Generate IAM permissions for invoking lambda from lambda

aarbrown · September 20, 2016, 12:21am

Hello,

I am very new to the Serverless framework. I tried to invoke a lambda function created in the serverless framework from another serverless framework lambda function (using the aws sdk) and I received an error along the lines of “… is not authorized to perform: lambda:InvokeFunction on resource: …”.

It seems like this is something I’d setup in the serverless.yml file, but I’m just not sure what I should be doing.

Any help is much appreciated.

Adrian · September 20, 2016, 12:35am

I just ran into something similar with api-gateway to lambda to dynamodb. So I went into my AWS console and found the role serverless created (in the IAM console) and attached an admin policy to it (just for testing purposes) and cleared it up.
I too would think this could be configurable but haven’t quite figured it out. Still finding my way around as well. Examples would be great.

rowanu · September 20, 2016, 3:11am

Just watch out with that Adrian, as you might have issues/errors when removing the service that you’ve modified manually since resources are managed by CloudFormation in the background.

Ideally you would give you functions more IAM permissions. Here’s what I have to allow my functions to call each other:

provider:
  ...
  iamRoleStatements:
    - Effect: Allow
      Action:
        - lambda:InvokeFunction
        - lambda:InvokeAsync
      Resource: "*"

This way the permissions are managed by CFN, and will be cleaned-up for you (and in the right order) so you don’t get any surprises.

aarbrown · September 20, 2016, 12:59pm

Thank you @rowanu! That worked beautifully. I am very quickly learning that I need to learn a lot more about CFN in order to get the most out of this framework (and AWS, frankly)

Adrian · September 20, 2016, 10:51pm

I agree. I had not seen the lambda yaml for working with DynamoDB, when I tried some I did find out on the web I was having no luck. So thanks, I’ll refactor.

Is there a good place in the docs to see these examples? Or am I missing it?

Adrian · September 20, 2016, 10:54pm

NM … I found this https://serverless.com/blog/serverless-v1-0-beta-release-2/
Sorry, getting there slowly.
Works great.

mattdamon108 · January 24, 2019, 5:53am

Thanks! Works like charms.

HarryCaveMan · January 8, 2020, 5:37pm

using Resource: "*" in your policies often represents a security risk. You should probably use something more granular and specify a sourceArn specific to the lambda you would like to be allowed to invoke.

kilgarenone · May 29, 2020, 6:35am

I would like to avoid doing Resource: "*", but I have no idea how to write out the granular role/resource in Cloudformation syntax in my serverless.yml…

Topic		Replies	Views
Granting access for one function to use another Serverless Framework	3	2461	June 3, 2017
Per-function IAM permissions? Serverless Framework aws	3	1611	October 12, 2016
How it works iamRoleStatements configuration section? Serverless Framework aws	6	24573	November 19, 2019
Get Lambda Arn into Type: AWS::Lambda::Permission Serverless Framework	2	1046	December 6, 2019
IAM permissions boundary support Serverless Framework aws , security , cloudformation , iam	3	4863	August 30, 2020

Generate IAM permissions for invoking lambda from lambda

Related Topics