I have a very simple AWS Lambda function - just listing all my CloudWatch events:
import boto3
def lambda_handler(event, context):
client = boto3.client("events")
return client.list_rules()
However, when I try to run it (with an empty test event: {}), I am getting the following permissions exception:
An error occurred (AccessDeniedException) when calling the ListRules operation:
User: arn:aws:sts::123321123321:assumed-role/lambda+basicEvents/lambdaName
is not authorized to perform: events:ListRules
on resource: arn:aws:events:eu-west-1:123321123321:rule/*
I do have this policy attached to the lambda execution role (and I can see the actions listed in the permissions tab on the lambda):
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BasicCloudWatchEventsManager",
"Effect": "Allow",
"Action": [
"events:DescribeRule",
"events:EnableRule",
"events:PutRule",
"events:ListRules",
"events:DisableRule"
],
"Resource": "arn:aws:events:*:*:rule/[*/]*"
}
]
},
"name": "BasicCloudWatchEventsManager",
"id": "SOME7LONG7ID",
"type": "managed",
"arn": "arn:aws:iam::123321123321:policy/BasicCloudWatchEventsManager"
}
I've build the policy using the visual editor they provide, just changed the sid manually.
Any clues what might be missing?
After a lot of frustration, I figured it out.
In the visual policy editor, selecting the resource as any rule, adding and ARN and selecting "any" for all options will create add this line in the policy:
"Resource": "arn:aws:events:*:*:rule/[*/]*"
What this is meant to stand for is:
*) region[*/] part)However, looks like Amazon's logic is slightly broken and the optional part doesn't work and is probably taken literally. So what I had to do to fix it is to change this to:
"Resource": "arn:aws:events:*:*:rule/*"
With this it works without issues.