
How to Fix AWS Lambda Permission Denied Error

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix AWS Lambda Permission Denied Error. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Your Lambda function returns AccessDeniedException or Permission denied — the function lacks the IAM permissions to access required resources.

Step-by-Step Fix

1. Check the Lambda execution role

aws lambda get-function-configuration --function-name my-function --query 'Role'

Expected output:

arn:aws:iam::123456789012:role/my-lambda-execution-role

2. Attach the required policy

aws iam attach-role-policy --role-name my-lambda-execution-role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

3. Add a resource-based policy (when another AWS service or account needs to invoke the function)

aws lambda add-permission \
  --function-name my-function \
  --statement-id s3-invoke \
  --action lambda:InvokeFunction \
  --principal s3.amazonaws.com \
  --source-arn arn:aws:s3:::my-bucket

4. Verify the policy

aws lambda get-policy --function-name my-function

Expected output:

{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"s3-invoke\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:123456789012:function:my-function\"}]}"
}

5. Test the function

aws lambda invoke --function-name my-function --payload '{}' response.json

Common Mistakes

Mistake                                      Fix
Execution role has no S3/DynamoDB access     Attach the appropriate managed policy
Wrong principal in resource policy           Use the correct AWS service principal
Missing source ARN condition                 Add a SourceArn condition so only the intended resource can invoke the function
Policy not attached to correct role          Verify the role ARN matches the function
VPC function cannot access S3                Add a VPC endpoint or NAT gateway
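To make the step 4 check repeatable, here is an added Python example (not code from this page or from AWS) that parses the output of aws lambda get-policy and flags statements where a service principal may invoke the function without a SourceArn or SourceAccount condition, the "Missing source ARN condition" row above. The sample policy document is constructed to mirror the step 4 output; the account id and bucket name are placeholders.

```python
import json

# Constructed sample in the shape `aws lambda get-policy` prints: the "Policy"
# value is a JSON document encoded as a string. Account id and bucket are placeholders.
GET_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # lets the S3 service principal invoke with no source scoping
            "Sid": "s3-invoke", "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
        },
        {   # same grant scoped to one bucket, as `add-permission --source-arn` produces
            "Sid": "s3-invoke-scoped", "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
            "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}},
        },
    ],
})})

SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Principal.Service
    return value if isinstance(value, list) else [value]


def is_source_scoped(statement):
    """True if any condition operator carries aws:SourceArn or aws:SourceAccount."""
    for operator_keys in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_KEYS for key in operator_keys):
            return True
    return False


def unscoped_service_grants(get_policy_output):
    """Sids of Allow statements that let an AWS service principal call
    lambda:InvokeFunction without a source-scoping condition."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Allow" and services
                and actions & {"lambda:invokefunction", "lambda:*"}
                and not is_source_scoped(stmt)):
            findings.append(stmt.get("Sid", "<no-sid>"))
    return findings
```

Feed it the real output of aws lambda get-policy --function-name my-function and any Sid it returns is a statement to tighten with --source-arn.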

Prevention

  • Follow least-privilege for Lambda execution roles.
  • Use AWS managed policies where possible.
  • Test permissions with the AWS Policy Simulator.
  • Enable CloudTrail for permission audit trails.


FAQ

What is the difference between execution role and resource-based policy?

The execution role grants the Lambda function access to other AWS services. A resource-based policy grants other services permission to invoke the Lambda function.

How do I grant Lambda access to a VPC resource?

Add AWSLambdaVPCAccessExecutionRole to the execution role, which provides permissions for Elastic Network Interfaces.

Can one Lambda function invoke another Lambda?

Yes, add lambda:InvokeFunction to the first function's execution role for the second function's ARN.
