Granting access for one function to use another

Hi all,

I know this is probably a basic question, but I couldn’t find it in the docs, and it seems so fundamental.

When I try to invoke one function from another, I get a permission denied error.

Function:

          var invocationParams = {
               FunctionName: '<function-name>',
               InvocationType: 'RequestResponse',
               LogType: 'Tail',
               Payload: <some-data>
          };

     lambda.invoke(invocationParams, function(err, data) {
          if (err) {
              context.fail(err);
          } else {
              context.succeed('Success '+ data.Payload);
          }
     })

Error:

"errorMessage": "User: arn:aws:sts::<lots-of-stuff> is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:<more-stuff>",
"errorType": "AccessDeniedException",

I assume this is something that needs to go in my serverless.yml file, but…what and where? I’m a noob to serverless and cloudformation so I’m a bit lost in the AWS docs.

Any help would be greatly appreciated

Thanks
Justin

In case anyone else has this question later, or if anyone has improvement suggestions ("*" probably isn’t exactly secure), this is how I solved the problem:

provider:
  name: aws
  runtime: nodejs4.3
  iamRoleStatements: # permissions for all of your functions can be set here
    - Effect: Allow
      Action: # Gives permission to Lambda Invoke 
        - lambda:InvokeFunction
      Resource: "*"

You probably want to replace Resource: "*" with just the Lambda functions you want to allow executed. That follows the principle of least privilege which could save you in the event that something goes wrong.

Hey, where is lambda defined at? I’m trying to figure out how to do this.