sam local invoke executes with AWS CLI profile instead of provided IAM role
Description:
A developer on our sam project attempted to build and locally invoke a Function resource. The (Python 3.8) function in question calls list_users. Her IAM user role does not have the appropriate permissions; however, the ARN of a role that does was provided in the function’s Role in the project’s template.yaml. This role has been used in other functions and seems to be correctly associated with them on deployment.
Her local invocation failed, however, with the following error:
An error occurred (AccessDeniedException) when calling the ListUsers operation: User: [her IAM user ARN] is not authorized to perform: cognito-idp:ListUsers on resource: [the user pool ARN]
Steps to reproduce:
Using the IAM console, create an IAM role with the appropriate permissions for a Lambda function to assume it and to call list_users on a user pool. Create an IAM user without those permissions.
Sign into the AWS CLI as the IAM user without list_users.
Add a function to a sam project and pass the ARN of the list_users role as its Role parameter.
sam build and sam local invoke that function.
Observed result:
AccessDeniedException
Expected result:
The function should execute with the provided role
Additional environment details (Ex: Windows, Mac, Amazon Linux etc)
- OS: OS X Big Sur version 11.1
- sam --version: 1.23.0
- AWS region: us-east-1
I am aware that it’s not the best practice to grant developers the ability to assume permissions through Lambda functions that they wouldn’t be granted normally. In this case, I am not concerned with the scope of access but concerned that a more-permissive IAM user role might let a function with a restrictive IAM role work locally but hit AccessDeniedException on deployment.
@AbeGellis
Could you please try the following solution? It seems there is no need to introduce any change in sam but aws config.
Reference: Specifies the Amazon Resource Name (ARN) of an IAM role that you want to use to perform operations requested using this profile.
Closing it as the solution cannot be provided now in a form of fix.
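The maintainer's suggestion above relies on the AWS CLI `role_arn` profile setting: `sam local invoke` runs the handler with whatever credentials the selected profile resolves to, not with the template's `Role`, so a developer whose own user is more permissive than the function's role will never see the AccessDeniedException locally. The following pre-invoke check is an added example, not code from the issue or from the SAM project; it parses an AWS CLI config file and confirms that the chosen profile assumes the same role ARN that template.yaml assigns. The config contents, the profile names and the role ARN are constructed sample values, and the template role is passed in as a string rather than parsed out of template.yaml.

```python
"""Pre-invoke check: does the AWS CLI profile used for `sam local invoke`
assume the role that template.yaml gives the function?

Assumptions (constructed for this example, not taken from the issue):
- the profile names and ARNs below are sample values;
- the template's Role ARN is supplied as a string (reading template.yaml
  is left out to keep the example dependency-free).
"""
import configparser

# Constructed sample ~/.aws/config. "dev-user" is a plain user profile;
# "dev-as-lambda" assumes the function's role via role_arn/source_profile.
SAMPLE_AWS_CONFIG = """
[default]
region = us-east-1

[profile dev-user]
region = us-east-1

[profile dev-as-lambda]
role_arn = arn:aws:iam::123456789012:role/ExampleListUsersRole
source_profile = dev-user
region = us-east-1
"""

# Role ARN the template assigns to the function (sample value).
TEMPLATE_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleListUsersRole"


def load_aws_config(text: str) -> configparser.ConfigParser:
    """Parse AWS CLI config text (INI format) into a ConfigParser."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def profile_section(profile: str) -> str:
    """AWS CLI config names every profile except 'default' as '[profile NAME]'."""
    return "default" if profile == "default" else f"profile {profile}"


def profile_role_arn(cp: configparser.ConfigParser, profile: str):
    """Return the profile's role_arn, or None if the profile has none."""
    section = profile_section(profile)
    if not cp.has_section(section):
        raise KeyError(f"profile {profile!r} not found in AWS config")
    return cp.get(section, "role_arn", fallback=None)


def check_profile_matches_template(cp, profile: str, template_role_arn: str):
    """Return (ok, reason) describing whether local invocation will run under
    the same role that deployment will use."""
    role = profile_role_arn(cp, profile)
    if role is None:
        return False, (f"profile {profile!r} has no role_arn; sam local invoke "
                       "would run with that profile's own credentials, not the template Role")
    if role != template_role_arn:
        return False, f"profile role_arn {role} differs from template Role {template_role_arn}"
    return True, f"profile {profile!r} assumes the template Role via role_arn"


def sam_local_invoke_args(function_name: str, profile: str):
    """Command line to run once the check passes (--profile is a real sam option)."""
    return ["sam", "local", "invoke", function_name, "--profile", profile]


if __name__ == "__main__":
    cp = load_aws_config(SAMPLE_AWS_CONFIG)
    for profile in ("dev-user", "dev-as-lambda"):
        ok, reason = check_profile_matches_template(cp, profile, TEMPLATE_ROLE_ARN)
        print("OK  " if ok else "WARN", reason)
        if ok:
            print("would run:", " ".join(sam_local_invoke_args("ListUsersFunction", profile)))
```

Run against the sample config, the `dev-user` profile is flagged (no `role_arn`, so the handler would inherit the developer's own permissions) while `dev-as-lambda` passes, and the script prints the `sam local invoke ... --profile dev-as-lambda` command to use. The point of failing closed on a missing `role_arn` is the concern raised in the issue: a permissive developer profile can make a function appear to work locally and then fail with AccessDeniedException once deployed under its real role.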