AWS IAM Lambda “is not authorized to perform: lambda:GetFunction”

Question

When I have my IAM Policy for my lambda execution role set to:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Action": [

                "lambda:GetFunction"

            ],

            "Resource": [

                "*"

            ],

            "Effect": "Allow"

        }

    ]

}

I get this error:

[AccessDeniedException: User:

arn:aws:sts::xxx:assumed-role/supercoolsoftware-dev-us-west-2-lambdaRole/supercoolsoftware-dev-addEmail

is not authorized to perform: 

lambda:GetFunction on resource:

arn:aws:lambda:us-west-2:xxx:function:supercoolsoftware-dev-dailyEmail]

However, when I set the policy to:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Action": [

                "lambda:*"

            ],

            "Resource": [

                "*"

            ],

            "Effect": "Allow"

        }

    ]

}

The error is gone... What else do I need to add?

Answer 1

The SDK requires lambda:GetFunctionConfiguration too. It will work if you add it under Action.

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Action": [

                "lambda:GetFunction",

                "lambda:GetFunctionConfiguration"

            ],

            "Resource": [

                "*"

            ],

            "Effect": "Allow"

        }

    ]

}