Initializer step function is failing due to IAM error #260

Open
monasserymcp opened this issue Oct 1, 2024 · 3 comments


monasserymcp commented Oct 1, 2024

After deploying AWS Lambda Power Tuning in my account and trying to execute it, the Initializer step fails with the following error:

```
"cause": { "errorType": "AccessDeniedException", "errorMessage": "User: arn:aws:sts::xxxxxxx:assumed-role/serverlessrepo-aws-lambda-power-tun-initializerRole-l576tllQUOWO/serverlessrepo-aws-lambda-power-tuning-initializer-6adFhGV4OkoV is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:xxxx xxxxx:function:xxxx:$LATEST because no identity-based policy allows the lambda:GetFunctionConfiguration action", "trace": [ "AccessDeniedException: User: arn:aws:sts::xxxx:assumed-role/serverlessrepo-aws-lambda-power-tun-initializerRole-l576tllQUOWO/serverlessrepo-aws-lambda-power-tuning-initializer-6adFhGV4OkoV is not authorized to perform: lambda:GetFunctionConfiguration on resource: arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxxx:$LATEST because no identity-based policy allows the lambda:GetFunctionConfiguration action",
```

I am deploying the app using the AWS Serverless Application Repository (SAR). While deploying, I passed the following parameters:

```
{
lambdaResource:"arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxxx",
securityGroupIds:"sg-xxxxxxxxxxx",
subnetIds:"subnet-xxxxxxxxxxxxxxx"
...... rest are default values
}
```

Execution-time params:

```json
{
  "lambdaARN": "arn:aws:lambda:xxxxxx:xxxxxxxx:function:xxxxxxx",
  "powerValues": [128, 256, 512, 1024, 2048, 3008],
  "num": 10,
  "payload": "{}",
  "parallelInvocation": true,
  "strategy": "balanced"
}
```

I have verified that the required policies are attached to the Initializer Lambda step function:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:PublishVersion",
                "lambda:UpdateFunctionConfiguration",
                "lambda:CreateAlias",
                "lambda:UpdateAlias"
            ],
            "Resource": "arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxx",
            "Effect": "Allow"
        }
    ]
}
```

Note: setting the Resource to `"*"` is working fine, but what if I need to specify the least permission and only apply the policy to the Lambda ARN?


monasserymcp commented Oct 2, 2024

Update: I fixed this issue by updating the policy as follows:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:GetAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:PublishVersion",
                "lambda:UpdateFunctionConfiguration",
                "lambda:CreateAlias",
                "lambda:UpdateAlias"
            ],
            "Resource": [
                "arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxx",
                "arn:aws:lambda:xxxxx:xxxxxxx:function:xxxxxxxx:*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

Seems like there are aliases or versions created based on the ARN of my Lambda function, so the wildcard `"*"` covers all of them.

alexcasalboni (Owner) commented:

hi @monasserymcp 👋 thanks for sharing!

That makes sense and we should probably update the Resource documentation to clarify this.

Currently, it says:

> The Resource used in IAM policies; it's * by default but you could restrict it to a prefix or a specific function ARN.

In practice, you can't use just a function ARN. The description could say something like this:

> The Resource used in IAM policies; it's * by default but you could restrict it to a prefix or a specific function. In case of a specific function, make sure to include its versions/aliases as well with a wildcard.

Would that make sense to you?
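Added example (not code from this issue or from the power-tuning project) modelling why the original single-ARN policy fails: IAM matches `Resource` patterns literally, with `*` spanning zero or more characters, so an unqualified function ARN never matches the `:$LATEST`, version, or alias ARNs the Initializer actually touches, while `<function-arn>:*` does without opening up other functions. The sample ARN and the statement shapes are constructed here; the action list is the one from the issue.

```python
import re


def iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource/Action pattern into an anchored regex.

    IAM semantics: '*' matches zero or more characters (it spans the
    colon-separated ARN segments, as in 'arn:aws:logs:*'), '?' matches
    exactly one character; everything else is literal, including '$'.
    """
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def statement_allows(statement: dict, action: str, arn: str) -> bool:
    """True if a single Allow statement grants `action` on `arn`.

    Simplified evaluator: no Deny handling, no conditions, no NotResource.
    """
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return (any(iam_pattern_to_regex(a).match(action) for a in actions)
            and any(iam_pattern_to_regex(r).match(arn) for r in resources))


def least_privilege_resources(function_arn: str) -> list:
    """The unqualified ARN plus ':*' for that function's versions and aliases."""
    return [function_arn, function_arn + ":*"]


def build_statement(function_arn: str, actions: list) -> dict:
    """Statement restricted to one function, including its versions/aliases."""
    return {"Action": list(actions),
            "Resource": least_privilege_resources(function_arn),
            "Effect": "Allow"}


# Constructed sample ARN (the issue redacts its real values).
FN = "arn:aws:lambda:us-east-1:123456789012:function:my-fn"
ACTIONS = ["lambda:GetAlias", "lambda:GetFunctionConfiguration",
           "lambda:PublishVersion", "lambda:UpdateFunctionConfiguration",
           "lambda:CreateAlias", "lambda:UpdateAlias"]

if __name__ == "__main__":
    before = {"Action": ACTIONS, "Resource": FN, "Effect": "Allow"}  # the failing policy shape
    after = build_statement(FN, ACTIONS)                              # the fixed policy shape
    for arn in (FN, FN + ":$LATEST", FN + ":prod", FN + "-other"):
        print(arn, statement_allows(before, "lambda:GetFunctionConfiguration", arn),
              statement_allows(after, "lambda:GetFunctionConfiguration", arn))
```

Note that a prefix pattern such as `...:function:my-fn*` also covers versions and aliases, but it additionally matches any other function whose name starts with `my-fn`, which is why the `:*` form is the tighter choice.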

monasserymcp (Author) commented:

Yes, Perfect
