CodexBloom - Programming Q&A Platform

AWS CDK: Custom Resource Not Triggering Lambda with Permissions scenarios

👀 Views: 45 💬 Answers: 1 📅 Created: 2025-06-12
AWS CDK Lambda IAM TypeScript

I need some guidance on an AWS CDK project where I'm trying to create a custom resource that triggers a Lambda function. However, I'm running into a permissions problem where the Lambda function seems not to have the necessary permissions to access resources defined in my stack. I've set up my CDK stack as follows:

```typescript
import * as cdk from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as customResources from 'aws-cdk-lib/custom-resources';
import * as iam from 'aws-cdk-lib/aws-iam';

// CDK app and the stack that holds both the function and the custom resource
const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

// Target function that the custom resource should invoke
const myLambda = new lambda.Function(stack, 'MyFunction', {
  runtime: lambda.Runtime.NODEJS_14_X,
  code: lambda.Code.fromAsset('lambda'),
  handler: 'index.handler',
});

// Custom resource that performs a Lambda.invoke SDK call on create
const customResource = new customResources.AwsCustomResource(stack, 'MyCustomResource', {
  onCreate: {
    service: 'Lambda',
    action: 'invoke',
    parameters: {
      FunctionName: myLambda.functionName,
    },
    physicalResourceId: customResources.PhysicalResourceId.of(Date.now().toString()),
  },
  // Policy attached to the role of the custom resource's provider function
  policy: customResources.AwsCustomResourcePolicy.fromStatements([
    new iam.PolicyStatement({
      actions: ['lambda:InvokeFunction'],
      resources: [myLambda.functionArn],
    }),
  ]),
});
```

The error message I get when deploying is:

```
User: arn:aws:iam::123456789012:user/MyUser is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:123456789012:function:MyFunction
```

I've checked that the policy for the `AwsCustomResource` is set correctly to allow `lambda:InvokeFunction`, and I also made sure that my IAM user has the necessary permissions to deploy this stack. I've tried adding `AWSLambda_FullAccess` to my user temporarily, but the error persists. Additionally, I've verified that the Lambda function itself has the correct execution role that allows it to invoke other AWS services.

I also attempted to add an `Environment` variable to the Lambda function to log the permissions it receives at runtime, but that did not yield any helpful information. Does anyone have suggestions for troubleshooting this permissions issue, or insight into what might be going wrong with my custom resource configuration? I'm working in a CentOS environment. Any ideas what could be causing this? I'm working on a REST API that needs to handle this. Thanks for taking the time to read this!
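As an added example that is not part of the question, the following TypeScript check (no aws-cdk-lib dependency) walks a synthesized CloudFormation template, as written to `cdk.out` by `cdk synth`, and reports which IAM policy and roles are allowed to call `lambda:InvokeFunction` on the target function, flagging grants that rely on wildcards. The embedded template and its logical ids are constructed for illustration and do not reproduce the question's real synth output.

```typescript
// Shape of the parts of a CloudFormation template this check looks at.
type Statement = { Effect: string; Action: string | string[]; Resource: unknown };
type Template = {
  Resources: Record<string, { Type: string; Properties?: Record<string, any> }>;
};

// Constructed sample resembling what `cdk synth` emits for an AwsCustomResource that was
// granted lambda:InvokeFunction on one function (logical ids are illustrative, not real ones).
const sampleTemplate: Template = {
  Resources: {
    MyFunction: { Type: 'AWS::Lambda::Function' },
    MyCustomResourcePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        Roles: [{ Ref: 'CustomResourceProviderRole' }],
        PolicyDocument: {
          Statement: [{ Effect: 'Allow', Action: 'lambda:InvokeFunction',
                        Resource: { 'Fn::GetAtt': ['MyFunction', 'Arn'] } }],
        },
      },
    },
  },
};

interface InvokeGrant { policy: string; roles: string[]; wildcard: boolean }

const asList = <T>(v: T | T[]): T[] => (Array.isArray(v) ? v : [v]);

// A resource entry covers the function when it is Fn::GetAtt [<id>, Arn] or a bare '*'.
function covers(resource: unknown, functionId: string): boolean {
  if (resource === '*') return true;
  const getAtt = (resource as any)?.['Fn::GetAtt'];
  return Array.isArray(getAtt) && getAtt[0] === functionId && getAtt[1] === 'Arn';
}

// Every Allow statement letting some role invoke the function; `wildcard` marks a grant that
// depends on 'lambda:*' / '*' actions or a '*' resource, which is broader than least privilege.
function findInvokeGrants(template: Template, functionId: string): InvokeGrant[] {
  const grants: InvokeGrant[] = [];
  for (const [policyId, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::IAM::Policy') continue;
    for (const s of (res.Properties?.PolicyDocument?.Statement ?? []) as Statement[]) {
      if (s.Effect !== 'Allow') continue;
      const actions = asList(s.Action);
      const resources = asList(s.Resource);
      if (!actions.some(a => ['lambda:InvokeFunction', 'lambda:*', '*'].includes(a))) continue;
      if (!resources.some(r => covers(r, functionId))) continue;
      const roles = (res.Properties?.Roles ?? []).map((r: any) => r.Ref ?? String(r));
      grants.push({ policy: policyId, roles, wildcard: resources.includes('*') || actions.some(a => a.endsWith('*')) });
    }
  }
  return grants;
}
```

To run it against a real stack, parse `cdk.out/<StackName>.template.json` with `JSON.parse` and pass the function's logical id; an empty result means no synthesized policy grants the invoke, and a non-empty result tells you which role (not the deploying IAM user) actually holds it.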