particular lambda.
You will need to create or modify a role so it has the following permissions.
The IAM role should have a policy which enables anybody who assumes it to run/invoke your lambda function:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:REGION:ACCOUNTNUMBER:function:LAMBDA_FUNCTION"
    }
  ]
}
The role should also have a trust policy. This trust policy will allow AppSync to assume the role on your behalf. This is how AppSync invokes your lambda whenever a GraphQL request comes in.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Once you have an IAM role with necessary permissions, you will need to make sure it is associated with the lambda data source in AppSync. You can select the role in the Data Sources section of the AppSync console or use the AppSync CLI to update the lambda data source and make it use your role.
For more information about creating a lambda function which plays nice with AppSync, here is the documentation: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html#configure-data-source-for-aws-lambda

I think they made a mistake in the https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-lambda-resolvers.html#configure-data-source-for-aws-lambda documentation.
The allowed action should be lambda:InvokeFunction and NOT lambda:Invoke.
This is working:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNTNUMBER:function:LAMBDA_FUNCTION"
    }
  ]
}

Related

AWS Lambda - (AccessDeniedException) when calling the Scan operation User is not authorized to perform: dynamodb: Scan

I am trying to access DynamoDB via boto3 (Python) in AWS. I got this working on my local machine. As I understand it, when running in AWS it just uses IAM roles to get access. But it does not work.
Lambda execution failed with status 200 due to customer function error: An error occurred (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts::021517822274:assumed-role/CodeStar-tt-api-subjects-Execution/awscodestar-tt-api-subjects-lambda-HelloWorld is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:021517822274:table/tt-subjects.
Much the same question was asked here:
How to solve (AccessDeniedException) when calling the Scan operation: User: arn:aws:sts... is not authorized to perform: dynamodb:Scan on resource.."?
And I applied the suggested AmazonDynamoDBFullAccess policy. Tried also those:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_specific-table.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_lambda-access-dynamodb.html
My own added policy (in addition) is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAndDescribe",
      "Effect": "Allow",
      "Action": [
        "dynamodb:List*",
        "dynamodb:DescribeReservedCapacity*",
        "dynamodb:DescribeLimits",
        "dynamodb:DescribeTimeToLive"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SpecificTable",
      "Effect": "Allow",
      "Action": [
        "dynamodb:BatchGet*",
        "dynamodb:DescribeStream",
        "dynamodb:DescribeTable",
        "dynamodb:Get*",
        "dynamodb:Query",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/tt-subjects"
    }
  ]
}
But I still got the same error.
Does it take a long time to apply the policies or what may still cause that?
Now I found the answer. As I created my Lambda with CodeStar, it also created a permissions boundary.
How to solve this issue:
remove the boundary (not recommended)
extend the boundary, like this:
Edit the boundary of your lambda:
Open console for Lambda
Go to tab configuration
In Execution Role, open the link to your role
Now you are in IAM role editor. Scroll down to Permission boundary
Copy that name (there is no link)
Go in IAM menu to Policies
Search for the copied name
Edit (extend) the policy.
In my case, regarding DynamoDB, I scrolled down to Sid 6 (might differ for you). It is an Allow block with many simple entries and * as the resource.
So I extended this block with DynamoDB entries. Now it looks like this:
...
{
  "Sid": "6",
  "Effect": "Allow",
  "Action": [
    "apigateway:GET",
    "cloudtrail:CreateTrail",
    "cloudtrail:StartLogging",
    "ec2:Describe*",
    "lambda:ListFunctions",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:PutLogEvents",
    "sns:Get*",
    "sns:List*",
    "sns:Publish",
    "sns:Subscribe",
    "xray:Put*",
    "dynamodb:BatchGet*",
    "dynamodb:DescribeStream",
    "dynamodb:DescribeTable",
    "dynamodb:Get*",
    "dynamodb:Query",
    "dynamodb:Scan",
    "dynamodb:BatchWrite*",
    "dynamodb:CreateTable",
    "dynamodb:Delete*",
    "dynamodb:Update*",
    "dynamodb:PutItem",
    "dynamodb:List*",
    "dynamodb:DescribeReservedCapacity*",
    "dynamodb:DescribeLimits",
    "dynamodb:DescribeTimeToLive"
  ],
  "Resource": [
    "*"
  ]
},
...
Many thanks to the contributors who helped me!
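An added example, not code from any of the posts above: a deliberately simplified, local IAM-style evaluator that shows why the two 403s in this thread happen. It replays the AppSync data-source policy from the first question (the docs' "lambda:Invoke" action and "function/" ARN separator versus the working "lambda:InvokeFunction" form) and the CodeStar execution role from the DynamoDB question, where the identity policy allows dynamodb:Scan but the permissions boundary does not until it is extended. The ARNs are copied from the error messages above; the policy Version key is omitted because the evaluator never reads it, the boundary is abridged to three of its Sid 6 actions, and NotAction/Condition elements are not modelled.

```python
import re

def _iam_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _decision(policy, action, resource):
    """Return 'Deny', 'Allow', or None when no statement matches; Deny wins."""
    result = None
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue  # action names are matched case-insensitively
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue  # resource ARNs are case-sensitive: 'function/x' != 'function:x'
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result

def is_authorized(identity_policies, action, resource, boundary=None):
    """Allowed only if an identity policy allows it AND (when a permissions
    boundary is attached) the boundary allows it too; explicit Deny wins."""
    decisions = [_decision(p, action, resource) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    return boundary is None or _decision(boundary, action, resource) == "Allow"

# Case 1: the AppSync data-source role; ARN taken from the 403 message above.
FN_ARN = "arn:aws:lambda:us-west-2:433333333335:function:mongoose-lambda-srvrls-dev-mongoose"
DOCS_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["lambda:Invoke"],
    "Resource": FN_ARN.replace("function:", "function/")}]}  # as in the old docs
FIXED_POLICY = {"Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Resource": FN_ARN}]}

# Case 2: CodeStar execution role behind a permissions boundary (boundary abridged).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:021517822274:table/tt-subjects"
TABLE_POLICY = {"Statement": [{"Sid": "SpecificTable", "Effect": "Allow",
    "Action": ["dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan"],
    "Resource": "arn:aws:dynamodb:*:*:table/tt-subjects"}]}
BOUNDARY_BEFORE = {"Statement": [{"Sid": "6", "Effect": "Allow", "Resource": ["*"],
    "Action": ["ec2:Describe*", "lambda:ListFunctions", "logs:PutLogEvents"]}]}
BOUNDARY_AFTER = {"Statement": [{"Sid": "6", "Effect": "Allow", "Resource": ["*"],
    "Action": BOUNDARY_BEFORE["Statement"][0]["Action"] + ["dynamodb:Scan", "dynamodb:Get*"]}]}
```

Calling is_authorized([DOCS_POLICY], "lambda:InvokeFunction", FN_ARN) returns False while the FIXED_POLICY variant returns True, and the same Scan request on TABLE_POLICY flips from False to True once BOUNDARY_BEFORE is replaced by BOUNDARY_AFTER.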

User is not authorized to perform: iam:CreatePolicy on resource: policy AWSLambdaBasicExecutionRole?

Logged in as an IAM user and trying to create a Lambda function, but seeing the error below. What is missing here?
User: arn:aws:iam::123334324324234:user/abx.dsd#rr.com is not authorized to perform: iam:CreatePolicy on resource: policy AWSLambdaBasicExecutionRole-e3e28520-4b65-439e-a006-24de73479562
When you create an AWS Lambda in the AWS Console, a few things are done in the background by AWS. One such thing is creating a role/policy for your Lambda automatically.
To do so, your user (arn:aws:iam::123334324324234:user/abx.dsd#rr.com) needs the iam:CreatePolicy permission.
This is something an account administrator can fix for you.
Adding iam:CreateRole is not enough; you also need to add several other permissions to the user, something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    }
  ]
}
Note: I am not sure that all these policies are required.

Assigned function policy to lambda which allows all CloudWatch Events rule to invoke lambda?

I used the above CLI command but got an error in the console; please find the attached screenshot of the error.
Please find below the function policy of the Lambda:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "events-access",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:096280016729:function:leto_debug_log",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:096280016729:rule/*"
        }
      }
    }
  ]
}
I followed the answer from the below link but still got an error:
Allow all cloudwatch event rules to have access to lambda function
Perhaps a clue to this is that a CloudWatch Events rule name of * does not appear to be valid. For example, if you try to delete this rule in the AWS Lambda console area, you will get an error like this in the trigger UI area:
It would be nice if this approach was formally supported in some way, but I don't think it is. idk

CloudFormation - Unable to import lambda arn in DefinitionString for StepFunctions StateMachine

I am creating Step Functions which reference a Lambda function created in a separate CloudFormation stack.
I exported the Lambda ARN as a CloudFormation export.
I would like to reference that Lambda function from the Step Functions by importing the exported value.
Here is my CloudFormation snippet.
StepFunction:
  Type: 'AWS::StepFunctions::StateMachine'
  Properties:
    RoleArn: !GetAtt IamRole.Arn
    DefinitionString:
      Fn::Sub:
        - |-
          {
            "StartAt": "MessageGenerator",
            "States": {
              "MessageGenerator": {
                "Comment": "generate queue message.",
                "Type": "Task",
                "Resource": "${LambdaMessageGenerator}",
                "ResultPath": "$",
                "OutputPath": "$",
                "Next": "WaitSeconds"
              },
              ...
            }
          }
        - LambdaMessageGenerator:
            Fn::ImportValue: some-export-name
I made this by following the answer below.
Cloudformation - Unable to Import resource
However, the aws cloudformation deploy command failed and I got the following error.
Invalid State Machine Definition: 'SCHEMA_VALIDATION_FAILED: Value is not a valid resource ARN at /States/MessageGenerator/Resource' (Service: AWSStepFunctions; Status Code: 400; Error Code: InvalidDefinition; Request ID: 01713d53-4605-11e9-9cf3-c15ff9ce09ae)
Could someone please help me?
Try using this line:
"Resource": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${LambdaFunctionName}"
In this case you only have to pass the name of the lambda function.
Why don't you just use the short form of the ImportValue function?
DefinitionString:
  Fn::Sub:
    - |-
      {
        "StartAt": "MessageGenerator",
        "States": {
          "MessageGenerator": {
            "Comment": "generate queue message.",
            "Type": "Task",
            "Resource": "${LambdaMessageGenerator}",
            "ResultPath": "$",
            "OutputPath": "$",
            "Next": "WaitSeconds"
          },
          ...
        }
      }
    - LambdaMessageGenerator: !ImportValue some-export-name

Using AWS lambda function to call lex chat bot

I am trying to use boto3 from within an AWS Lambda function in order to do post_text to a Lex chat bot.
Python code:
import boto3

# Lex runtime client; botName and botAlias are placeholders in this question
client = boto3.client('lex-runtime')
data = "string input"
response = client.post_text(
    botName='xxx',
    botAlias='yyy',
    userId='id',
    inputText=data)
but I get:
An error occurred (AccessDeniedException) when calling the PostText operation: User: arn:aws:sts::111111111:assumed-role/functionName/functionName is not authorized to perform: lex:PostText on resource: arn:aws:lex:us-east-1:111111111:bot:xxx:yyyy"
So I set up an IAM role and policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lex:PostText"
      ],
      "Resource": [
        "arn:aws:lex:us-east-1:111111111:bot:xxx:yyyy"
      ]
    }
  ]
}
Trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But it still doesn't work and I get the same error.
I experienced the same issue recently.
It is most certainly related to the permissions assigned to the IAM role that you're using when running the Lambda function.
The easiest way to resolve this is below:
Open the Lambda function in the AWS Console.
Scroll down to the "Execution role" section.
Click the link under the role to view the role in a new window. It should look something like this: "View the role".
In the new window, under the Permissions tab, click on "Attach policies".
This takes you to a new screen. On this screen, filter the listed policies by typing "lex" in the input field.
The filtered list will contain a policy called "AmazonLexRunBotsOnly".
Attach this policy to your role.
Save the changes and make your way back to your Lambda function.
Save the Lambda function and retest.
This will resolve your issue.