amazon-web-services aws-lambda aws-iam-policy

No authorization to perform lambda:GetAccountSettings


When I log into the AWS web console and go to the Lambda start page, I see the following error message:

User: arn:aws:iam::xxxxxxxxxxxx:user/aaaaaaaaaaaaa is not authorized to perform: lambda:GetAccountSettings on resource: * with an explicit deny in an identity-based policy

I do not see a list of existing lambdas.

We tried giving my user certain IAM permissions, but we could not find one that resolved the authorization issue. Is this just about a missing permission and, if so, which permission is needed here?


Solution

  • From the error you’ve shared, it’s clear that there is an explicit deny in one of your IAM policies preventing your user from accessing lambda:GetAccountSettings. This means that despite possibly having the right permissions elsewhere, a specific policy linked to your user or group explicitly blocks this action.

    To resolve this issue, you or an AWS administrator will need to review the policies associated with your IAM user. Start by checking both the managed and inline policies linked to your user account in the IAM section of the AWS console. You'll need to look for any deny statements that might cover all services or all Lambda actions, or that specifically target lambda:GetAccountSettings.

    Once identified, the deny statement needs to be removed from the policy or modified to grant you access. If you don't have permissions to edit IAM policies, you'll need to contact an administrator who can make these changes. Make sure that your user account also has the necessary allow permissions for lambda:GetAccountSettings, which can be included in a policy like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "lambda:GetAccountSettings",
                "Resource": "*"
            }
        ]
    }
    

    After updating the policy, log out of the AWS console and log back in to make sure your permissions are updated. If the problem persists, check if there are any other restrictions, such as Service Control Policies from AWS Organizations, that might be affecting your permissions.
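
The policy review described in the answer can be scripted. The following Python is an added example, not part of the original answer: it scans identity-based policy documents for Deny statements that cover lambda:GetAccountSettings, including wildcard and NotAction forms. The policy names, Sids and documents are constructed samples standing in for the managed and inline policies attached to the user and its groups.

```python
import re

TARGET = "lambda:GetAccountSettings"

# Constructed sample documents (assumption: exported policies keyed by policy name).
SAMPLE_POLICIES = {
    "AllowLambdaSettings": {"Statement": [
        {"Effect": "Allow", "Action": TARGET, "Resource": "*"}]},
    "DenyAllLambda": {"Statement": {
        "Sid": "BlockLambda", "Effect": "Deny", "Action": "lambda:*", "Resource": "*"}},
    "RequireMFA": {"Statement": [{
        "Sid": "DenyWithoutMFA", "Effect": "Deny",
        "NotAction": ["iam:ChangePassword", "sts:GetSessionToken"], "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]},
    "S3Guard": {"Statement": [
        {"Effect": "Deny", "Action": ["s3:Delete*"], "Resource": "*"}]},
}

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and NotAction.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Action patterns are case-insensitive; only * and ? act as wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_explicit_denies(policies, action=TARGET):
    """Return (policy name, Sid or index, has Condition) per covering Deny.

    Resource and Condition are not evaluated: a hit flagged as conditional
    only applies when its condition is met, so review those by hand.
    """
    hits = []
    for name, doc in policies.items():
        for i, stmt in enumerate(_as_list(doc.get("Statement"))):
            if stmt.get("Effect") != "Deny":
                continue
            if "NotAction" in stmt:
                # Deny + NotAction denies every action except the listed ones.
                covered = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                covered = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
            if covered:
                hits.append((name, stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return hits

if __name__ == "__main__":
    for policy, sid, conditional in find_explicit_denies(SAMPLE_POLICIES):
        print(f"{policy}/{sid}: explicit deny (conditional={conditional})")
```

The Allow statement in AllowLambdaSettings has no effect on the result: any matching Deny in an applicable policy overrides it.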