Role Exception when a Step Function invokes a function embedded in a deployed SAM application


I am wondering if someone can assist here. I have created a Step Function which is invoking 3 Lambda functions, one of which is embedded in a SAM application. The calls to the non-SAM Lambdas work fine, but the call to the function embedded in a SAM app fails with this error:

User: arn:aws:sts::049597339122:assumed-role/StepFunctions-MyStateMachine-vaf8oae6r-role-3fb3les3x/eWpKrYmhweVgzetTtNxdOUlBmbtvWSsB is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:049597339122:function:aws-cloud9-USWestEnvironment-d2-HelloWorldFunction-Xi1bJn9QghrZ:$LATEST because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 166906b8-56c5-43a2-9e96-607cfbff98d1; Proxy: null)

which I cannot understand, as the IAM role associated with my state machine has the InvokeLambda permission - and in fact, I can successfully call the other 2 standalone Lambdas.

What am I missing? Kind regards, Marco

1

There are 1 answers

0
user1068378 On

OK, so my AWS Step Function role had 2 lambdaInvoke permissions, but they were set up specifically for the 'other 2 functions' I called. This was probably set up by AWS when I created my Step Function via the console. I incorrectly thought that because I could invoke those 2 Lambdas, I could also invoke a Lambda embedded in a SAM. Once I added the permission LambdaInvoke to my Step Function IAM, all worked fine. Apologies for bothering.
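
The cause described in this answer, as an added example that is not part of the original post or any AWS tooling: an offline check that lists the Lambda ARNs a state machine definition invokes but the role's identity policy does not cover. The account ID, function names, policy and definition are constructed, and Deny statements, conditions and NotAction/NotResource are not evaluated.

```python
import re

INVOKE = "lambda:InvokeFunction"
BASE = "arn:aws:lambda:us-west-2:111122223333:function:"  # constructed account ID
SAM_FN = "sam-app-HelloWorldFunction-EXAMPLE"             # constructed function name
# Constructed role policy: invoke is allowed, but only on two named functions.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["lambda:InvokeFunction"],
    "Resource": [BASE + "StandaloneA:*", BASE + "StandaloneB:*"]}]}

def _task(name, nxt=None):
    """Constructed Task state using the lambda:invoke service integration."""
    state = {"Type": "Task", "Resource": "arn:aws:states:::lambda:invoke",
             "Parameters": {"FunctionName": BASE + name + ":$LATEST"}}
    state.update({"Next": nxt} if nxt else {"End": True})
    return state

DEFINITION = {"StartAt": "A", "States": {
    "A": _task("StandaloneA", "B"), "B": _task("StandaloneB", "C"), "C": _task(SAM_FN)}}

def _match(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def lambda_targets(definition):
    """Function ARNs invoked by Task states (top-level States only)."""
    targets = []
    for state in definition["States"].values():
        if state.get("Type") != "Task":
            continue
        res = state.get("Resource", "")
        if res.startswith("arn:aws:states:::lambda:invoke"):
            res = state.get("Parameters", {}).get("FunctionName", "")
        if ":function:" in res:
            targets.append(res)
    return targets

def allowed(policy, arn):
    """True if an Allow statement grants lambda:InvokeFunction on this exact ARN."""
    for st in _as_list(policy["Statement"]):
        acts, ress = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if (st.get("Effect") == "Allow" and any(_match(r, arn) for r in ress)
                and any(_match(a, INVOKE, re.IGNORECASE) for a in acts)):
            return True
    return False

def uncovered(policy, definition):
    return [arn for arn in lambda_targets(definition) if not allowed(policy, arn)]
```

Adding a statement scoped to the reported ARN, rather than a wildcard resource, keeps the role as narrow as its two existing entries.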