WAF list_web_acls works with CLI but returns empty array with Boto3 inside lambda

Question

I have some WebACLs in WAF that I want to list from a Lambda function.
(I have the Regional WebACL in eu-central-1)

**My lambda handler:**
```
def lambda_handler(event, context):    
    waf_client = boto3.client(
        "wafv2",
        aws_access_key_id="SOME_ACCESS_KEY_ID",
        aws_secret_access_key="SOME_SECRET_ACCESS_KEY",
        region_name="eu-central-1"
    )
    
    return waf_client.list_web_acls(Scope="REGIONAL")
```

**Lambda Result:**
```
{
  "WebACLs": [],
  "ResponseMetadata": {...}
}
```

---

**CLI command that works:** ` aws wafv2 list-web-acls --scope=REGIONAL --region=eu-central-1`

**Result:**
```
{
    "NextMarker": "something",
    "WebACLs": [
        {
            "Name": "something",
            "Id": "hash1",
            "Description": "",
            "LockToken": "hash2",
            "ARN": "arn:aws:wafv2:eu-central-1:accountid:regional/webacl/something/hash1"
        }
    ]
}

```

---

Am I missing something here or the Boto3 WAF client is not behaving as expected?

Accepted Answer

I can't see a good reason why that doesn't work. Unless the account details you're using at the CLI aren't the same as in the Lambda function. You can use `aws sts get-caller-identity` and the equivalent boto3 call to confirm.

Note that you don't have to supply credentials within a Lambda function - it's much better practice to create a role which has the right permissions for that Lambda function specifically so that you don't have hard-coded credentials. If you're making cross-account calls then you can do that too.

WAF list_web_acls works with CLI but returns empty array with Boto3 inside lambda

Relevant content