'AWS IAM Lambda "is not authorized to perform: lambda:GetFunction"

When I have my IAM Policy for my lambda execution role set to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

I get this error:

[AccessDeniedException: User:
arn:aws:sts::xxx:assumed-role/supercoolsoftware-dev-us-west-2-lambdaRole/supercoolsoftware-dev-addEmail
is not authorized to perform: 
lambda:GetFunction on resource:
arn:aws:lambda:us-west-2:xxx:function:supercoolsoftware-dev-dailyEmail]

However, when I set the policy to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

The error is gone... What else do I need to add?



Solution 1:[1]

Figured it out. Apparently the SDK uses "lambda:GetFunctionConfiguration" as well. Once I included that it all worked.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

Solution 2:[2]

For anyone getting this error after the alexa.design/cli tutorial,

ASK_CLI_USER is not authorized to perform: lambda:GetFunction on resource

The issue for me was not "lambda:GetFunctionConfiguration" but instead the Resource line below it due to the "ask-" prefix:

"Resource": "arn:aws:lambda:*:*:function:ask-*"

Changing it to this solved my issue:

"Resource": "arn:aws:lambda:*:*:function:*"

Solution 3:[3]

Post 2022

The solution is as CamHart said, but there is a twist.

They apparently renamed these permissions. You must now use lambda:InvokeFunction and lambda:InvokeFunctionConfiguration instead of lambda:GetFunction and lambda:GetFunctionConfiguration

Exemple

JSON

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:GetFunction",
      "lambda:GetFunctionConfiguration"
    ],
    "Resource": [
      "*"
    ]
  }
]

YAML

Statement:
- Effect: Allow
  Action:
  - lambda:InvokeFunction
  - lambda:InvokeFunctionConfiguration
  Resource: '*'

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 CamHart
Solution 2 ZachNag
Solution 3 AirOne