75

I am trying to deploy to Lambda@Edge within AWS, but when I click on 'Deploy' I get this error message:

Correct the errors below and try again.

Your function's execution role must be assumable by the edgelambda.amazonaws.com service principal.


Ermiya Eskandary
dagda1
  • The screenshot above has been clipped to omit the text at the bottom which currently states "Lambda will add the necessary permissions for Amazon CloudFront to invoke your Lambda function from this trigger." - this statement is NOT correct. – symcbean May 31 '23 at 13:06

3 Answers

136

From the Lambda@Edge IAM Role documentation:

You must create an IAM role that can be assumed by the service principals lambda.amazonaws.com and edgelambda.amazonaws.com. This role is assumed by the service principals when they execute your function. For more information, see Creating the Roles and Attaching the Policies (Console) in the topic "AWS Managed Policies for Job Functions" in the IAM User Guide.

You add this role under the Trust Relationship tab in IAM (do not add it under the Permissions tab).

Here's an example role trust policy:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "Service": [
               "lambda.amazonaws.com",
               "edgelambda.amazonaws.com"
            ]
         },
         "Action": "sts:AssumeRole"
      }
   ]
}

Note: If you're doing this via the AWS Console then you have to refresh the browser after you update your IAM Role. Credit: from the comments, @AJB

Tarun Gupta
Mark B
  • 75
    Nota Bene: If you're doing this via the AWS Console then you have to refresh the browser after you update your IAM Role. The console seems to somehow cache the check and keeps throwing the error even after you've adjusted the IAM Role. – AJB Feb 14 '19 at 23:11
  • 15
    Thanks for the pointer. I was confused because the Lambda automatically created the role but not the trust relationship. I just needed to go into the IAM console, find the auto-generated role, and modify the trust relationship to include "edgelambda.amazonaws.com". – Nogwater Mar 30 '19 at 20:47
  • 1
    That is not a legal trust policy, "This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies" – Cerin Oct 06 '19 at 14:09
  • 2
    Ah, I see now. Your wording is confusing. You're neither adding a role nor a policy, as you suggest. The role is automatically created when you create the lambda function. What you really mean is you're editing the lambda function's role by adding this trust policy. – Cerin Oct 06 '19 at 14:16
  • 3
    @Cerin This role is copied directly from the AWS documentation I linked at the top of my answer: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-edge-permissions.html Note that it says "You add this role under the **Trust Relationship** tab in IAM (do not add it under the **Permissions** tab)." – Mark B Oct 06 '19 at 14:17
  • ALSO, future readers: note this is a LIST! Your trust relationship may already be set up: but for one service, not BOTH!!! – RyanWilcox Dec 21 '20 at 03:08
  • 1
    I added edgelambda.amazonaws.com to the policy via the Trust Relationship tab in IAM (as accessed via the correct Role in the Lambda Permissions tab) and am still getting the error when I try to deploy to Lambda@Edge. Is there a propagation delay? – Geyser14 Dec 30 '20 at 02:40
  • 2
    UPDATE: Yes, there is a delay, apparently. 12 hours later and it works. – Geyser14 Dec 30 '20 at 16:24
  • I had to delete the generated role, since it didn't work. Created a brand new one, filled this answer in, and it mysteriously worked. – Lucius Kaye Nov 19 '21 at 21:39
  • last point saved , refresh – Nasif Noorudeen Jul 30 '22 at 20:27
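Added example, not code from the original post, from AWS, or from any of the commenters: a small Python/boto3 helper that does what the accepted answer describes, checking whether a role's trust policy names both service principals and appending only the missing one so that any Condition on the existing statement keeps applying. The sample policy is constructed to match what the Lambda console generates (trusting lambda.amazonaws.com only, the situation Nogwater and RyanWilcox describe in the comments); the role name and the boto3 client are assumptions for live use and are not part of the original page.

```python
"""Check and repair a Lambda execution role's trust policy for Lambda@Edge.

Added example, not code from the original post. Lambda@Edge needs the role to be
assumable by BOTH lambda.amazonaws.com and edgelambda.amazonaws.com; a role
auto-generated by the Lambda console trusts only the first.
"""
import copy
import json

# The two service principals named in the AWS documentation quoted in the answer.
REQUIRED_PRINCIPALS = ("lambda.amazonaws.com", "edgelambda.amazonaws.com")

# Constructed sample: the trust policy the Lambda console generates by default.
DEFAULT_LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Service and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _allows_service_assume_role(stmt):
    """True for an Allow statement letting a service principal call sts:AssumeRole."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
        return False  # a Deny, "Principal": "*", or an AWS-account principal is not a service trust
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & {"sts:assumerole", "sts:*", "*"})


def trusted_services(policy):
    """Set of service principals the policy allows to assume the role.

    Necessary, not sufficient: a Deny statement or a Condition could still block
    the call, so this is a pre-check, not a replacement for reading the policy.
    """
    services = set()
    for stmt in policy.get("Statement", []):
        if _allows_service_assume_role(stmt):
            services.update(_as_list(stmt["Principal"]["Service"]))
    return services


def missing_edge_principals(policy):
    """Lambda@Edge service principals that the policy does not yet trust."""
    return [p for p in REQUIRED_PRINCIPALS if p not in trusted_services(policy)]


def add_edge_principals(policy):
    """Return a copy of the policy that trusts both principals (idempotent).

    Missing principals join the Service list of the first qualifying Allow
    statement, so any Condition on that statement still applies to them.
    """
    missing = missing_edge_principals(policy)
    fixed = copy.deepcopy(policy)
    if not missing:
        return fixed
    for stmt in fixed.get("Statement", []):
        if _allows_service_assume_role(stmt):
            stmt["Principal"]["Service"] = _as_list(stmt["Principal"]["Service"]) + missing
            return fixed
    # No service trust at all: append the statement from the AWS documentation.
    fixed.setdefault("Statement", []).append({
        "Effect": "Allow",
        "Principal": {"Service": list(REQUIRED_PRINCIPALS)},
        "Action": "sts:AssumeRole",
    })
    return fixed


def repair_role_trust(role_name, iam_client=None):
    """Fetch the role's trust policy, update it in IAM only if needed, return it.

    Live use needs boto3 plus iam:GetRole and iam:UpdateAssumeRolePolicy on the
    role; role_name is the execution role shown on the function's Permissions tab
    (assumption: you look it up first). Attached permission policies are untouched.
    """
    if iam_client is None:
        import boto3  # lazy import so the offline checks above run without it
        iam_client = boto3.client("iam")
    current = iam_client.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    fixed = add_edge_principals(current)
    if fixed != current:
        iam_client.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(fixed))
    return fixed


if __name__ == "__main__":
    print("missing:", missing_edge_principals(DEFAULT_LAMBDA_TRUST_POLICY))
    print(json.dumps(add_edge_principals(DEFAULT_LAMBDA_TRUST_POLICY), indent=2))
```

The check treats `Principal.Service` as either a string or a list, which is the case RyanWilcox warns about: a role can already trust one service and still fail the Lambda@Edge check. The repair edits only the trust relationship (who may call sts:AssumeRole), never the role's permission policies (what the role may do), which is the distinction Cerin and Mark B argue over in the comments. After the update, expect the behaviour AJB and Geyser14 report: the Lambda console may keep showing the error until you refresh, and possibly for some time after that.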
14
  1. Just go to your lambda function, Click the configuration tab -> then the permission tab (from the left menu) -> Click on your role name
  2. Then it will navigate to the relevant IAM role page.
  3. Click Trust Relationships Tab
  4. Click on the Edit policy button and add the content that @Mark mentioned.
Elshan
2

This video https://www.youtube.com/watch?v=BZzEXVkVOM8 explains the issue.

Issue: 5:39

And the resolution: 6:33

Alan