AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

The AWSLambdaExecute and AWSLambdaBasicExecutionRole do not provide the permissions that are being expressed in the error. Both of these managed policies are designed to be attached to your Lambda function itself, so it runs with these policies.

The error is saying the user under which the nodejs program is running does not have rights to start the Lambda function.

You need to give your IAM user the lambda:InvokeFunction permission:

  1. Find your User in the IAM Management Console and click it.
  2. On the "Permissions" tab, expand the "Inline Policies" section and click the "click here" link to add a policy".
  3. Select a "Custom Policy".
  4. Give your policy a name. It can be anything.
  5. Put this policy in the Policy Document field.

Sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1464440182000",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeAsync",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

In this policy, I have included both methods to invoke lambda methods.

Update:

There is now also an IAM Managed Policy named AWSLambdaRole that you can assign to your IAM user or IAM role. This should give you the permissions you need.


I'm using Serverless framework, and I had to also add arn:aws:lambda as a resource in my serverless.yml in order to use lambda.invoke.

 iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - lambda:InvokeFunction # Added this like mentioned above
      Resource:
        - arn:aws:dynamodb:us-east-1:*:*
        - arn:aws:lambda:us-east-1:*:* # Had to add this too

This solution worked for me:

  1. Attaching AWSKeyManagementServicePowerUser policy from the policy list (without that I got an error on "iam:listRole")

  2. Adding lambda:ListFunctions to the custom policy defined by @Matt Houser

    { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1464440182000", "Effect": "Allow", "Action": [ "lambda:InvokeAsync", "lambda:InvokeFunction", "lambda:ListFunctions" ], "Resource": [ "*" ] } ] }

Tags:

Amazon Web Services

Amazon Iam

Aws Lambda

Recent Posts