A really strange bug that has me floored! 🤦🏽‍♂️ (permissions with "assumed role"?)

So I’ve been trying to crack open this bug for the past ~6 hours or so. Extremely frustrated and confused. Sorry I can’t add all the images right in this post due to being a new user.

When I run the function using sls invoke local:


Everything runs fine. The files upload to S3, data is added to the appropriate DynamoDB table, and a certificate is created within IOT.

Now let’s try invoking that same function using sls invoke:

[screenshot]

Nothing happens. Nothing shows up in S3, DynamoDB, or IOT.

Now, I’ve tried everything.

What’s really strange to me is that I have a user called “assumed-role” which initially had one permission (assuming other users’ roles via “sts:AssumeRole”). But since this bug, I expanded the permissions to everything. Still getting the error with this policy too:

[screenshot]

Now I’m not even sure why the “assumed-role” user is coming into this error at all, since according to Lambda, the execution role is the execution role which serverless creates for us:

[screenshot]

Even if I try executing the function from within the AWS Lambda console, I get the same strange error.

The permissions allow for all “iot:*” actions to be allowed (and we know this policy should work since the local function is being invoked)

Can anyone please help me here? I’ve literally tried everything.

Edit: I mean I’ve deleted my assume-role user from the IAM console, and even then, still getting the same error. SOS.

Edit 2: OK, I think I’m getting this. Since Lambda has permissions for stuff, how do I make it so that the assumed version of Lambda has permissions to these actions?

BTW for the “assumed-role” user I followed the following steps via the aws-cli in order to do some local testing: aws-cli fails to acquire session token before issuing sts:AssumeRole call · Issue #2279 · aws/aws-cli · GitHub

But I don’t think that has anything to do with it.

The Lambda execution role does have complete “iot:*” access:
[screenshot]

Lambda is even a trusted relationship.

Really confused by this :frowning:

The logs you show in your first screenshot show a lot more than just IoT actions going on - do you know that your function has all the required permissions (e.g. to access S3, the DB, ACM, etc)?

You haven’t mentioned or shown CloudWatch Logs in any of your details - have you checked the function’s log output to see exactly where the permission error is being hit?
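Two things from the thread above are worth making concrete. First, `sls invoke local` runs the handler on your machine with whatever credentials your local AWS profile holds, while `sls invoke` (and the Lambda console) runs the deployed function under temporary STS credentials obtained by assuming the execution role; those credentials identify themselves as `arn:aws:sts::<account>:assumed-role/<role-name>/<function-name>`. The `assumed-role` segment in that ARN is the standard STS naming for any role session, not a reference to an IAM user that happens to be called “assumed-role”. Second, the fastest way to find the real gap is to read the IAM AccessDenied messages in the function’s CloudWatch log stream, which name the principal, the action and the resource. The script below is an added example (not code from the original poster or the Serverless project) that parses such messages out of log lines and groups the denied actions per principal; the log lines, account id, role and function names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the standard IAM AccessDenied message:
# "User: <principal ARN> is not authorized to perform: <service:Action> on resource: <ARN or *>"
ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

# STS session ARN that a Lambda function executes under:
# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
# For Lambda the session name is the function name.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)

# Constructed CloudWatch-style log lines (placeholder account id, names and request ids).
SAMPLE_LOG = [
    "START RequestId: 11111111-2222-3333-4444-555555555555 Version: $LATEST",
    "2019-08-14T10:22:31.117Z\t11111111-2222-3333-4444-555555555555\tERROR\tAccessDeniedException: "
    "User: arn:aws:sts::123456789012:assumed-role/my-service-dev-us-east-1-lambdaRole/my-service-dev-createDevice "
    "is not authorized to perform: iot:CreateKeysAndCertificate on resource: *",
    "2019-08-14T10:22:31.402Z\t11111111-2222-3333-4444-555555555555\tERROR\tAccessDenied: "
    "User: arn:aws:sts::123456789012:assumed-role/my-service-dev-us-east-1-lambdaRole/my-service-dev-createDevice "
    "is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::example-bucket/certs/device.pem",
    # A denial hit while running locally under a long-lived IAM user, for contrast.
    "AccessDeniedException: User: arn:aws:iam::123456789012:user/assumed-role "
    "is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:123456789012:table/devices",
    "END RequestId: 11111111-2222-3333-4444-555555555555",
]


@dataclass
class DeniedCall:
    principal: str             # full principal ARN from the message
    action: str                # e.g. "iot:CreateKeysAndCertificate"
    resource: Optional[str]    # resource ARN or "*", if present
    role_name: Optional[str]   # role behind an assumed-role session, else None
    session_name: Optional[str]  # session name (the function name for Lambda), else None


def parse_access_denied(line: str) -> Optional[DeniedCall]:
    """Extract principal/action/resource from one log line, or None if it is not a denial."""
    m = ACCESS_DENIED_RE.search(line)
    if not m:
        return None
    principal = m.group("principal")
    role = session = None
    ar = ASSUMED_ROLE_RE.match(principal)
    if ar:
        role, session = ar.group("role"), ar.group("session")
    return DeniedCall(principal, m.group("action"), m.group("resource"), role, session)


def is_lambda_session(call: DeniedCall, function_name: str) -> bool:
    """True when the denial came from the deployed function's own role session."""
    return call.role_name is not None and call.session_name == function_name


def summarize(log_lines: List[str]) -> Dict[str, List[str]]:
    """Group denied actions per principal.

    Assumed-role sessions are keyed as "role:<role-name>" so that every invocation
    of the same function collapses onto the execution role that needs fixing;
    other principals are keyed by their full ARN.
    """
    seen: Dict[str, set] = {}
    for line in log_lines:
        call = parse_access_denied(line)
        if call is None:
            continue
        label = f"role:{call.role_name}" if call.role_name else call.principal
        seen.setdefault(label, set()).add(call.action)
    return {label: sorted(actions) for label, actions in seen.items()}


if __name__ == "__main__":
    for label, actions in summarize(SAMPLE_LOG).items():
        print(f"{label} is missing: {', '.join(actions)}")
```

Point the script at a real stream (for example the output of `aws logs filter-log-events --log-group-name /aws/lambda/<function> --filter-pattern "not authorized"`) and the `role:` entries tell you which actions the execution role’s policy must still grant; anything keyed by an `arn:aws:iam::…:user/` ARN was denied to a local credential, not to Lambda, and is a separate problem.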