Open monasserymcp opened 1 week ago
Update: I fixed this issue by updating the policy as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:GetAlias",
        "lambda:GetFunctionConfiguration",
        "lambda:PublishVersion",
        "lambda:UpdateFunctionConfiguration",
        "lambda:CreateAlias",
        "lambda:UpdateAlias"
      ],
      "Resource": [
        "arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxx",
        "arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxx:*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
Seems like there are aliases or versions created based on the ARN of my Lambda function, so the wildcard `*` covers all of them.
hi @monasserymcp 👋 thanks for sharing!
That makes sense and we should probably update the `Resource` documentation to clarify this.

Currently, it says:

> The `Resource` used in IAM policies; it's `*` by default but you could restrict it to a prefix or a specific function ARN.

In practice, you can't use just a function ARN. The description could say something like this:

> The `Resource` used in IAM policies; it's `*` by default but you could restrict it to a prefix or a specific function. In case of a specific function, make sure to include its versions/aliases as well with a wildcard.
Would that make sense to you?
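To make the point in the corrected policy and in the reply above concrete, here is an added example (not code from this thread or from the power tuning project) that evaluates IAM-style `Resource` patterns against the qualified ARNs the tool actually calls. It uses a hypothetical function name and placeholder account/region values, and it also shows that a prefix pattern (`...:function:my-fn*`) covers versions and aliases just as `:*` does.

```python
import re

# Constructed example: the corrected policy from this thread, using a
# hypothetical function name and placeholder account/region values.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-fn"
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:GetAlias", "lambda:GetFunctionConfiguration",
                   "lambda:PublishVersion", "lambda:UpdateFunctionConfiguration",
                   "lambda:CreateAlias", "lambda:UpdateAlias"],
        "Resource": [FUNCTION_ARN, FUNCTION_ARN + ":*"],
    }],
}
# The original (failing) policy listed only the unqualified function ARN.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    dict(FIXED_POLICY["Statement"][0], Resource=[FUNCTION_ARN])]}

def iam_pattern_matches(pattern, value):
    """IAM-style glob, anchored to the whole string: '*' matches any run of
    characters (including ':' and '/'), '?' matches exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn`.
    Only Allow statements are evaluated (no Deny, Condition or NotAction),
    which is all the thread's AccessDeniedException involves."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(iam_pattern_matches(a, action) for a in actions) and \
                any(iam_pattern_matches(r, resource_arn) for r in resources):
            return True
    return False

def qualified_arns(function_arn, qualifiers=("$LATEST", "1", "prod")):
    """The ARNs power tuning calls: $LATEST, a published version and an alias."""
    return [function_arn] + [f"{function_arn}:{q}" for q in qualifiers]
```

Run `is_allowed(BROKEN_POLICY, "lambda:GetFunctionConfiguration", FUNCTION_ARN + ":$LATEST")` to reproduce the denial from the issue; the same call against `FIXED_POLICY` succeeds.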
Yes, perfect.
After deploying the AWS power tuning in my account and trying to execute it, the Initializer step fails with the following error:
```
"cause": { "errorType": "AccessDeniedException", "errorMessage": "User: arn:aws:sts::xxxxxxx:assumed-role/serverlessrepo-aws-lambda-power-tun-initializerRole-l576tllQUOWO/serverlessrepo-aws-lambda-power-tuning-initializer-6adFhGV4OkoV is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:xxxx xxxxx:function:xxxx:$LATEST because no identity-based policy allows the lambda:GetFunctionConfiguration action", "trace": [ "AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/serverlessrepo-aws-lambda-power-tun-initializerRole-l576tllQUOWO/serverlessrepo-aws-lambda-power-tuning-initializer-6adFhGV4OkoV is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxxx:$LATEST because no identity-based policy allows the lambda:GetFunctionConfiguration action",
```

Deployment parameters:

```
{ lambdaResource:"arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxxx", securityGroupIds:"sg-xxxxxxxxxxx", subnetIds:"subnet-xxxxxxxxxxxxxxx" ...... rest are default values }
```

Execution input:

```json
{ "lambdaARN": "arn:aws:lambda:xxxxxx:xxxxxxxx:function:xxxxxxx", "powerValues": [ 128, 256, 512, 1024, 2048, 3008 ], "num": 10, "payload": "{}", "parallelInvocation": true, "strategy": "balanced" }
```