Granting access for one function to use another

Hi all,

I know this is probably a basic question, but I couldn’t find it in the docs, and it seems so fundamental.

When I try to invoke one function from another, I get a permission denied error.

Function:

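    // AWS SDK client used below (the SDK ships with the Lambda Node.js runtime)
    var AWS = require('aws-sdk');
    var lambda = new AWS.Lambda();

    var invocationParams = {
        FunctionName: '<function-name>',
        InvocationType: 'RequestResponse', // synchronous call: wait for the result
        LogType: 'Tail',
        Payload: <some-data>
    };

    lambda.invoke(invocationParams, function(err, data) {
        if (err) {
            context.fail(err);
        } else {
            context.succeed('Success ' + data.Payload);
        }
    });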

Error:

"errorMessage": "User: arn:aws:sts::<lots-of-stuff> is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:<more-stuff>",
"errorType": "AccessDeniedException",

I assume this is something that needs to go in my serverless.yml file, but…what and where? I’m a noob to Serverless and CloudFormation so I’m a bit lost in the AWS docs.

Any help would be greatly appreciated.

Thanks
Justin

In case anyone else has this question later, or if anyone has improvement suggestions ("*" probably isn’t exactly secure), this is how I solved the problem:

    provider:
      name: aws
      runtime: nodejs4.3
      iamRoleStatements: # permissions for all of your functions can be set here
        - Effect: Allow
          Action: # Gives permission to Lambda Invoke
            - lambda:InvokeFunction
          Resource: "*"

2 Likes

You probably want to replace Resource: "*" with just the Lambda functions you want to allow to be executed. That follows the principle of least privilege, which could save you in the event that something goes wrong.

1 Like
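
A check for the least-privilege point above, as an added example (not part of the thread and not Serverless Framework code): it takes the parsed `provider.iamRoleStatements` array and reports every `lambda:InvokeFunction` grant whose `Resource` would also match a function nobody listed. The helper names are hypothetical, and the account ID and function name in the sample are constructed placeholders.

```javascript
// Added example (not from the thread): audit parsed provider.iamRoleStatements
// for lambda:InvokeFunction grants that cover every function.
const toList = (v) => (Array.isArray(v) ? v : [v]);

// IAM-style glob: * matches any run of characters, ? matches one character.
function globMatch(pattern, value, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const source = '^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(source, flags).test(value);
}

// Build an ARN for a function nobody listed, reusing the pattern's own
// partition/service/region/account, and see whether the pattern matches it.
function coversUnlistedFunction(resource) {
  const head = resource.split(':').slice(0, 5);
  while (head.length < 5) head.push('x');
  const probe = head.map((s) => s.replace(/[*?]/g, 'x'))
    .concat('function', '__unlisted__').join(':');
  return globMatch(resource, probe);
}

function findBroadInvokeGrants(statements) {
  const findings = [];
  statements.forEach((stmt, index) => {
    if (stmt.Effect !== 'Allow' || !stmt.Action || !stmt.Resource) return;
    // IAM action names are case-insensitive, so "lambda:*" and "*" count too.
    const grantsInvoke = toList(stmt.Action)
      .some((a) => globMatch(a, 'lambda:InvokeFunction', 'i'));
    if (!grantsInvoke) return;
    for (const resource of toList(stmt.Resource)) {
      // Intrinsics such as Fn::Join are objects and cannot be evaluated here.
      if (typeof resource === 'string' && coversUnlistedFunction(resource)) {
        findings.push({ index, resource });
      }
    }
  });
  return findings;
}

// Constructed sample: the statement from the thread, then a scoped one.
// The account ID and function name are placeholders.
const sampleStatements = [
  { Effect: 'Allow', Action: ['lambda:InvokeFunction'], Resource: '*' },
  { Effect: 'Allow', Action: ['lambda:InvokeFunction'],
    Resource: 'arn:aws:lambda:us-east-1:123456789012:function:my-service-dev-worker' },
];

console.log(findBroadInvokeGrants(sampleStatements));
```

Only the first sample statement is reported. A `Resource` that names one function, or a prefix such as `my-service-dev-*`, passes the check.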

Hey, where is lambda defined at? I’m trying to figure out how to do this.