AccessDeniedException: User: arn:aws:iam::xxxxxxx:root is not authorized to perform: lambda:UpdateFunctionCode

amazon-alexa
cli

#1

Hi Jan,
I have created a skill in the console, created a Lambda function, a local setup with JOVO and an ASK profile (exampleOfficial).
I created the above profile with the same user account which had been set up by my Administrator.

I am getting the following response when trying to deploy to lambda
(jovo deploy -t lambda --ask-profile exampleOfficial)

Deploying Alexa Skill 
    ✖ Uploading to AWS Lambda
      → User: arn:aws:iam::880731272882:root is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-east-
…
 ›   Error: There was a problem:
 ›   AccessDeniedException: User: arn:aws:iam::880731272882:root is not authorized to perform: lambda:UpdateFunctionCode on resource: 
 ›   arn:aws:lambda:us-east-1:109918021270:function:exampleProjectNotes

However, the following commands are running without issue:

$ jovo get alexaSkill --skill-id <Skill ID> --ask-profile exampleOfficial
and
$ jovo deploy --ask-profile exampleOfficial

I referred to this article and created a Policy with the following JSON:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole",
            "iam:GetRole",
            "iam:AttachRolePolicy",
            "iam:PassRole",
            "lambda:AddPermission",
            "lambda:CreateFunction",
            "lambda:GetFunction",
            "lambda:UpdateFunctionCode",
            "lambda:UpdateFunctionConfiguration",
            "lambda:ListFunctions",
            "logs:FilterLogEvents",
            "logs:getLogEvents",
            "logs:describeLogStreams"
        ],
        "Resource": "*"
    }
}

I then went to https://console.aws.amazon.com/iam/home#/users/<username> > Add Permission. Now I am not sure which one to select. Under Attach Existing Policy Directly, I can see the permissions I have created earlier for the Policy. Shall I attach this?

Because I am not sure, I have no idea what impact this might have in other areas.

Please suggest. This is kind of urgent.

Regards,
Subrata Sarkar


#2

The permissions look correct to me.

Could you try to update the Lambda with the AWS CLI? Maybe in an isolated project?

Just to make sure it is Jovo CLI related.


#3

Thank you Alex!

Do you mean I need to create a new project using JOVO CLI? I can do that. But please help me understand how I can update the Lambda with the AWS CLI.

Regards


#4

https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-code.html
I haven’t done it myself yet. Probably something like aws lambda update-function-code --function-name <value> --zip-file fileb://bundle.zip --profile <profile> ?


#5

Ok, I will try. One question.
Is this what I need to implement? I have the Access and Secret Keys with me.
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html


#6

Yes, run aws configure and also ask configure

https://developer.amazon.com/en-US/docs/alexa/smapi/ask-cli-command-reference.html#configure-command


#7

Thanks a lot! I will try the steps and get back to you with my findings.


#8

Hi, after doing some more research I have created a new ASK CLI using my company’s IAM credential. Everything looks to be working fine now. Thank you so much for your help 🙂
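
Added example, not part of the thread and not Jovo or AWS code: the error text in post #1 names both the calling principal and the target resource, and this Python sketch parses such a message to report whether the caller is the account root user and whether caller and resource sit in different accounts. The function names `arn_account` and `triage_denial` are assumptions made for this example; the sample text is the message quoted in post #1.

```python
import re

# Shape of the IAM denial text quoted in post #1 of this thread.
DENIAL_RE = re.compile(
    r"User:\s*(?P<principal>arn:\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[\w-]+:[\w*]+)(?:\s+on resource:\s*(?P<resource>arn:\S+))?"
)

def arn_account(arn):
    """Account-id field of an ARN, or '' if the ARN is missing or truncated."""
    parts = (arn or "").split(":", 5)
    return parts[4] if len(parts) == 6 else ""

def triage_denial(message):
    """Parse an AccessDenied message into findings; None if it does not match."""
    # CLI output wraps lines and prefixes them with '›'; flatten both.
    flat = " ".join(message.replace("›", " ").split())
    m = DENIAL_RE.search(flat)
    if m is None:
        return None
    caller = arn_account(m["principal"])
    target = arn_account(m["resource"])
    is_root = m["principal"].endswith(":root")
    # Only compare accounts when both ids were actually recovered.
    cross = (caller != target) if caller and target else None
    notes = []
    if is_root:
        notes.append("request was signed with account root user keys; "
                     "use an IAM user or role instead")
    if cross:
        notes.append(f"caller account {caller} differs from resource account "
                     f"{target}; a policy attached in the caller's account "
                     "is not enough on its own")
    return {"action": m["action"], "caller_account": caller,
            "resource_account": target, "is_root": is_root,
            "cross_account": cross, "notes": notes}

# Error text from post #1, including its line wrap.
SAMPLE = """AccessDeniedException: User: arn:aws:iam::880731272882:root is not authorized to perform: lambda:UpdateFunctionCode on resource: 
 ›   arn:aws:lambda:us-east-1:109918021270:function:exampleProjectNotes"""

if __name__ == "__main__":
    for key, value in triage_denial(SAMPLE).items():
        print(f"{key}: {value}")
```

When the resource ARN is cut off, as in the first error line of post #1, `cross_account` comes back as `None` rather than a guess.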