Can't retrieve lambda policy for function created by SAM #307

Closed
jabalsad opened this issue Feb 19, 2018 · 7 comments

Comments

@jabalsad

Hi,

I have a simple Lambda function connected to API Gateway, similar to the swagger cors example.

I'm running into a similar issue as in #59 , so I'm trying to debug what is the problem with the AWS::Lambda::Permission.

However, when I run aws lambda get-policy --function-name <function-created-by-sam>, I get this response:

› aws lambda get-policy --function-name xxxxxx-URUCPO8SEL49
An error occurred (ResourceNotFoundException) when calling the GetPolicy operation: The resource you requested does not exist.

Querying any of my other Lambda functions, I get the expected policy in return. Not being able to query the policy makes this difficult to debug.

I do have the usual 2 permissions associated with the lambda function:
(screenshot omitted: stack_detail, showing the two permissions on the stack)

Using the same workaround as suggested in #59, I manage to get a hint to the nature of the problem. I added my own AWS::Lambda::Permission resource to the SAM template as follows:

  SomePermission:
    Type: AWS::Lambda::Permission
    DependsOn:
    - API
    - CreateUpload
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref SomeLambda
      Principal: apigateway.amazonaws.com

Now all of a sudden running get-policy gives me a response, and I am also able to successfully invoke the API. Seems like there is a problem with the AWS::Lambda::Permissions that are setup by SAM, and the only way to fix it is to create a third Permission.

For reference, here is what my template looks like:

AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Description: Lambda Functions

Globals:
  Function:
    Runtime: go1.x
    Timeout: 5 
    MemorySize: 512
    Tracing: Active
    AutoPublishAlias: live

Resources:
  API:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      DefinitionBody:
        Fn::Transform:
          Name: AWS::Include
          Parameters:
            Location: s3://mys3bucket/swagger.yaml

  IAMRole:
    Type: AWS::IAM::Role
    Properties: 
      AssumeRolePolicyDocument:
        Statement:
          - Action: ['sts:AssumeRole']
            Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess

  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: bin/some_function
      Role: !GetAtt IAMRole.Arn
      Events:
        SomeFunction:
          Type: Api
          Properties:
            RestApiId: !Ref API
            Path: /test
            Method: POST # NOTE: I am not using ANY like other people on related issue.
              
  SomePermission: # If I remove this, things break. Bug?
    Type: AWS::Lambda::Permission
    DependsOn:
    - API
    - CreateUpload
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref SomeFunction
      Principal: apigateway.amazonaws.com

@brettstack
Contributor

#449 should fix this. Please let me know if this is still a problem.

@haggaret

This appears to still be a problem. Lambda function created by SAM with no AWS::Lambda::Permission resource in the template - try to perform get_policy on the function and it fails.

@jlhood
Contributor

jlhood commented Apr 26, 2019

@haggaret We're not able to reproduce the issue you're describing. Can you provide a template that reproduces the issue you're seeing?

@keetonian
Contributor

Ran into this issue. I was able to get the policy for a function in us-east-1 but not in us-west-2

@keetonian
Contributor

Found my issue: I was using an alias but was running aws lambda get-policy --function-name <function-name> without the :<alias> portion at the end.
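keetonian's finding generalises: Lambda resource policies are attached per qualifier, and with AutoPublishAlias set (as in the first template above, `AutoPublishAlias: live`) SAM points the permission it generates for an Api event at the alias, so `get-policy` on the bare function name has nothing to return. The script below is an added example, not code from the SAM project or from anyone in this thread. It walks the unqualified name, every alias and every published version, then flags statements that grant a service principal invoke rights without an `aws:SourceArn`/`aws:SourceAccount` condition. boto3 and AWS credentials are only used when a function name is passed on the command line; `FakeLambdaClient`, `SAMPLE_POLICIES`, the account id, region and API id are constructed stand-ins.

```python
"""Audit a Lambda function's resource-based policy across every qualifier.

Added example, not code from the SAM project or anyone in this thread. boto3
and credentials are used only for the real-account path under __main__.
FakeLambdaClient and SAMPLE_POLICIES are constructed to mirror the issue after
the workaround (SAM's permission on the `live` alias, the hand-written
SomePermission on the bare function, version 1 with no policy); account id,
region and API id are made up.
"""
import json


def list_targets(client, function_name):
    """Unqualified name, then name:alias per alias, then name:version per version.
    (Marker/NextMarker pagination of the two list calls is omitted.)"""
    targets = [function_name]
    for alias in client.list_aliases(FunctionName=function_name).get("Aliases", []):
        targets.append(f"{function_name}:{alias['Name']}")
    for ver in client.list_versions_by_function(FunctionName=function_name).get("Versions", []):
        if ver["Version"] != "$LATEST":
            targets.append(f"{function_name}:{ver['Version']}")
    return targets


def fetch_policies(client, function_name):
    """Map each target to its parsed policy, or None when Lambda has none.
    GetPolicy is qualifier-specific: a permission created against an alias ARN
    lives on that alias, so the bare name can raise ResourceNotFoundException."""
    policies = {}
    for target in list_targets(client, function_name):
        try:
            policies[target] = json.loads(client.get_policy(FunctionName=target)["Policy"])
        except client.exceptions.ResourceNotFoundException:
            policies[target] = None
    return policies


def unscoped_statements(policy):
    """Sids of Allow statements granting a service principal (or "*") invoke
    rights with no aws:SourceArn / aws:SourceAccount condition: any resource of
    that service, in any AWS account, could then invoke (confused deputy)."""
    flagged = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        is_service = isinstance(principal, dict) and "Service" in principal
        if stmt.get("Effect") != "Allow" or not (is_service or principal == "*"):
            continue
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


class FakeLambdaClient:
    """Constructed stand-in for boto3.client("lambda") so the audit runs offline."""

    class exceptions:  # boto3 exposes modeled errors as client.exceptions.<Name>
        ResourceNotFoundException = type("ResourceNotFoundException", (Exception,), {})

    def __init__(self, policies):
        self._policies = policies  # qualified name -> policy dict

    def list_aliases(self, FunctionName):
        return {"Aliases": [{"Name": "live"}]}

    def list_versions_by_function(self, FunctionName):
        return {"Versions": [{"Version": "$LATEST"}, {"Version": "1"}]}

    def get_policy(self, FunctionName):
        if FunctionName not in self._policies:
            raise self.exceptions.ResourceNotFoundException("The resource you requested does not exist.")
        return {"Policy": json.dumps(self._policies[FunctionName])}


FUNCTION = "xxxxxx-URUCPO8SEL49"  # function name from the issue
ARN = f"arn:aws:lambda:us-east-1:123456789012:function:{FUNCTION}"
API_GW = {"Service": "apigateway.amazonaws.com"}
SAMPLE_POLICIES = {
    # Modelled on the permission SAM emits for an Api event: scoped to one route of one API.
    f"{FUNCTION}:live": {"Version": "2012-10-17", "Id": "default", "Statement": [{
        "Sid": "SomeFunctionSomeFunctionPermissionProd", "Effect": "Allow", "Principal": API_GW,
        "Action": "lambda:InvokeFunction", "Resource": f"{ARN}:live",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*/POST/test"}}}]},
    # The hand-written SomePermission from the issue: no condition, so any API Gateway API may invoke.
    FUNCTION: {"Version": "2012-10-17", "Id": "default", "Statement": [{
        "Sid": "SomePermission", "Effect": "Allow", "Principal": API_GW,
        "Action": "lambda:InvokeFunction", "Resource": ARN}]},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python audit_policy.py <function-name>: query the real account
        import boto3
        client, name = boto3.client("lambda"), sys.argv[1]
    else:
        client, name = FakeLambdaClient(SAMPLE_POLICIES), FUNCTION
    for target, policy in fetch_policies(client, name).items():
        print(target, "no resource policy" if policy is None else unscoped_statements(policy))
```

Run without arguments it prints the three qualifiers of the constructed sample: the bare name with `SomePermission` flagged as unscoped, `:live` with SAM's route-scoped statement and nothing flagged, and `:1` with no policy. The practical lesson for the workaround in this thread is that a hand-written `AWS::Lambda::Permission` should carry a `SourceArn` (the `execute-api` ARN of the API, stage, method and path) rather than trusting `apigateway.amazonaws.com` wholesale.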

@awsjeffg

awsjeffg commented Sep 4, 2020

Thanks for opening this issue! As this issue is very old, we are closing it due to inactivity. If you are still running into this issue, please re-open this issue and if possible add any additional information that would help us understand the problem you are encountering.

awsjeffg closed this as completed Sep 4, 2020

@haggaret

Funny enough I forgot about this problem (and apparently didn't see the request for more information) but I just ran into it again. After opening a support case with AWS about this, they pointed me to this bug and asked that I add the AWS::Lambda::Permission resource to my template to fix it.

For completeness, here is the template that I'm using:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Description of the lambda

Globals:
  Function:
    Timeout: 300

Parameters:
    appName:
        Type: String
        Default: ""
    debug:
        Type: String
        Default: "false"

Resources:
    LambdaFunction:
        Type: AWS::Serverless::Function
        Properties:
            FunctionName: !Ref appName
            CodeUri: src/
            Handler: app.lambda_handler
            Runtime: python3.8
            Description: Lambda Description
            MemorySize: 128
            Environment:
                Variables:
                    DEBUG: !Ref debug
            Policies:
                - Version: 2012-10-17
                  Statement:
                      -
                          Effect: "Allow"
                          Action:
                              - "lambda:InvokeFunction"
                          Resource:
                              - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${appName}'
                      # IAM
                      -
                        Effect: "Allow"
                        Action:
                          - "iam:ListPolicies"
                          - "iam:ListEntitiesForPolicy"
                          - "iam:ListPolicyVersions"
                          - "iam:DetachGroupPolicy"
                          - "iam:DetachUserPolicy"
                        Resource:
                          - "arn:aws:iam::*:*"
                      -
                        Effect: "Allow"
                        Action:
                          - "iam:DeletePolicy"
                          - "iam:DeletePolicyVersion"
                        Resource:
                          - "arn:aws:iam::*:policy/*"

    lambdaScheduledRule:
        Type: "AWS::Events::Rule"
        Properties:
            Description: "Run lambda every day at 0501 GMT"
            # Set the cron to run every day at 05:01 GMT (lambdas clocks are GMT) to make sure we handle Standard time
            # as well as Daylight Savings time - this means a policy can actually be active for 1 hour past expiry
            # during daylight savings times
            ScheduleExpression: "cron(1 5 * * ? *)"
            State: "ENABLED"
            Targets:
                -
                  Arn: !GetAtt LambdaFunction.Arn
                  Id: "some_id"

I just use sam build and sam deploy to deploy it.

I'll try adding the AWS::Lambda::Permission resource mentioned above - that must have been what I did previously. 🙂
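Support's advice fits the template above: a standalone `AWS::Events::Rule` is plain CloudFormation, and SAM only generates the rule-plus-permission pair when a `Schedule` event is declared under the function's `Events`, so with a hand-written rule the `AWS::Lambda::Permission` for `events.amazonaws.com` is the author's responsibility. The script below is an added example, not SAM project code and not haggaret's template: it finds rule targets that point at a Lambda function with no matching permission and emits a least-privilege permission pinned to that rule's ARN. `TEMPLATE_RESOURCES` is constructed to mirror the template above with intrinsics in long form (`{"Ref": ...}`, `{"Fn::GetAtt": [...]}`), as a tag-aware YAML loader would produce them; loading the YAML itself is left out.

```python
"""Lint CloudFormation/SAM resources for AWS::Events::Rule targets that invoke a
Lambda function without a matching AWS::Lambda::Permission, and emit the fix.

Added example, not code from the SAM project or from this issue's authors.
TEMPLATE_RESOURCES is constructed to mirror haggaret's template (logical IDs
kept, unrelated properties trimmed) with intrinsics already in long form.
"""
LAMBDA_TYPES = {"AWS::Serverless::Function", "AWS::Lambda::Function"}


def referenced_id(value):
    """Logical ID named by a Ref / Fn::GetAtt intrinsic, else None."""
    if not isinstance(value, dict):
        return None
    if "Ref" in value:
        return value["Ref"]
    att = value.get("Fn::GetAtt")
    if isinstance(att, list):
        return att[0]
    if isinstance(att, str):  # "Logical.Arn" written as a single string
        return att.split(".", 1)[0]
    return None


def rules_missing_permission(resources):
    """(rule_id, function_id) pairs that EventBridge has no permission to invoke.

    A Permission counts only if its Principal is events.amazonaws.com and its
    FunctionName refers to the same resource the rule's Target.Arn refers to
    (a permission on the bare function does not cover a rule targeting an alias).
    """
    granted = {
        referenced_id(res.get("Properties", {}).get("FunctionName"))
        for res in resources.values()
        if res.get("Type") == "AWS::Lambda::Permission"
        and res.get("Properties", {}).get("Principal") == "events.amazonaws.com"
    }
    missing = []
    for rule_id, res in resources.items():
        if res.get("Type") != "AWS::Events::Rule":
            continue
        for target in res.get("Properties", {}).get("Targets", []):
            fn_id = referenced_id(target.get("Arn"))
            if fn_id in resources and resources[fn_id].get("Type") in LAMBDA_TYPES and fn_id not in granted:
                missing.append((rule_id, fn_id))
    return missing


def permission_for(resources, rule_id, fn_id):
    """Least-privilege fix: reuse the rule's own target ARN as FunctionName and
    pin SourceArn to this rule, so no other rule (or account) can invoke."""
    targets = resources[rule_id]["Properties"]["Targets"]
    target = next(t for t in targets if referenced_id(t.get("Arn")) == fn_id)
    return {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "Action": "lambda:InvokeFunction",
            "FunctionName": target["Arn"],
            "Principal": "events.amazonaws.com",
            "SourceArn": {"Fn::GetAtt": [rule_id, "Arn"]},
        },
    }


def fixed_resources(resources):
    """Copy of `resources` with one Permission added per missing (rule, function) pair."""
    fixed = dict(resources)
    for rule_id, fn_id in rules_missing_permission(resources):
        fixed[f"{fn_id}InvokeFrom{rule_id}"] = permission_for(resources, rule_id, fn_id)
    return fixed


# Constructed to mirror the template in haggaret's comment.
TEMPLATE_RESOURCES = {
    "LambdaFunction": {
        "Type": "AWS::Serverless::Function",
        "Properties": {"CodeUri": "src/", "Handler": "app.lambda_handler", "Runtime": "python3.8"},
    },
    "lambdaScheduledRule": {
        "Type": "AWS::Events::Rule",
        "Properties": {
            "ScheduleExpression": "cron(1 5 * * ? *)",
            "State": "ENABLED",
            "Targets": [{"Arn": {"Fn::GetAtt": ["LambdaFunction", "Arn"]}, "Id": "some_id"}],
        },
    },
}

if __name__ == "__main__":
    import json
    for rule_id, fn_id in rules_missing_permission(TEMPLATE_RESOURCES):
        print(f"{rule_id} targets {fn_id}, but events.amazonaws.com has no permission to invoke it")
    print(json.dumps(fixed_resources(TEMPLATE_RESOURCES)["LambdaFunctionInvokeFromlambdaScheduledRule"], indent=2))
```

The emitted resource is the `AWS::Lambda::Permission` to paste into the template (converted back to YAML short form: `FunctionName: !GetAtt LambdaFunction.Arn`, `SourceArn: !GetAtt lambdaScheduledRule.Arn`). The `SourceArn` is the part the bare permission in the earlier workaround lacks; without it every EventBridge rule, including ones in other accounts that can see the function ARN, is allowed to invoke. Declaring the schedule as a `Schedule` event under the function's `Events` block is the alternative that lets SAM generate both the rule and a scoped permission.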

6 participants