Cannot delete or access lambda related resources with full lambda permissions


I have been using Lambda functions for years and began using CloudFormation this year. I use an IAM role with full Lambda permissions.

I recently created a CloudFormation stack that includes a Lambda function, IAM role, and triggers. I attempted to delete the stack and it fails to delete the Lambda function with this error:

Resource handler returned message: "Service returned error code AccessDeniedException (Service: Lambda, Status Code: 403)" (HandlerErrorCode: GeneralServiceException)

There are also failures that appear with the function's EventSourceMapping:

Resource handler returned message: "null (Service: Lambda, Status Code: 403)" (HandlerErrorCode: GeneralServiceException)

When I navigate to the lambda page in the console, it shows a red box and fails to list any lambda functions.

When I navigate to the Lambda function that failed to delete through the resources of CloudFormation, it shows red boxes everywhere, and the trigger section never loads.

So, instead of using the broken console, I try the CLI.

First attempt, I try to list the event source mappings so I can delete the triggers to the lambdas, which I assume may be why the lambdas are going wonky:

aws --profile myprofile lambda list-event-source-mappings --region us-east-1

It returns:

An error occurred (AccessDeniedException) when calling the ListEventSourceMappings operation: None

My profile has full lambda access.

I also cannot just delete the lambdas using the CLI:

aws --profile myprofile lambda delete-function --function-name myfunction --region us-east-1

An error occurred (AccessDeniedException) when calling the DeleteFunction operation: None

I grab what I assume is the UUID of the event source mapping for a Lambda's trigger from the CloudFormation UI when I select to delete the stack. (It brings up resources I may want to retain and lists IDs under them.) When I try to use the CLI to delete the event source mapping, it fails with AccessDeniedException.

It seems my account is no longer able to access my resources?

asked a year ago · 527 views
1 Answer
Accepted Answer

Hi, there are two possibilities I can think of. One is that you really don't have IAM permissions due to a Deny somewhere (could for example be an SCP that's been applied if this is an Enterprise environment).

The second is that there's an issue with your account, in which case the Lambda console may say "last updated 53 years ago" (i.e. the epoch). See https://repost.aws/questions/QU4uPZdEWgRBGmBVVnAGXUug/error-with-aws-lambda for example.

answered a year ago
  • It is definitely the second possibility since I am not able to access lambda functions from the root account. It does say "Last updated 53 years ago". I certainly hope AWS did not lock down my account since this really redefines what is meant by 99.99% uptime! My whole system has been impaired for days now, bringing our services to a complete stop. I expect they will jump in and resolve the issue soon now that I fed them some $$$ with a higher support plan.
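A small triage script, added here as an example and not part of the thread, that separates the two possibilities the answer names: it asks the IAM policy simulator whether the caller's policies allow a Lambda action, then makes the real call and compares the two signals. The profile name, region, and the function names triage_verdict and triage_live are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: profile "myprofile", region
# "us-east-1", and the helper names triage_verdict / triage_live.

# Pure decision step, so it can be exercised without AWS access.
#   $1 = IAM simulator EvalDecision: allowed | explicitDeny | implicitDeny
#   $2 = stderr text from the live Lambda call (empty if the call succeeded)
triage_verdict() {
  case "$1" in
    explicitDeny) echo explicit-deny ;;   # a Deny statement: policy, boundary or SCP
    implicitDeny) echo implicit-deny ;;   # nothing grants the action
    allowed)
      case "$2" in
        *AccessDeniedException*) echo allowed-but-403 ;;  # policies say yes, service says 403
        "") echo ok ;;
        *) echo other-error ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# Live checks. Assumes the caller is an IAM user or role; for an assumed-role
# session, pass the role's own ARN to the simulator instead of the session ARN.
triage_live() {
  profile="$1"; region="$2"; action="${3:-lambda:ListFunctions}"
  arn=$(aws --profile "$profile" sts get-caller-identity --query Arn --output text)
  decision=$(aws --profile "$profile" iam simulate-principal-policy \
      --policy-source-arn "$arn" --action-names "$action" \
      --query 'EvaluationResults[0].EvalDecision' --output text)
  # Keep only stderr: the CLI prints "An error occurred (AccessDeniedException) ..." there.
  err=$(aws --profile "$profile" --region "$region" lambda list-functions \
      --max-items 1 2>&1 >/dev/null) || true
  echo "principal=$arn simulator=$decision verdict=$(triage_verdict "$decision" "$err")"
}

# Run the live part only when asked, so the file can be sourced or tested offline.
if [ "${1:-}" = "--live" ]; then
  triage_live "${2:-myprofile}" "${3:-us-east-1}"
fi
```

Run it as `sh triage.sh --live myprofile us-east-1`. If the simulator cannot see your organization's SCPs, an SCP Deny can also show up as allowed-but-403, so check SCPs too before concluding the problem is on the account side.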
