aws-lambda-power-tuning

Initializer step function is failing due to IAM error

Open monasserymcp opened this issue 1 year ago • 3 comments

After deploying the AWS power tuning in my account and trying to execute it, the Initializer step fails with the following error:

```
"cause": {
  "errorType": "AccessDeniedException",
  "errorMessage": "User: arn:aws:sts::xxxxxxx:assumed-role/serverlessrepo-aws-lambda-power-tun-initializerRole-l576tllQUOWO/serverlessrepo-aws-lambda-power-tuning-initializer-6adFhGV4OkoV is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:xxxx xxxxx:function:xxxx:$LATEST because no identity-based policy allows the lambda:GetFunctionConfiguration action",
  "trace": [
    "AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/serverlessrepo-aws-lambda-power-tun-initializerRole-l576tllQUOWO/serverlessrepo-aws-lambda-power-tuning-initializer-6adFhGV4OkoV is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxxx:$LATEST because no identity-based policy allows the lambda:GetFunctionConfiguration action",
```

I am deploying the app using AWS Serverless Application Repository (SAR).
While deploying, I passed the following parameters:

{ lambdaResource:"arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxxx", securityGroupIds:"sg-xxxxxxxxxxx", subnetIds:"subnet-xxxxxxxxxxxxxxx" ...... rest are default values }

Execution time Params 

```json
{
    "lambdaARN": "arn:aws:lambda:xxxxxx:xxxxxxxx:function:xxxxxxx",
    "powerValues": [ 128, 256, 512, 1024, 2048, 3008 ],
    "num": 10,
    "payload": "{}",
    "parallelInvocation": true,
    "strategy": "balanced"
}
```

I have verified that the required policies are attached to the Initializer lambda step function:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:PublishVersion",
                "lambda:UpdateFunctionConfiguration",
                "lambda:CreateAlias",
                "lambda:UpdateAlias"
            ],
            "Resource": "arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxx",
            "Effect": "Allow"
        }
    ]
}
```

Note:

Setting the Resource to "*" works fine, but what if I need to specify the least permission and apply the policy to the Lambda ARN only?



   

monasserymcp, Oct 01 '24 12:10
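
The denied resource in the error ends in `:$LATEST`, while the posted policy's `Resource` is the unqualified function ARN. The sketch below is an added example, not part of the issue or of the project's code. It models IAM's `*`/`?` resource matching to compare the posted policy with one scoped to the function and its qualifiers. The region, account ID, function name and the scoped `Resource` list are constructed assumptions, and the evaluator is a simplified model (Allow statements only, exact action names, no Deny or Condition).

```python
import re

# Constructed placeholders: region, account ID and function name are not from the issue.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:my-function"
ACTIONS = ["lambda:GetAlias", "lambda:GetFunctionConfiguration", "lambda:PublishVersion",
           "lambda:UpdateFunctionConfiguration", "lambda:CreateAlias", "lambda:UpdateAlias"]

# Resource shaped as in the posted policy: the unqualified function ARN.
AS_POSTED = [{"Effect": "Allow", "Action": ACTIONS, "Resource": FUNCTION_ARN}]
# Assumed scoping: the same function plus any version or alias qualifier of it.
SCOPED = [{"Effect": "Allow", "Action": ACTIONS,
           "Resource": [FUNCTION_ARN, FUNCTION_ARN + ":*"]}]

def resource_regex(pattern):
    """Translate an IAM Resource pattern ('*' = any run, '?' = one char) to a regex."""
    table = {"*": ".*", "?": "."}
    return re.compile("".join(table.get(ch, re.escape(ch)) for ch in pattern))

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(statements, action, resource_arn):
    """Simplified model: Allow statements, exact action names, no Deny or Condition."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or action not in as_list(stmt["Action"]):
            continue
        if any(resource_regex(p).fullmatch(resource_arn) for p in as_list(stmt["Resource"])):
            return True
    return False

def report(statements):
    """Evaluate the call from the error message against a policy."""
    action = "lambda:GetFunctionConfiguration"
    return {
        # The qualified ARN form named in the AccessDeniedException.
        "qualified": is_allowed(statements, action, FUNCTION_ARN + ":$LATEST"),
        "unqualified": is_allowed(statements, action, FUNCTION_ARN),
        # A different function whose name shares the prefix must stay out of scope.
        "other_function": is_allowed(statements, action, FUNCTION_ARN + "-2:$LATEST"),
    }

if __name__ == "__main__":
    print("as posted:", report(AS_POSTED))
    print("scoped:   ", report(SCOPED))
```
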