Having a permission error when invoking a function from the other function (AccessDeniedException)

dosuken123 · December 18, 2019, 6:36pm

I have two functions in a job file, one is job_a and another is job_b. Now job_a executes job_b as perform_later, which executes a new lambda function, however, the execution fails due to a permission error.

RubyError: Aws::Lambda::Errors::AccessDeniedException: User: arn:aws:sts::771585002795:assumed-role/gitlab-serverless-runner-dev-IamRole-1GS1EZOIN7VVJ/gitlab-serverless-runner-dev-runner_job-request_jobs is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-southeast-1:771585002795:function:gitlab-serverless-runner-dev-runner_job-execute_job

At this moment, I have no clue how to pursue this investigation. Any help would be appreciated. Thanks.

tung · December 18, 2019, 8:07pm

The job (a lambda function) is calling another lambda function. So the job lambda function needs IAM access to call lambda. Docs:

https://rubyonjets.com/docs/iam-policies/

Example:

class HardJob < ApplicationJob
  class_timeout 300 # 300s or 5m, current Lambda max is 15m

  iam_policy "lambda" # adds IAM permission/access
  rate "10 hours" # every 10 hours
  def dig
    puts "done digging"
    # calls another lambda function...
  end
end

dosuken123 · December 19, 2019, 5:11pm

Thank you for advice! It worked!