If you find yourself with an issue that the API Gateway cannot invoke your lambda due to an access denied issue:
AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/xxxxxx-EDS-API-Gateway-TaskDef-use1-PreProduction/b8884262-4cdd-4ee1-84a7-7676d1d5b914 is not authorized to perform: lambda:InvokeFunction on resource: YOUR_LAMBDA_ARN status code: 403, request id: 3e61d932-968e-4d15-b84e-b3eb61f0a30b
You can add a permission to your Lambda that will allow cross acount access:
LambdaInvokePermissionPreProd:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: YOUR_LAMBDA_ARN HERE
Principal: AN_ACCOUNT_ID_HERE
LambdaInvokePermissionProd:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: YOUR_LAMBDA_ARN HERE
Principal: ANOTHER_ACCOUNT_ID_HEREThis is actually adds a function policy to your lambda which controls who can access your lambda. This is not to be confused with the Lambda role in which the lambda executes, ie the execution policy which only controls what the lambda itself can or can not access.
Actually it might be easier to see the whole file, right?
# Welcome to Serverless!
#
# This file is the main config file for your service.
# It's very minimal at this point and uses default values.
# You can always add more config options for more control.
# We've included some commented out config examples here.
# Just uncomment any of them to get that config option.
#
# For full config options, check the docs:
# docs.serverless.com
#
# Happy Coding!
# Trigger
service: MyService
package:
individually: true
provider:
name: aws
region: \({file(config/config.yml):region}
role: LambdaRole
vpc:
securityGroupIds:
- Ref: LambdaSecurityGroup
subnetIds: \){file(config/config.yml):subnetIds}
functions:
NotifyPW:
handler: Lambda::MyService.Functions::Get
runtime: dotnetcore2.0
package:
artifact: 'artifact-Deploy.zip'
events:
- http:
path: get
method: get
environment:
ENVIRONMENT: '\({file(config/config.yml):shortenvironment}'
resources:
Resources:
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: 204992-MyService-\){file(config/config.yml):shortenvironment}
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: [lambda.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
Policies:
- PolicyName: 204992-MyService-\({file(config/config.yml):shortenvironment}-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- "sqs:*Queue*"
- "sqs:*Message*"
Resource:
- "arn:aws:sqs:us-east-1:*"
Effect: Allow
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- logs:DescribeLogStreams
Resource:
- arn:aws:logs:*:*:*
Effect: Allow
- Action:
- "sqs:SendMessage"
- "sqs:ReceiveMessage"
Resource:
- "arn:aws:sqs:us-east-1:*:*"
Effect: Allow
- Action:
- 'ec2:CreateNetworkInterface'
- 'ec2:DescribeNetworkInterfaces'
- 'ec2:DeleteNetworkInterface'
Resource: '*'
Effect: Allow
- Action:
- 'events:*Rule*'
Resource: '*'
Effect: Allow
- Action:
- 'lambda:InvokeFunction'
Resource: '*'
Effect: Allow
LambdaSecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: '204992 MyService Security Group'
VpcId: \){file(config/config.yml):vpcId}
LambdaInvokePermissionEdpPreProd:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: YOUR_LAMBDA_ARN
Principal: AN_ACCOUNT_ID_HERE
LambdaInvokePermissionEdpProd:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: YOUR_LAMBDA_ARN
Principal: ANOTHER_ACCOUNT_ID_HERE