How do I troubleshoot "permission denied" or "unable to import module" errors when uploading a Lambda deployment package?

4 minute read

When I try to upload my AWS Lambda deployment package, I get either a permission denied or unable to import module error. How do I resolve these errors?

Short description

Lambda requires global read permissions on code files and any dependent libraries in your deployment package. If your Lambda deployment package isn't configured with the correct security permissions, then Lambda returns an error when you try to upload the file. These permission denied and unable to import module errors most commonly occur when deployment packages are created by continuous integration applications.

The correct permissions for all executable files within a Lambda deployment package is 644 in Unix permissions numeric notation. For folders within a deployment package, the correct permissions setting is 755.

Note: Because Lambda uses POSIX permissions, it's a best practice to use a POSIX-compliant operating system when building Lambda deployment packages. For example: Linux, Unix, or macOS. Parity between the permissions model in your build environment and Lambda's runtime environment reduces the chance of permissions issues.

If you use Windows for development and need to fix a permissions issue, you can set up a Linux environment by doing either of the following:


Confirm which file or folder is the cause of the error

Depending on the programing language used to write your Lambda function code, the cause of the error might not be clear in the error message.

For example, a Node.js function error message lists the name of the file or folder that's the source of the error. However, a Python function error message doesn't list the name of the file or folder that's the source of the error.

Node.js Lambda function permission denied error example

  "errorMessage": "EACCES: permission denied, open '/var/task/index.js'",
  "errorType": "Error",
  "stackTrace": [
    "Object.fs.openSync (fs.js:641:18)",
    "Object.fs.readFileSync (fs.js:509:33)",
    "Object.Module._extensions..js (module.js:578:20)",
    "Module.load (module.js:487:32)",
    "tryModuleLoad (module.js:446:12)",
    "Function.Module._load (module.js:438:3)",
    "Module.require (module.js:497:17)",
    "require (internal/module.js:20:19)"

Python Lambda function unable to import module error example

Unable to import module 'index': No module named index

Python Lambda function unable to import module error for external libraries that are missing required permissions example

Unable to import module 'index': No module named requests

To check the permissions for all the files and folders within the deployment package .zip file, run the following zipinfo command in your command line interface (CLI):
Important: Replace with your deployment package .zip file name.


Zipinfo command response example

Zip file size: 305 bytes, number of entries: 1
-r--------  3.0 unx      188 tx defN 21-Feb-13 20:48
1 file, 188 bytes uncompressed, 135 bytes compressed:  28.2%

Note: In this example, the permissions of is -r--------, or 400 in Unix permissions numeric notation, so the permissions for the file need to be updated to 644.

Update the permissions for your deployment package

Note: The following commands work for Linux, Unix, and macOS operating systems only.

1.    To unpack the files and folders inside your deployment package to a temporary folder, run the following command in your CLI:
Important: Replace with the file name of your deployment package. Replace temp-folder with whatever name you'd like to give the new temporary folder.

mkdir temp-folder; unzip -d temp-folder ;cd temp-folder;ls -l

2.    Update the permissions of the library's files.

Note: To make all files and folders in the current directory readable by any user, run the following chmod command:

$ chmod 644 $(find /tmp/package_contents -type f)
$ chmod 755 $(find /tmp/package_contents -type d)

3.    After fixing the permissions, repackage the files and folder into a new .zip file by running the following command:

zip -r *

4.     Upload the new deployment package.

Related information

Getting started with Lambda

AWS OFFICIALUpdated 2 years ago