'AWS IAM Lambda "is not authorized to perform: lambda:GetFunction"

When I have my IAM Policy for my lambda execution role set to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

I get this error:

[AccessDeniedException: User:
arn:aws:sts::xxx:assumed-role/supercoolsoftware-dev-us-west-2-lambdaRole/supercoolsoftware-dev-addEmail
is not authorized to perform: 
lambda:GetFunction on resource:
arn:aws:lambda:us-west-2:xxx:function:supercoolsoftware-dev-dailyEmail]

However, when I set the policy to:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

The error is gone... What else do I need to add?

aws-lambdaamazon-iam


Solution 1:[1]

Figured it out. Apparently the SDK uses "lambda:GetFunctionConfiguration" as well. Once I included that it all worked.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

Solution 2:[2]

For anyone getting this error after the alexa.design/cli tutorial,

ASK_CLI_USER is not authorized to perform: lambda:GetFunction on resource

The issue for me was not "lambda:GetFunctionConfiguration" but instead the Resource line below it due to the "ask-" prefix:

"Resource": "arn:aws:lambda:*:*:function:ask-*"

Changing it to this solved my issue:

"Resource": "arn:aws:lambda:*:*:function:*"

Solution 3:[3]

Post 2022

The solution is as CamHart said, but there is a twist.

They apparently renamed these permissions. You must now use lambda:InvokeFunction and lambda:InvokeFunctionConfiguration instead of lambda:GetFunction and lambda:GetFunctionConfiguration

Exemple

JSON

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:GetFunction",
      "lambda:GetFunctionConfiguration"
    ],
    "Resource": [
      "*"
    ]
  }
]

YAML

Statement:
- Effect: Allow
  Action:
  - lambda:InvokeFunction
  - lambda:InvokeFunctionConfiguration
  Resource: '*'

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 CamHart
Solution 2 ZachNag
Solution 3 AirOne

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function