aws lex version


Each time I create a new version and point my Lex bot at it, I'm no longer able to use my Lex bot and I get this error message:

Invalid Bot Configuration: Access denied while invoking lambda function arn:aws:lambda:us-east-1:XXXXXXX:function:sam-yyyyyy-lambdaFunction:version_1 from arn:aws:lex:us-east-1:xxxxxx:bot-alias/aaaaaa/bbbbbb. Please check the policy on this function.

My script in template.yaml:

  BotRuntimeRole: # 1. IAM Role used by the Lex service to make runtime calls
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lexv2.amazonaws.com   # only the Lex V2 service may assume this role
            Action:
              - "sts:AssumeRole"
      Path: "/"
      Policies:
        - PolicyName: LexRuntimeRolePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "polly:SynthesizeSpeech"     # text-to-speech for voice responses
                  - "comprehend:DetectSentiment" # sentiment analysis on utterances
                  - "s3:GetObject"
                Resource: "*"
        # Note: Lex V2 does not invoke the code-hook Lambda through this role. The
        # invocation is authorized by the Lambda function's own resource-based policy
        # (see the error message), so this lambda:* grant does not fix the error and is
        # far broader than the bot needs.
        - PolicyName: AWSLambda_FullAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "lambda:*"
                Resource: "*"


ayoub
asked 2 months ago
1 Answer

Check the resource-based policy statement on your Lambda version. It should look something like the one below. Each Lambda version can have different permissions, so you may need to add it to each. If you need to use Lambda versions, you could simplify things by creating a Lambda alias; you can then set the policy on the alias and point it to the version you want to use (so you don't have to keep ensuring each version has the permissions you want).

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lex-lambda-invokeFunction",
      "Effect": "Allow",
      "Principal": {
        "Service": "lexv2.amazonaws.com"
      },
      "Action": "lambda:invokeFunction",
      "Resource": "<lambdaARN>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<awsAccount>"
        },
        "ArnLike": {
          "AWS:SourceArn": "<botAliasArn>"
        }
      }
    }
  ]
}

If you have a specific botAliasArn in the "ArnLike" condition, ensure all the bot aliases you need are included.

Gillian (AWS)
answered 2 months ago
reviewed a month ago
  • I found the answer: take the same permission already applied to the original Lambda function and apply it to the new Lambda version's permissions.
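The answer's alias approach, worked through as a SAM template fragment. This is an added example, not code from the question, the answer or AWS documentation for this thread: it assumes a SAM function with logical ID LambdaFunction, an AWS::Lex::Bot with logical ID Bot and an AWS::Lex::BotVersion with logical ID BotVersion, and the en_US locale. The resource-based permission is attached once to the Lambda alias, with SourceAccount and SourceArn conditions so that only this account's bot aliases can trigger it, and the bot alias calls the Lambda alias rather than a numbered version, so publishing a new version never loses the permission.

```yaml
# Added example (not from the question or answer). Logical IDs LambdaFunction, Bot,
# BotVersion and BotAlias, the handler/runtime and the en_US locale are assumptions.
Resources:
  LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: app.handler          # assumed
      Runtime: python3.12           # assumed
      CodeUri: src/                 # assumed
      # Publishes a new version on every deploy and keeps the alias "live" pointing at it.
      # !Ref LambdaFunction.Alias below resolves to the alias ARN (...:function:<name>:live).
      AutoPublishAlias: live

  # The resource-based policy Lex V2 is actually checked against. It sits on the ALIAS,
  # not on the unqualified function or on a numbered version, so it survives new versions.
  LexInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref LambdaFunction.Alias
      Principal: lexv2.amazonaws.com
      # Confused-deputy guards: only bot aliases of this bot, in this account, may invoke.
      # Lambda renders SourceArn as an ArnLike condition, so the trailing * covers every
      # alias of the bot; replace it with the one bot-alias ARN to tighten further.
      SourceAccount: !Ref AWS::AccountId
      SourceArn: !Sub "arn:aws:lex:${AWS::Region}:${AWS::AccountId}:bot-alias/${Bot}/*"

  BotAlias:
    Type: AWS::Lex::BotAlias
    DependsOn: LexInvokePermission  # permission exists before the alias can be called
    Properties:
      BotId: !Ref Bot
      BotAliasName: prod
      BotVersion: !GetAtt BotVersion.BotVersion
      BotAliasLocaleSettings:
        - LocaleId: en_US
          BotAliasLocaleSetting:
            Enabled: true
            CodeHookSpecification:
              LambdaCodeHook:
                CodeHookInterfaceVersion: "1.0"
                # Point at the Lambda alias, never at a specific version ARN.
                LambdaArn: !Ref LambdaFunction.Alias
```

To promote a new version, redeploy: SAM publishes the version and moves the `live` alias, and the permission on the alias keeps applying. To confirm what Lex will be checked against, run `aws lambda get-policy --function-name <name> --qualifier live` and look for the `lexv2.amazonaws.com` statement with your bot's ARN in its condition; the same command without `--qualifier` shows the unqualified function's policy, which is not consulted when the bot calls a version or alias ARN.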
