Configure Lambda Deployment Permissions¶
Overview¶
This guide explains how to configure IAM permissions for GitHub Actions to deploy AWS Lambda functions. This was needed when adding the S3 Notifier Lambda deployment to the CI/CD pipeline.
Problem Context¶
The GitHub Actions deployment for the syrfAppUploadS3Notifier Lambda function failed with:

```text
AccessDeniedException: User arn:aws:iam::318789018510:user/github-actions-deployer
is not authorized to perform: lambda:UpdateFunctionCode
```
Root Cause: The IAM policy GitHubActions-Deploy-EmailIssueOps-Policy does grant lambda:UpdateFunctionCode, but the statement's Resource list names only the email-issueops functions, so IAM implicitly denies the same call on any other function. Every new Lambda function the pipeline deploys has to be added to that Resource list.
Prerequisites¶
- AWS CLI configured with appropriate credentials
- IAM permissions to update policies
- Policy ARN:
arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy
Solution Steps¶
1. Retrieve Current Policy¶
```bash
# Get the current default version ID (Policy.DefaultVersionId; v18 at the time of writing)
aws iam get-policy \
  --policy-arn arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy

# Get the policy document. Without --query the output is wrapped in
# {"PolicyVersion": {"Document": ...}}, which create-policy-version rejects
# as a malformed policy document, so extract the document itself.
aws iam get-policy-version \
  --policy-arn arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy \
  --version-id v18 \
  --query 'PolicyVersion.Document' \
  --output json \
  > current-policy.json
```
2. Update Policy Document¶
Copy current-policy.json to updated-policy.json and add the new function's ARN to the Resource array of the LambdaFunctionManagement statement. Use the exact function ARN, not a wildcard, and keep the file valid JSON (no comments), otherwise the next step fails with MalformedPolicyDocument. The statement's other actions are omitted below; the last Resource entry is the new one:

```json
{
  "Sid": "LambdaFunctionManagement",
  "Effect": "Allow",
  "Action": [
    "lambda:UpdateFunctionCode",
    "lambda:GetFunction",
    "lambda:PublishVersion"
  ],
  "Resource": [
    "arn:aws:lambda:eu-west-1:318789018510:function:email-issueops-stack-*",
    "arn:aws:lambda:eu-west-1:318789018510:function:EmailIssueOpsProcessor",
    "arn:aws:lambda:eu-west-1:318789018510:function:EmailIssueOpsMergeIssue",
    "arn:aws:lambda:eu-west-1:318789018510:function:syrfAppUploadS3Notifier"
  ]
}
```
3. Handle Version Limit (if needed)¶
A customer-managed IAM policy can have at most 5 versions, and create-policy-version fails with LimitExceeded once that many exist. The default version cannot be deleted, and a deleted version cannot be recovered, so delete the oldest non-default version:

```bash
# List all policy versions (IsDefaultVersion marks the one in use)
aws iam list-policy-versions \
  --policy-arn arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy

# Delete an old non-default version (example: v14)
aws iam delete-policy-version \
  --policy-arn arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy \
  --version-id v14
```
4. Create New Policy Version¶
```bash
# Create new version and set as default
aws iam create-policy-version \
  --policy-arn arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy \
  --policy-document file://updated-policy.json \
  --set-as-default
```
5. Verify Update¶
```bash
# Check that the default version is now the one just created (v19 after this change)
aws iam get-policy \
  --policy-arn arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy \
  --query 'Policy.DefaultVersionId'
```
Then fetch that version's document as in step 1 and confirm the new function ARN appears in the LambdaFunctionManagement Resource list.
6. Test Deployment¶
- Go to GitHub Actions: https://github.com/camaradesuk/syrf/actions
- Find the failed workflow run
- Click "Re-run failed jobs"
- Verify the deploy-lambda job succeeds
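The same procedure as a script, which is an added example and not part of the project's pipeline: it fetches the default version, adds the function ARN to the LambdaFunctionManagement statement (refusing wildcards and doing nothing if the ARN is already present), frees a slot if the 5-version limit is reached, publishes the new version as default, and then asks IAM through simulate-principal-policy whether the deployer is now allowed, which is cheaper than re-running the workflow to find out. The boto3 call names and keyword arguments are the real ones; the FakeIam class, the sample policy document and the version list are constructed so the script runs offline, and the fake does not model IAM wildcard matching.

```python
"""Add one Lambda function ARN to the deployer policy (steps 1-5) and pre-flight
the result with an IAM policy simulation before re-running the workflow."""
import json
import re

# Exact Lambda function ARN only: no '*', so the statement stays scoped to named functions.
FUNCTION_ARN_RE = re.compile(r"^arn:aws:lambda:[a-z0-9-]+:\d{12}:function:[A-Za-z0-9_-]+$")
MAX_POLICY_VERSIONS = 5  # IAM limit on versions of a customer-managed policy


def add_function_to_policy(document, function_arn, sid="LambdaFunctionManagement"):
    """Return (updated_document, changed). Idempotent; rejects wildcards;
    raises KeyError if the statement is missing."""
    if not FUNCTION_ARN_RE.match(function_arn):
        raise ValueError(f"not an exact Lambda function ARN: {function_arn}")
    doc = json.loads(json.dumps(document))  # deep copy; never mutate the caller's dict
    for stmt in doc["Statement"]:
        if stmt.get("Sid") != sid:
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):  # IAM allows a bare string; normalise to a list
            resources = [resources]
        if function_arn in resources:
            return doc, False
        stmt["Resource"] = resources + [function_arn]
        return doc, True
    raise KeyError(f"no statement with Sid {sid!r}")


def version_to_delete(versions):
    """From list_policy_versions()['Versions'], pick the oldest non-default VersionId
    when the limit is reached, else None. The default version can never be deleted."""
    if len(versions) < MAX_POLICY_VERSIONS:
        return None
    stale = [v for v in versions if not v["IsDefaultVersion"]]
    return min(stale, key=lambda v: v["CreateDate"])["VersionId"]


def grant_deploy_access(iam, policy_arn, function_arn, deployer_arn):
    """iam is boto3.client('iam') (or FakeIam below). Returns a summary of what was done."""
    default_id = iam.get_policy(PolicyArn=policy_arn)["Policy"]["DefaultVersionId"]
    current = iam.get_policy_version(PolicyArn=policy_arn, VersionId=default_id)
    document = current["PolicyVersion"]["Document"]  # boto3 hands back a decoded dict
    updated, changed = add_function_to_policy(document, function_arn)
    result = {"previous_version": default_id, "new_version": default_id,
              "changed": changed, "deleted": None}
    if changed:
        versions = iam.list_policy_versions(PolicyArn=policy_arn)["Versions"]
        result["deleted"] = version_to_delete(versions)
        if result["deleted"]:
            iam.delete_policy_version(PolicyArn=policy_arn, VersionId=result["deleted"])
        created = iam.create_policy_version(
            PolicyArn=policy_arn, PolicyDocument=json.dumps(updated), SetAsDefault=True)
        result["new_version"] = created["PolicyVersion"]["VersionId"]
    # Pre-flight: ask IAM itself whether the deployer may now update this function.
    sim = iam.simulate_principal_policy(
        PolicySourceArn=deployer_arn, ActionNames=["lambda:UpdateFunctionCode"],
        ResourceArns=[function_arn])
    result["decision"] = sim["EvaluationResults"][0]["EvalDecision"]
    return result


class FakeIam:
    """Constructed offline stand-in for boto3.client('iam'): same method names and
    keyword arguments as the real client for the calls used above, in-memory state,
    exact-match evaluation only (no wildcard matching)."""
    def __init__(self, document, versions):
        self.versions = json.loads(json.dumps(versions))
        self.docs = {v["VersionId"]: document for v in versions}

    def get_policy(self, PolicyArn):
        default = next(v for v in self.versions if v["IsDefaultVersion"])
        return {"Policy": {"DefaultVersionId": default["VersionId"]}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"Document": self.docs[VersionId]}}

    def list_policy_versions(self, PolicyArn):
        return {"Versions": list(self.versions)}

    def delete_policy_version(self, PolicyArn, VersionId):
        self.versions = [v for v in self.versions if v["VersionId"] != VersionId]
        del self.docs[VersionId]

    def create_policy_version(self, PolicyArn, PolicyDocument, SetAsDefault):
        new_id = "v%d" % (1 + max(int(v["VersionId"][1:]) for v in self.versions))
        for v in self.versions:
            v["IsDefaultVersion"] = False  # SetAsDefault=True is the only mode modelled
        self.versions.append({"VersionId": new_id, "IsDefaultVersion": True,
                              "CreateDate": "2025-11-15T00:00:00Z"})
        self.docs[new_id] = json.loads(PolicyDocument)
        return {"PolicyVersion": {"VersionId": new_id}}

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, ResourceArns):
        doc = self.docs[self.get_policy(PolicyArn=None)["Policy"]["DefaultVersionId"]]
        allowed = any(s["Effect"] == "Allow" and a in s["Action"] and r in s["Resource"]
                      for s in doc["Statement"] for a in ActionNames for r in ResourceArns)
        return {"EvaluationResults": [{"EvalDecision": "allowed" if allowed else "implicitDeny"}]}


POLICY_ARN = "arn:aws:iam::318789018510:policy/GitHubActions-Deploy-EmailIssueOps-Policy"
DEPLOYER_ARN = "arn:aws:iam::318789018510:user/github-actions-deployer"
NEW_FUNCTION = "arn:aws:lambda:eu-west-1:318789018510:function:syrfAppUploadS3Notifier"

# Constructed sample: the relevant statement and five existing versions (v14..v18, v18 default).
SAMPLE_DOCUMENT = {"Version": "2012-10-17", "Statement": [{
    "Sid": "LambdaFunctionManagement", "Effect": "Allow",
    "Action": ["lambda:UpdateFunctionCode", "lambda:GetFunction", "lambda:PublishVersion"],
    "Resource": ["arn:aws:lambda:eu-west-1:318789018510:function:email-issueops-stack-*",
                 "arn:aws:lambda:eu-west-1:318789018510:function:EmailIssueOpsProcessor"]}]}
SAMPLE_VERSIONS = [{"VersionId": f"v{n}", "IsDefaultVersion": n == 18,
                    "CreateDate": f"2025-10-{n:02d}T00:00:00Z"} for n in range(14, 19)]


def demo():
    """Run against the constructed data; pass boto3.client('iam') instead for real use."""
    return grant_deploy_access(FakeIam(SAMPLE_DOCUMENT, SAMPLE_VERSIONS),
                               POLICY_ARN, NEW_FUNCTION, DEPLOYER_ARN)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against the sample data the run deletes v14, publishes v19 as default and reports the simulated decision as "allowed"; a second run reports no change. For real use, replace FakeIam with boto3.client("iam") under credentials that hold the IAM permissions listed under Prerequisites plus iam:SimulatePrincipalPolicy.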
Applied Updates¶
Date: 2025-11-15
Action: Added syrfAppUploadS3Notifier Lambda function to policy
Policy Version: v19 (current)
Status: ✅ Applied and tested
Security Best Practices¶
- Least Privilege: Add the exact ARN of each new Lambda function, not a wildcard. lambda:UpdateFunctionCode on a function lets the holder of the github-actions-deployer credentials run arbitrary code under that function's execution role, so the Resource list is what bounds the blast radius of a leaked key. The existing email-issueops-stack-* prefix entry is the only pattern in the list; do not widen it.
- Version Management: The service limit is 5 versions per managed policy. Delete the oldest non-default version before creating a new one, and never delete a version you may want to roll back to.
- Audit Trail: Record every policy change with date, version number and reason (see Applied Updates above).
- Testing: After each policy update, re-run the failed workflow and confirm the deploy job succeeds.
- Credentials: The deployer is an IAM user with long-lived access keys stored as repository secrets. Prefer GitHub Actions OIDC federation into an IAM role so that no static keys exist to leak.
Troubleshooting¶
AccessDeniedException for New Functions¶
Symptom: GitHub Actions fails with AccessDeniedException for a new Lambda function
Solution: Add the function ARN to the LambdaFunctionManagement Resource array
LimitExceeded Error¶
Symptom: create-policy-version fails with LimitExceeded ("A managed policy can have up to 5 versions")
Solution: Delete an old non-default version as in Step 3 above, then create the new version again
Related Documentation¶
- CI/CD Workflow - Main deployment pipeline
- AWS IAM Best Practices