I am trying to connect Lex with Lambda using CDK (TS).
I am getting "Invalid Bot Configuration: Access denied while invoking lambda function arn:aws:lambda:xyz from arn:aws:lex:zyx. Please check the policy on this function".
I have tried applying inline policies using the AWS Console, but nothing works. I also tried attaching `*` policies; that did not work either.
My code looks something like this:
// Role assumed by the Lex service
const botRole = new Role(this, 'bot-role', {
  assumedBy: new ServicePrincipal('lex.amazonaws.com'),
  inlinePolicies: {
    'allow-everything': new PolicyDocument({
      statements: [
        new PolicyStatement({
          effect: Effect.ALLOW,
          resources: ['*'],
          actions: ['*'],
        }),
      ],
    }),
  },
});

// Fulfillment Lambda with its own execution role
const botLambdaHandler = new NodejsFunction(
  this,
  'bot-lambda-handle',
  {
    entry: join(__dirname, 'resources', 'bot-handler.ts'),
    ...nodeJsFunctionProps,
    role: new Role(this, 'bot-execution-role', {
      assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
      inlinePolicies: {
        'allow-everything': new PolicyDocument({
          statements: [
            new PolicyStatement({
              effect: Effect.ALLOW,
              resources: ['*'],
              actions: ['*'],
            }),
          ],
        }),
      },
    }),
  }
);

const bot = new CfnBot(this, 'bot-name', {
  name: 'bot-name',
  roleArn: botRole.roleArn, // the Lex role defined above
  ...
  { testAliasConfig with arn of botLambdaHandler }
});

const botVersion = new CfnBotVersion(this, 'bot-prod-version', {
  botId: bot.attrId,
  botVersionLocaleSpecification: [
    {
      localeId: 'en_US',
      botVersionLocaleDetails: {
        sourceBotVersion: 'DRAFT',
      },
    },
  ],
});

// Alias that points the code hook at the Lambda
new CfnBotAlias(this, 'bot-prod-alias', {
  botAliasName: 'BotProd',
  botId: bot.attrId,
  botVersion: botVersion.attrBotVersion,
  botAliasTags: tags,
  botAliasLocaleSettings: [
    {
      localeId: 'en_US',
      botAliasLocaleSetting: {
        enabled: true,
        codeHookSpecification: {
          lambdaCodeHook: {
            codeHookInterfaceVersion: '1.0',
            lambdaArn: botLambdaHandler.functionArn,
          },
        },
      },
    },
  ],
});
I have tried applying inline policies using the AWS Console. Nothing works :( I would be glad for your help!
The Lambda function’s resource-based policy isn't allowing AWS Lex to invoke it, hence the 'access denied while invoking lambda function' error.
After you've fixed all of the dangerous allow-all policies (please!), use addPermission(...) to modify the policy to allow the bot to invoke your Lambda:

// Adds a statement to the Lambda's resource-based policy (lambda:AddPermission)
botLambdaHandler.addPermission('lex-fulfillment', {
  action: 'lambda:InvokeFunction',
  principal: new iam.ServicePrincipal('lex.amazonaws.com'),
});
Note that for v2 Lex bots, the service principal is lexv2.amazonaws.com.