Cloudformation I want to add a policy that allows my Lamda to be invoked by the API gateway But I keep getting Error

Question

Below id My Policy I keep getting errors pls help me with a solution and sample code.

Error

`
```
Has prohibited field Resource (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 10ec173a-9ca9-4b82-85f9-4b7f17cc148a; Proxy: null)
```
`

My Template
```
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'LambdaExecutionRole-${AppId}'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: ['sts:AssumeRole']
      Policies:
      # Policy:  [DynamoDB Policy]
      - PolicyName: DynamoDBAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:BatchGetItem
            - dynamodb:BatchWriteItem
            - dynamodb:DescribeTable
            Resource: "*"
          - Effect: Allow
            Action:
            - dynamodb:ListStreams
            - dynamodb:DescribeStream
            - dynamodb:GetRecords
            - dynamodb:GetShardIterator
            Resource: "*"
            # Resource: "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME/stream/*"
      # Policy:  [SQS Policy]
      - PolicyName: SQSAccessPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - sqs:ReceiveMessage
            - sqs:DeleteMessage
            Resource: "*"
      # Policy:  [APIGateway Lambda Invocation Policy]
      - PolicyName: APIGatewayLambdaInvocationPolicy
        PolicyDocument:
          Version: "2012-10-17"
          # Statement:  []
          Statement:
          - Effect: Allow
            Action:
            - lambda:InvokeFunction
            Resource: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${LambdaAppId}-*
            Principal:
              Service: apigateway.amazonaws.com
```

Accepted Answer

Hi,

Based on your template, it seems you are trying to add resource policy to lambda function. You should be doing something like this:

rLambdaInvokePermission:
           Type: 'AWS::Lambda::Permission'
           Properties:
                     FunctionName: 
                     Action: 'lambda:InvokeFunction'
                    Principal: apigateway.amazonaws.com
                    SourceArn:

Identity based policy document shouldn't contain principal. Resource based policy should have principal in it but identity based policy would error out if principal would be mentioned. You are trying to create resource based policy but formatted in identity based format.

Take look at [AWS Resource Lambda Permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html).

Refer [IAM Access Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) for more example/syntax for IAM policies. Also, take a look at this [re:Post Knowledge Center Article](https://repost.aws/knowledge-center/iam-principal-policy), which exactly talks about this.

Hope it helps.

Comment here if you have additional questions, happy to help.

Abhishek

Cloudformation I want to add a policy that allows my Lamda to be invoked by the API gateway But I keep getting Error

Relevant content