Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function?

Last updated: 2020-10-06

I'm trying to create an Amazon Simple Storage Service (Amazon S3) event notification to trigger my AWS Lambda function. Why am I getting the error "Unable to validate the following destination configurations. Not authorized to invoke function"?

Short description

Generally, this error means that your S3 bucket doesn't have the permission to invoke a Lambda function. The required permissions are automatically added to a resource-based policy for your function when you use the Amazon S3 console to configure an event notification for Lambda or add a trigger to your function from the Lambda console.

The error can occur when:

  • A Lambda function's resource-based policy is deleted or removed, and you try to save changes to an Amazon S3 event notification for that function.
  • An S3 bucket has an existing event notification for a Lambda function that doesn't have the required permissions in its resource-based policy, and you try to save a new event notification in that S3 bucket.
  • A new Amazon S3 event notification is added from an AWS SDK, the AWS Command Line Interface (AWS CLI), or an AWS CloudFormation stack, and the function's resource-based policy doesn't have the required permissions.

Note: If you fix the permissions and Amazon S3 event notifications still don't trigger your Lambda function, see Why doesn't my Amazon S3 event notification trigger my Lambda function?

Resolution

Do either of the following:

Recreate the event notification

Delete the event notification from the Amazon S3 console, and then add the notification again. This adds the appropriate permissions to your Lambda function's resource-based policy.

Add permissions using the AWS CLI

Use the Lambda AddPermission API to add the appropriate invoke permissions to your Lambda function's resource-based policy. Run this command from the AWS CLI:

$ aws lambda add-permission --function-name myLambdaFunction --principal s3.amazonaws.com \
--statement-id S3StatementId --action "lambda:InvokeFunction" \
--source-arn arn:aws:s3:::myS3Bucket \
--source-account accountId

Note: Replace myLambdaFunction with the name of your Lambda function. Replace S3StatementId with a unique value to differentiate the statement from others in the same policy. Replace arn:aws:s3:::myS3Bucket with the Amazon Resource Name (ARN) of your S3 bucket. Replace accountId with your AWS account ID.
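To confirm the permission is actually in place before saving the notification (or to diagnose the second case above, where an existing statement is scoped to a different bucket), the following added example, which is not part of the AWS article, parses the output of `aws lambda get-policy --function-name myLambdaFunction` and checks whether a statement equivalent to the one `add-permission` creates is present. The get-policy response, bucket ARN and account ID are constructed sample values.

```python
import fnmatch
import json

# Constructed sample of what `aws lambda get-policy --function-name myLambdaFunction`
# returns: the resource-based policy is itself a JSON string inside the JSON response.
SAMPLE_GET_POLICY = json.dumps({"Policy": json.dumps({"Statement": [{
    "Sid": "S3StatementId",
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:myLambdaFunction",
    "Condition": {
        "StringEquals": {"AWS:SourceAccount": "123456789012"},
        "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::myS3Bucket"},
    },
}]})})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def statement_allows_s3(stmt, bucket_arn, account_id):
    """True if this statement lets s3.amazonaws.com invoke on behalf of bucket/account."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else _as_list(principal)
    if "s3.amazonaws.com" not in services and "*" not in services:
        return False
    if not any(fnmatch.fnmatchcase("lambda:InvokeFunction", a) for a in _as_list(stmt.get("Action"))):
        return False
    cond = stmt.get("Condition", {})
    # `add-permission --source-arn` is stored as ArnLike on AWS:SourceArn (any listed
    # value may match), so a statement scoped to a different bucket does not count.
    patterns = _as_list(cond.get("ArnLike", {}).get("AWS:SourceArn"))
    if patterns and not any(fnmatch.fnmatchcase(bucket_arn, p) for p in patterns):
        return False
    # `--source-account` is stored as StringEquals on AWS:SourceAccount.
    accounts = _as_list(cond.get("StringEquals", {}).get("AWS:SourceAccount"))
    return not accounts or account_id in accounts


def s3_can_invoke(get_policy_output, bucket_arn, account_id):
    """Evaluate a get-policy response; False means saving the notification will fail."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    return any(statement_allows_s3(s, bucket_arn, account_id) for s in _as_list(policy.get("Statement")))
```

Run it against the real `get-policy` output for your function; a `False` result for your bucket ARN and account ID is exactly the condition that produces the "Not authorized to invoke function" error.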

Important: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

For more information, see Configure Amazon S3 to publish events and Granting function access to AWS services.