Question:
I am trying to use aws cli to tag a lambda function. However, I keep getting the access denied error. I even tried to give the user admin access in IAM, and still it does not work. I guess something else has to be configured somewhere that currently overrides the policy
```shell
root@fd9f516869e1:~# aws lambda tag-resource --resource $FUNCTION_ARN --tags CURRENT_COMMIT=${CIRCLE_SHA1}

An error occurred (AccessDeniedException) when calling the TagResource operation: User:
```
The policy attached to the user is
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<sid>",
      "Effect": "Allow",
      "Action": [
        "tag:*",
        "lambda:ListTags",
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": [
        "<my lambda ARN>"
      ]
    }
  ]
}
```
Answer:
As noted in the documentation for Lambda API Permissions and AWS Services That Work with IAM, tag-related calls (ListTags, TagResources, UntagResources) can't be restricted to specific resources.

So access for tagging has to be granted for all Lambda functions. To get it working, you'd need to replace `<my lambda ARN>` in the policy above with `*`.
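The fix the answer describes, applied mechanically and with least privilege kept for the non-tagging actions: this is an added example, not code from the question or the answer. It splits any Allow statement that scopes the Lambda tag actions to a specific ARN into two statements, moving only the tag actions to `Resource: "*"` and leaving `lambda:GetFunction`, `lambda:UpdateFunctionCode` and `tag:*` on the original ARN. The sample policy and function ARN below are constructed; `split_tag_statements` and `TAG_ACTIONS` are names chosen here.

```python
import json

# Lambda tag calls that, per the answer above, cannot be scoped to one function ARN.
TAG_ACTIONS = {"lambda:ListTags", "lambda:TagResource", "lambda:UntagResource"}

# Constructed sample mirroring the policy from the question (ARN is a placeholder).
SAMPLE_FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DeployLambda",
        "Effect": "Allow",
        "Action": ["tag:*", "lambda:ListTags", "lambda:TagResource",
                   "lambda:UntagResource", "lambda:GetFunction",
                   "lambda:UpdateFunctionCode"],
        "Resource": [SAMPLE_FUNCTION_ARN],
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def split_tag_statements(policy):
    """Return a new policy document in which Lambda tag actions scoped to a
    specific resource are moved to their own statement on Resource "*", while
    every other action in that statement keeps its original, narrower resource."""
    fixed = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        tag_actions = sorted(a for a in actions if a in TAG_ACTIONS)
        # Leave Deny statements, statements without tag actions, and statements
        # that already grant them on "*" untouched.
        if stmt.get("Effect") != "Allow" or not tag_actions or "*" in resources:
            fixed["Statement"].append(stmt)
            continue
        other_actions = [a for a in actions if a not in TAG_ACTIONS]
        if other_actions:  # keep the non-tag actions on the original ARN
            fixed["Statement"].append({**stmt, "Action": other_actions})
        fixed["Statement"].append({
            "Sid": f"LambdaTagging{len(fixed['Statement'])}",
            "Effect": "Allow", "Action": tag_actions, "Resource": "*",
        })
    return fixed


if __name__ == "__main__":
    print(json.dumps(split_tag_statements(SAMPLE_POLICY), indent=2))
```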