Why do I get the error "Unable to validate the following destination configurations" when creating an Amazon S3 event notification to trigger my Lambda function?
Last updated: 2020-10-06
I'm trying to create an Amazon Simple Storage Service (Amazon S3) event notification to trigger my AWS Lambda function. Why am I getting the error "Unable to validate the following destination configurations. Not authorized to invoke function"?
Generally, this error means that your S3 bucket doesn't have the permission to invoke a Lambda function. The required permissions are automatically added to a resource-based policy for your function when you use the Amazon S3 console to configure an event notification for Lambda or add a trigger to your function from the Lambda console.
The error can occur when:
- A Lambda function's resource-based policy is deleted or removed, and you try to save changes to an Amazon S3 event notification for that function.
- An S3 bucket has an existing event notification for a Lambda function that doesn't have the required permissions in its resource-based policy, and you try to save a new event notification in that S3 bucket.
- A new Amazon S3 event notification is added from an AWS SDK, the AWS Command Line Interface (AWS CLI), or an AWS CloudFormation stack, and the function's resource-based policy doesn't have the required permissions.
Note: If you fix the permissions and Amazon S3 event notifications still don't trigger your Lambda function, see Why doesn't my Amazon S3 event notification trigger my Lambda function?
Do either of the following:
Recreate the event notification
Add permissions using the AWS CLI
$ aws lambda add-permission --function-name myLambdaFunction --principal s3.amazonaws.com \
    --statement-id S3StatementId --action "lambda:InvokeFunction" \
    --source-arn arn:aws:s3:::myS3Bucket \
    --source-account accountId
Note: Replace myLambdaFunction with the name of your Lambda function. Replace S3StatementId with a unique value to differentiate the statement from others in the same policy. Replace arn:aws:s3:::myS3Bucket with the Amazon Resource Name (ARN) of your S3 bucket. Replace accountId with your AWS account ID.
Important: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
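To confirm that the permission is in place and scoped the way the add-permission command above intends, you can inspect the function's resource-based policy (the Policy string returned by aws lambda get-policy). The following check is an added example, not part of the original article; the function names, account ID, and Region in the sample are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the Policy string from `aws lambda get-policy` after the
# add-permission command above (account ID and Region are made up).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [{
    "Sid": "S3StatementId", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:myLambdaFunction",
    "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                  "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::myS3Bucket"}}}]})

def _condition(stmt, operator, key):
    """Fetch one condition value; operators and keys are matched case-insensitively."""
    for op, pairs in stmt.get("Condition", {}).items():
        if op.lower() == operator.lower():
            for name, value in pairs.items():
                if name.lower() == key.lower():
                    return value
    return None

def check_s3_invoke_permission(policy_json, bucket_arn, account_id):
    """Return 'ok', 'unscoped' or 'missing' for the S3 -> Lambda invoke permission.

    Assumes single string condition values, as add-permission writes them.
    """
    result = "missing"
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        service = principal.get("Service") if isinstance(principal, dict) else None
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or service != "s3.amazonaws.com":
            continue
        if not {"lambda:InvokeFunction", "lambda:*", "*"} & set(actions):
            continue
        src_arn = _condition(stmt, "ArnLike", "aws:SourceArn")
        if src_arn is not None and not fnmatchcase(bucket_arn, src_arn):
            continue  # statement is for a different bucket
        src_account = _condition(stmt, "StringEquals", "aws:SourceAccount")
        if src_account is not None and src_account != account_id:
            continue  # statement is for a bucket owned by another account
        if src_arn == bucket_arn and src_account == account_id:
            return "ok"  # pinned to this bucket and this account
        result = "unscoped"  # S3 may invoke, but a condition is absent or too broad
    return result

if __name__ == "__main__":
    print(check_s3_invoke_permission(SAMPLE_POLICY, "arn:aws:s3:::myS3Bucket", "111122223333"))
```

A result of "missing" corresponds to the "Not authorized to invoke function" error; "unscoped" means the notification will validate, but the statement lacks the bucket or account condition that --source-arn and --source-account add.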