I have a very simple AWS Lambda function - just listing all my CloudWatch events:
```python
import boto3

def lambda_handler(event, context):
    client = boto3.client("events")
    return client.list_rules()
```
However, when I try to run it (with an empty test event: `{}`), I am getting the following permissions exception:

```
An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName
is not authorized to perform: events:ListRules
on resource: arn:aws:events:eu-west-1:123321123321:rule/*
```
I do have this policy attached to the Lambda execution role (and I can see the actions listed in the permissions tab on the Lambda):

```json
{
  "document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "BasicCloudWatchEventsManager",
        "Effect": "Allow",
        "Action": [
          "events:DescribeRule",
          "events:EnableRule",
          "events:PutRule",
          "events:ListRules",
          "events:DisableRule"
        ],
        "Resource": "arn:aws:events:*:*:rule/[*/]*"
      }
    ]
  },
  "name": "BasicCloudWatchEventsManager",
  "id": "SOME7LONG7ID",
  "type": "managed",
  "arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}
```
I've built the policy using the visual editor they provide, just changed the Sid manually.
Any clues what might be missing?
After a lot of frustration, I figured it out.
In the visual policy editor, selecting the resource as "any rule", adding an ARN and selecting "any" for all options will add this line to the policy:

```json
"Resource": "arn:aws:events:*:*:rule/[*/]*"
```

What this is meant to stand for is: `*` for the region, and `[*/]` for an optional part of the rule name.

However, it looks like Amazon's logic is slightly broken: the optional part doesn't work and is probably taken literally. So what I had to do to fix it is to change this to:

```json
"Resource": "arn:aws:events:*:*:rule/*"
```
With this it works without issues.
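To see why the first pattern never matches, here is a small IAM-style resource matcher, added as an example (not AWS's implementation and not part of the question or answer). It assumes the documented IAM wildcard rules: `*` matches any run of characters, `?` matches exactly one character, and every other character, including `[` and `]`, is literal; the statement and the denied ARN are constructed copies of the ones quoted above.

```python
import re

def iam_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Action/Resource pattern into an anchored regex.
    Assumption: only '*' and '?' are wildcards; brackets stay literal."""
    escaped = re.escape(pattern)          # '[' -> '\[', '*' -> '\*', ...
    regex = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + regex + "$")

def resource_matches(pattern: str, arn: str) -> bool:
    return iam_pattern_to_regex(pattern).fullmatch(arn) is not None

def statement_allows(statement: dict, action: str, arn: str) -> bool:
    """True if an Allow statement covers both the action and the resource.
    Action names are compared case-insensitively, as IAM does."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    if isinstance(actions, str):
        actions = [actions]
    if isinstance(resources, str):
        resources = [resources]
    action_ok = any(resource_matches(a.lower(), action.lower()) for a in actions)
    resource_ok = any(resource_matches(r, arn) for r in resources)
    return action_ok and resource_ok

# Constructed copy of the statement from the question's policy document.
QUESTION_STATEMENT = {
    "Sid": "BasicCloudWatchEventsManager",
    "Effect": "Allow",
    "Action": ["events:DescribeRule", "events:EnableRule", "events:PutRule",
               "events:ListRules", "events:DisableRule"],
    "Resource": "arn:aws:events:*:*:rule/[*/]*",
}
# Same statement with the Resource the answer ended up using.
FIXED_STATEMENT = dict(QUESTION_STATEMENT, Resource="arn:aws:events:*:*:rule/*")
# The resource named in the AccessDeniedException quoted in the question.
DENIED_ARN = "arn:aws:events:eu-west-1:123321123321:rule/*"

if __name__ == "__main__":
    for label, stmt in (("editor pattern", QUESTION_STATEMENT),
                        ("fixed pattern", FIXED_STATEMENT)):
        print(label, "->", statement_allows(stmt, "events:ListRules", DENIED_ARN))
```

Running it shows the editor-generated pattern only matches ARNs that literally contain `[` and `]` after `rule/`, which is why ListRules is denied until the Resource is changed to `rule/*`.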