Can't remove a trigger from a lambda function as a root

So I'm logged into the console as a root user, and I can't remove an EventBridge trigger I added as a root user:

Unable to determine service/operation name to be authorized

Well, I'm kinda root, I guess I have all the rights, no?

Ok, I went to EventBridge and deleted the trigger itself. Now in the lambda configuration I see this trigger with a label “The rule could not be found.” And I still can't delete this trigger from the lambda, so now it's linked to a deleted trigger.

From CloudTrail:

{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "Root",
        "principalId": "...",
        "arn": "arn:aws:iam::...:root",
        "accountId": "...",
        "accessKeyId": "...",
        "sessionContext": {
            "attributes": {
                "creationDate": "2025-04-21T22:26:14Z",
                "mfaAuthenticated": "true"
            }
        },
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-04-21T23:39:57Z",
    "eventSource": "lambda.amazonaws.com",
    "eventName": "PutResourcePolicy",
    "awsRegion": "eu-north-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "errorCode": "AccessDenied",
    "errorMessage": "Unable to determine service/operation name to be authorized",
    "requestParameters": null,
    "responseElements": null,
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "...",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "true"
}

Which permissions I should add to the root user using the management panel, and how exactly that should be done, is beyond my comprehension. As is why I can do anything with a lambda, just not remove the trigger.

Edit: tried to use Terraform to add/remove the EventBridge trigger:

 Error: deleting EventBridge Target (5minutesbefore-lambda-target): operation error EventBridge: RemoveTargets, https response error StatusCode: 400, RequestID: 85c1e502-f153-482a-ab0c-beec5aca1061, api error AccessDeniedException: User: arn:aws:iam::***:user/*-deployer is not authorized to perform: events:RemoveTargets on resource: arn:aws:events:eu-north-1:***:rule/5minutesbefore because no identity-based policy allows the events:RemoveTargets action

Yeah, sure he doesn't. Like it can create, list, whatever, but not RemoveTargets, no sir, it's literally not authorized for that.

    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": [
            "events:DeleteRule",
            "events:PutRule",
            "events:ListRules",
            "events:DescribeRule",
            "events:ListTagsForResource",
            "events:PutTargets",
            "events:ListTargetsByRule",
            "events:RemoveTargets"
        ],
        "Resource": [
            "arn:aws:events:*:*:rule/*"
        ]
    },

aws lambda get-function --function-name processor --region eu-north-1 --profile deployer --query 'Configuration.EventInvokeConfig'

gives null

aws lambda list-event-source-mappings --function-name processor --region eu-north-1 --profile deployer

gives

{
    "EventSourceMappings": []
}
2 Answers

Accepted Answer

Being a root user doesn't bypass the need for proper service-to-service permissions in AWS. Even as root, you still need:

  1. The Lambda function to trust EventBridge (resource-based policy)
  2. EventBridge to have permission to invoke Lambda

Try this as root:

# Check if the Lambda has a resource-based policy
aws lambda get-policy --function-name processor --region eu-north-1

# If found, remove it:
aws lambda remove-permission --function-name processor --statement-id <id> --region eu-north-1

# Then grant fresh permission:
aws lambda add-permission \
    --function-name processor \
    --action lambda:InvokeFunction \
    --principal events.amazonaws.com \
    --statement-id EventBridgeInvoke \
    --region eu-north-1

This is because AWS service-to-service permissions work through explicit trust relationships, regardless of the user making the request - even root. It's a security feature, not a bug.

If you're still getting denied after this, there might be a service issue and AWS Support would be the next step.

answered a month ago by AWS (EXPERT); reviewed a month ago
  • Thanks, it worked, the trigger is gone. The reason I asked this question is that I have other lambdas where I can add/remove triggers just fine, but I had the problem with this particular lambda. Maybe the reason for the issue is that the other lambdas were created by root, and that one was created by the deployer. I don't know.
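The check the accepted answer walks through (read the function's resource-based policy, find the statement that trusts the EventBridge rule, remove the stale one) as an added Python example; this is not code from the question or from either answer. It goes one step further than the answer by comparing each statement's SourceArn against the rules that actually exist, so the orphaned "The rule could not be found" grant is picked out automatically, and it also lists statements that trust events.amazonaws.com with no SourceArn at all. The function name "processor" and the rule "5minutesbefore" come from the question; the account id, the "nightly" rule and the API Gateway statement in the sample policy are constructed, and the live run assumes boto3 and credentials for the default event bus.

```python
import json

# Constructed sample of the "Policy" document `aws lambda get-policy` returns for
# the function in the question ("processor"); the account id, the "nightly" rule
# and the API Gateway statement are made up for this example.
FUNCTION_ARN = "arn:aws:lambda:eu-north-1:111122223333:function:processor"
RULE_PREFIX = "arn:aws:events:eu-north-1:111122223333:rule/"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSEvents_5minutesbefore", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "events.amazonaws.com"}, "Resource": FUNCTION_ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn": RULE_PREFIX + "5minutesbefore"}}},
    {"Sid": "AWSEvents_nightly", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "events.amazonaws.com"}, "Resource": FUNCTION_ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn": RULE_PREFIX + "nightly"}}},
    {"Sid": "ApiGatewayInvoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "apigateway.amazonaws.com"}, "Resource": FUNCTION_ARN},
]})

def eventbridge_grants(policy_json):
    """Map Sid -> rule ARN for each Allow statement letting events.amazonaws.com
    invoke the function; the ARN is None when there is no SourceArn condition
    (then any EventBridge rule in any account may invoke it)."""
    grants = {}
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if stmt.get("Effect") != "Allow" or "events.amazonaws.com" not in services:
            continue
        source_arn = None
        for operator in stmt.get("Condition", {}).values():  # e.g. {"ArnLike": {...}}
            for key, value in operator.items():
                if key.lower() == "aws:sourcearn":  # the console writes "AWS:SourceArn"
                    source_arn = value
        grants[stmt["Sid"]] = source_arn
    return grants

def stale_grants(policy_json, existing_rule_arns):
    """Sids to remove: rule no longer exists (the orphaned trigger) or unscoped."""
    return sorted(sid for sid, arn in eventbridge_grants(policy_json).items()
                  if arn not in existing_rule_arns)

if __name__ == "__main__":  # live run on the default event bus; needs boto3 + creds
    import boto3
    lam, ev = boto3.client("lambda"), boto3.client("events")
    policy = lam.get_policy(FunctionName="processor")["Policy"]
    live = {r["Arn"] for r in ev.list_rules()["Rules"]}  # first page only
    for sid in stale_grants(policy, live):
        lam.remove_permission(FunctionName="processor", StatementId=sid)
```

Rules on a custom event bus have a different ARN shape (rule/bus-name/rule-name) and are listed with `list_rules(EventBusName=...)`, so run the comparison per bus if the function is wired to more than the default one.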

The situation you're experiencing is unusual and not expected behavior for a root user, who typically has full access to all AWS services and operations. However, there are a few things to consider and potential steps to resolve this issue:

  1. Even as a root user, you may encounter issues if there are service-linked roles or resource-based policies involved that are causing conflicts.

  2. The error message "Unable to determine service/operation name to be authorized" suggests there might be an issue with the AWS service trying to determine the correct permissions for the operation.

  3. Deleting the EventBridge rule from the EventBridge console was a good step. However, the Lambda function is still showing the non-existent trigger because the association wasn't properly removed.

To resolve this issue, try the following steps:

  1. Refresh the Lambda console page to see if the trigger disappears on its own after some time.

  2. If the trigger still appears, try updating the Lambda function configuration (e.g., change a setting and save it) to force a refresh of the function's metadata.

  3. If the issue persists, you may need to use the AWS CLI or AWS SDK to remove the event source mapping. You can list the event source mappings for your function and then delete the specific mapping for the deleted EventBridge rule.

  4. As a last resort, you could consider recreating the EventBridge rule, re-associating it with the Lambda function, and then properly removing it through the Lambda console.

If none of these steps work, it would be advisable to contact AWS Support, as this behavior is not normal for a root user and may indicate a deeper issue with your account or the AWS services in your region.

Remember that it's generally recommended to use IAM users with appropriate permissions rather than the root user for day-to-day operations, even for administrative tasks. This allows for better security control and auditing of actions taken on your AWS account.
Sources
See who invoked my Lambda function | AWS re:Post
Disabling or deleting a rule in Amazon EventBridge - Amazon EventBridge
Logging Amazon EventBridge API calls using AWS CloudTrail - Amazon EventBridge

answered a month ago
