I'm trying to allow AWS Lambda residing in a private VPC to invoke another Lambda not in any VPC. I'm purposely avoiding use of NAT gateways in favor of Interface VPC Endpoints as they're a bit cheaper to use. However, I'm running into trouble configuring a custom policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "[~some stuff~]",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:lambda:[~region~]:[~taken out~]:function:Test-Invoked"
        }
    ]
}
```
This was generated by the policy generator provided by AWS, which I copied and pasted. When I tried to create the endpoint, this got overwritten by the default All access. After I tried to change this once the endpoint was created, AWS takes me to an error page saying "Error: An unknown error occurred".
Would appreciate some help on this.
Your interface endpoint policy is invalid. It's missing a Principal element, for once.
But my advice would be to use the default policy, and control access to the endpoint using security groups, and to control permissions to invoke the second Lambda by means of IAM roles and/or Lambda's resource-based permissions.
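As an added example (not from the question or the answer above), this is the question's endpoint policy with the missing Principal element filled in; the account ID 111122223333 and region us-east-1 are placeholders, and the principal is scoped to the account that owns the VPC endpoint rather than left open with "*":

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInvokeTestInvokedFromThisAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:Test-Invoked"
        }
    ]
}
```

An endpoint policy only limits what traffic may pass through the endpoint; the calling function's execution role still needs lambda:InvokeFunction on Test-Invoked, which is the IAM-role control the answer recommends.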