Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to invoke my Lambda function?

Last updated: 2021-12-09

When I try to create an Amazon Simple Storage Service (Amazon S3) event notification to invoke my AWS Lambda function, I get the following error: "Unable to validate the following destination configurations. Not authorized to invoke function". Why am I getting this error and how do I resolve the issue?

Short description

If your Amazon S3 bucket doesn't have the permissions required to invoke your Lambda function, then Lambda returns the following error:

"Unable to validate the following destination configurations. Not authorized to invoke function"

Note: The required permissions are automatically added to a resource-based policy for your function when you do either of the following:

Common reasons why this error can occur

  • A Lambda function's resource-based policy is deleted or removed and the changes are saved to an Amazon S3 event notification for that function.
  • An S3 bucket has an event notification for a Lambda function that lacks the required permissions, and another event notification is saved in the bucket.
  • A new Amazon S3 event notification is added from any of the following, and the function's resource-based policy doesn't have the required permissions:
      • AWS SDK
      • AWS Command Line Reference (AWS CLI)
      • AWS CloudFormation stack

Note: If you update the permissions and your function still doesn't invoke, see Why doesn't my Amazon S3 event notification invoke my Lambda function?

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Do either of the following.

Recreate the event notification

Delete the event notification from the Amazon S3 console. Then, add the notification again.

Note: Recreating the event notification in the Amazon S3 console adds the appropriate permissions to your Lambda function's resource-based policy.

Add the required permissions to your Lambda function's resource-based policy using the AWS CLI

Use the Lambda AddPermission API to add the required invoke permissions to your Lambda function's resource-based policy. To commit the change, run the following AWS CLI command:

Important: Replace myLambdaFunction with your Lambda function's name. Replace S3StatementId with a unique value to differentiate the statement from others in the same policy. Replace arn:aws:s3:::myS3Bucket with your S3 bucket's Amazon Resource Name (ARN). Replace accountId with your AWS account ID.

$ aws lambda add-permission --function-name myLambdaFunction --principal s3.amazonaws.com \
--statement-id S3StatementId --action "lambda:InvokeFunction" \
--source-arn arn:aws:s3:::myS3Bucket \
--source-account accountId
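
To confirm the statement is in place before saving the event notification again, the following added example (not part of the original article) checks a function's resource-based policy for an Allow statement that matches the add-permission command above. It assumes the policy text is the JSON string that `aws lambda get-policy` returns in its Policy field; the function name `check_s3_invoke_permission`, the account ID 111122223333, the Region and the sample policy are constructed for illustration.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(statement, key):
    """Values for a condition key under any operator (key names are case-insensitive)."""
    return [v
            for operands in statement.get("Condition", {}).values()
            for name, value in operands.items() if name.lower() == key.lower()
            for v in _as_list(value)]

def check_s3_invoke_permission(policy_json, bucket_arn, account_id):
    """Return a list of problems; an empty list means a statement equivalent to
    the one created by the add-permission command is present."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    problems, seen_s3_allow = [], False
    for st in statements:
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow" or "s3.amazonaws.com" not in services
                or "lambda:InvokeFunction" not in _as_list(st.get("Action", []))):
            continue
        seen_s3_allow = True
        issues = []
        # Assumption: exact string comparison; wildcard ArnLike patterns are not evaluated.
        if bucket_arn not in _condition_values(st, "AWS:SourceArn"):
            issues.append("AWS:SourceArn does not name " + bucket_arn)
        if account_id not in _condition_values(st, "AWS:SourceAccount"):
            issues.append("AWS:SourceAccount does not name " + account_id)
        if not issues:
            return []
        problems += ["%s: %s" % (st.get("Sid", "<no Sid>"), i) for i in issues]
    if not seen_s3_allow:
        return ["no Allow statement lets s3.amazonaws.com call lambda:InvokeFunction"]
    return problems

# Constructed sample of the policy document that the command above would produce.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [{
        "Sid": "S3StatementId", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:myLambdaFunction",
        "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                      "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::myS3Bucket"}}}]})

if __name__ == "__main__":
    print(check_s3_invoke_permission(SAMPLE_POLICY, "arn:aws:s3:::myS3Bucket", "111122223333"))
```

A non-empty result names the statement ID and the condition that does not match, which is the value to correct with add-permission.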