With the lambda resource described in the tutorial, terraform encounters the following error:
```
╷
│ Error: reading Lambda Function (HelloWorld) latest version: operation error Lambda: ListVersionsByFunction,
https response error StatusCode: 403, RequestID: 17d6bae4-1caa-47bb-8483-68d61e3e99fe, api error
AccessDeniedException: User: arn:aws:iam::339712767340:user/dboardman is not authorized to perform:
lambda:ListVersionsByFunction on resource: arn:aws:lambda:us-east-1:339712767340:function:HelloWorld because
no identity-based policy allows the lambda:ListVersionsByFunction action
```

This is not alleviated by any of the IAM policies you can attach to your Group or User. For instance, the `AWSLambda_FullAccess` contains the `lambda:*` permissions (all policy permissions). You still encounter the error.

I found a Stack Overflow thread that describes why this is the case.

Below is an addition that can be added to the example code (and hopefully the tutorial), that will correct this error.

```hcl
# Inline policy on the Lambda execution role that allows
# lambda:ListVersionsByFunction on this one function only.
resource "aws_iam_role_policy" "lambda_list_versions" {
  name = "lambda_list_versions"
  role = aws_iam_role.lambda_exec.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = "lambda:ListVersionsByFunction"
        Effect   = "Allow"
        Resource = aws_lambda_function.hello_world.arn
      }
    ]
  })
}
```

You can find this permission in IAM -> Roles -> `serverless_lambda`. You should see this `lambda_list_versions` permissions policy.
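
For triage, the denial text quoted in the issue already names the principal that was evaluated, the action, the resource, and the kind of policy involved. The following is an added example (not part of the issue or the tutorial's code) that parses those fields out of Terraform's wrapped output. The function name and the rewrapped sample are constructed here, and the message shape is assumed to match the one quoted above.

```python
import re

# Constructed from the error text quoted in the issue: same principal, action
# and resource, rewrapped with Terraform's "│" gutter, RequestID omitted.
SAMPLE = """\
│ Error: reading Lambda Function (HelloWorld) latest version: operation error
│ Lambda: ListVersionsByFunction, https response error StatusCode: 403, api error
│ AccessDeniedException: User: arn:aws:iam::339712767340:user/dboardman is not
│ authorized to perform: lambda:ListVersionsByFunction on resource:
│ arn:aws:lambda:us-east-1:339712767340:function:HelloWorld because no
│ identity-based policy allows the lambda:ListVersionsByFunction action
"""

DENIAL = re.compile(
    r"User: (?P<principal>arn:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: because no (?P<implicit>[\w -]+? policy) allows"
    r"| with an explicit deny in an? (?P<explicit>[\w -]+? policy))?"
)


def parse_denial(message):
    """Return the fields of an IAM access-denied message, or None if absent."""
    # Drop Terraform's box-drawing gutter and undo the terminal line wrapping.
    text = " ".join(re.sub(r"[│╷╵]", " ", message).split())
    m = DENIAL.search(text)
    if m is None:
        return None
    # ARN layout: arn:partition:service:region:account:resource
    _, _, _, _, account, resource = m["principal"].split(":", 5)
    return {
        "principal": m["principal"],
        "principal_type": resource.split("/", 1)[0],  # user, role, assumed-role
        "account": account,
        "action": m["action"],
        "resource": m["resource"],
        # implicit: no Allow statement matched; explicit: a Deny statement matched
        "decision": "implicit" if m["implicit"] else "explicit" if m["explicit"] else None,
        "policy_type": m["implicit"] or m["explicit"],
    }


if __name__ == "__main__":
    for key, value in parse_denial(SAMPLE).items():
        print(f"{key:15} {value}")
```

The `principal` and `policy_type` fields show which identity's policies were evaluated for the denied call and which policy layer produced the denial.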