The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

Question

When I input any code in this function (e.g. console.log();) and click "Save", an error occurs:

The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

exports.handler = (event, context, callback) => {
  callback(null, 'Hello from Lambda');
  console.log(); // here is my code   
};

I bound the function with Role: lambda_excute_execution(Policy:AmazonElasticTranscoderFullAccess).

And this function is not bound with any triggers now.

And then, I give the role AdministratorAccess Policy, I can save my source code correctly.

This role could run Functions successfully before today.

Does anyone know this error?

Philipp Claßen · Accepted Answer · 2020-07-23T13:30:44.477

265

This error is common if you try to deploy a Lambda in a VPC without giving it the required network interface related permissions ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, and ec2:DeleteNetworkInterface (see AWS Forum).

For example, this a policy that allows to deploy a Lambda into a VPC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

edited Jul 23 '20 at 13:30

answered Feb 13 '19 at 11:06

Philipp Claßen

41,306
31
146
239

88

To add to the above comment, the same error also pops up if your LambdaExecutionRole does now have the AWSLambdaVPCAccessExecutionRole policy attached to it. – portatlas Mar 26 '20 at 14:40
14

Can you be more specific than `Resource: *`? – falsePockets Dec 29 '21 at 04:08
1

Only 3 actions were enough in my case: `{Create,Describe,Delete}NetworkInterface` – Bexultan Myrzatay May 11 '22 at 08:38
13

To clarify this answer: this error can occur if you ORIGINALLY deployed the lambda without a VPC, and NOW you're trying to add the lambda to a VPC. Apparently, in this scenario, AWS doesn't include these permissions, presumably on the principle of "least privilege". – Mike B Jul 05 '22 at 23:59

score 103 · Answer 2 · answered Sep 24 '20 at 10:05

103

If you are using terraform, just add:

resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
    role       = aws_iam_role.lambda.name
    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

answered Sep 24 '20 at 10:05

Stéphane Bruckert

21,706
14
92
130

Can you advice how to do this with `aws-sam` ? – PeakGen Jul 16 '21 at 15:22

fusion27 · Answer 3 · 2022-02-16T16:20:56.060

via Managed Policy

To grant Lambda necessary permissions to dig in to a VPC where a production RDS db resides in a private subnet.
As mentioned by @portatlas above, the AWSLambdaVPCAccessExecutionRole managed policy fits like a glove (and we all know use of IAM Managed Policies is an AWS-recommended best-practice).
This is for Lambdas with a service role already attached.

AWS CLI

1. Get Lambda Service Role

Ask Lambda API for function configuration, query the role from that, output to text for an unquoted return.

aws lambda get-function-configuration \
    --function-name <<your function name or ARN here>> \
    --query Role \
    --output text

return, take your-service-role-name to #2
```
your-service-role-name
```

2. Attach Managed Policy `AWSLambdaVPCAccessExecutionRole` to Service Role

aws iam attach-role-policy \
    --role-name your-service-role-name \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

CDK 2 TypeScript

const lambdaVPCExecutionRole:iam.Role = new iam.Role(this, `createLambdaVPCExecutionRole`, {
    roleName        : `lambdaVPCExecutionRole`,
    assumedBy       : new iam.ServicePrincipal(`lambda.amazonaws.com`),
    description     : `Lambda service role to operate within a VPC`,
    managedPolicies : [
        iam.ManagedPolicy.fromAwsManagedPolicyName(`service-role/AWSLambdaVPCAccessExecutionRole`),
    ],
});

const lambdaFunction:lambda.Function = new lambda.Function(this, `createLambdaFunction`, {
    runtime : lambda.Runtime.NODEJS_14_X,
    handler : `lambda.handler`,
    code    : lambda.AssetCode.fromAsset(`./src`),
    vpc     : vpc,
    role    : lambdaVPCExecutionRole,
});

"we all know use of IAM Managed Policies is an AWS-recommended best-practice" - the non-VPC managed policy for lambda execution used to grant full read-write access to all objects in S3. Don't use those policies without looking at them first. — falsePockets, Dec 29 '21 at 03:08
This is lovely! I got error messages using `ManagedPolicy.fromAwsManagedPolicyName('AWSLambdaVPCAccessExecutionRole')`. Then saw that you needed to prefix it with `service-role`and that unblocked me. Thanks a lot. — Malik Alimoekhamedov, Aug 08 '23 at 07:56

AO_ · Answer 4 · 2023-08-14T13:35:03.187

This is actually such a common issue.

You can resolve this by adding a custom Inline Policy to the Lambda execution role under the Permissions tab.

Just add this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

There's a full tutorial with pictures here if you need more information (Terraform, CloudFormation, and AWS Console) or are confused: https://ataiva.com/the-provided-execution-role-does-not-have-permissions-to-call-createnetworkinterface-on-ec2/

Additionally, a more recent sequence of steps follows:

Under your Lambda Function, select "Configuration"
Select "Permissions"
Select the execution role:
Select "Add Permissions"
Create Inline Policy
Select "JSON"
Paste the JSON above and select Review.

`"Resource": "*"` isn't great. Is there something more narrow we can use? — falsePockets, Dec 29 '21 at 03:09

score 21 · Answer 5 · answered Jul 18 '21 at 23:14

It seems like this has been answered many different ways already but as of this posting, AWS has a managed policy. If you just search for the AWSLambdaVPCAccessExecutionRole you will be able to attached that, and this method worked for me.

Here is the arn:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

score 12 · Answer 6 · answered Jan 18 '22 at 11:29

12

Just go to execution role -> Attach policy -> Search for 'AWSLambdaVPCAccessExecutionRole' and add it.

answered Jan 18 '22 at 11:29

JackSparrow63

121
1
4

This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/30846153) – Register Sole Jan 21 '22 at 03:41
How is this different from the other answers suggesting you attach the `AWSLambdaVPCAccessExecutionRole`? – Joshua Schlichting Feb 15 '22 at 20:37
This short answer is direct to the point and solved similar issue. – yjsa Jul 21 '22 at 07:55

Jani Siivola · Answer 7 · 2021-12-13T21:09:35.727

An example for Cloudformation and AWS SAM users.

This example lambda role definition adds the managed AWSLambdaVPCAccessExecutionRole and solves the issue:

Type: "AWS::IAM::Role"
Properties:
  RoleName: "lambda-with-vpc-access"
  ManagedPolicyArns:
    - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - sts:AssumeRole
        Principal:
          Service:
            - lambda.amazonaws.com

score 4 · Answer 8 · answered Jan 16 '23 at 15:44

After a bit of experimentation, here is a solution using "least privilege". It's written in Python, for the AWS CDK. However the same could be applied to normal JSON

iam.PolicyDocument(
    statements=[
        iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["ec2:DescribeNetworkInterfaces"],
            resources=["*"],
        ),
        iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["ec2:CreateNetworkInterface"],
            resources=[
                f"arn:aws:ec2:{region}:{account_id}:subnet/{subnet_id}"
                f"arn:aws:ec2:{region}:{account_id}:security-group/{security_group_id}",
                f"arn:aws:ec2:{region}:{account_id}:network-interface/*",
            ],
        ),
        iam.PolicyStatement(
            effect=iam.Effect.ALLOW,
            actions=["ec2:DeleteNetworkInterface"],
            resources=[f"arn:aws:ec2:{region}:{account_id}:*/*"],
        ),
    ],
),

score 2 · Answer 9 · answered Jul 26 '22 at 19:58

Just cause there aren't enough answers already ;) I think this is the easiest way. If you're using the web admin console, when you're creating your Lambda function in the first place, down the bottom just expand 'Advanced Settings' and check 'Enable VPC' & choose your vpc... Simple! Before doing this, my connection to my RDS proxy was timing out. After doing this (and nothing else) - works great!

score 1 · Answer 10 · answered Dec 31 '20 at 19:37

Here's a quick and dirty way of resolving the error.

Open IAM on AWS console, select the role that's attached to the Lambda function and give it the EC2FullAccess permission.

This will let you update the Lambda VPC by granting EC2 control access. Be sure to remove the permission from the role, the function still runs.

Is it more or less secure than leaving some permissions attached permanently? Debatable.

score 1 · Answer 11 · answered Jan 26 '23 at 17:42

If you are using SAM you just need to add to the Globals in the Template, like this:

Globals:
  Function:
    VpcConfig:
      SecurityGroupIds:
        - sg-01eeb769XX2d6cc9b
      SubnetIds:
        - subnet-1a0XX614
        - subnet-c6dXXb8b
        - subnet-757XX92a
        - subnet-8afXX9ab
        - subnet-caeXX7ac
        - subnet-b09XXd81

(of course, you can put all in variables, or parameters!)

and then, to the Lambda Function, add Policies to the Properties, like this:

  BasicFunction:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
      - AWSLambdaVPCAccessExecutionRole
      - AWSLambdaBasicExecutionRole

score 0 · Answer 12 · answered Dec 19 '16 at 14:37

It is definitely a strange error, but are you sure the example code you added is the one you're using in your lambda?

Because in your code, you are trying to log something in your lambda after returning control via the callback. In other words, first you told your lambda that you're done. Next, while it is busy shutting down and returning your results, you try to do some logging...

So first, I'd try this:

exports.handler = (event, context, callback) => {
    console.log('this is a test');
    // do stuff
    callback(null, 'Hello from Lambda'); // only do a callback *after* you've run all your code
};

And see if that fixes the problem.

Thanks! It's OK now. It seems some Lambda bugs. I did nothing, but two days after It's become OK. — fish, Dec 20 '16 at 04:26

The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

12 Answers12

via Managed Policy

AWS CLI

1. Get Lambda Service Role

2. Attach Managed Policy `AWSLambdaVPCAccessExecutionRole` to Service Role

CDK 2 TypeScript

Linked

The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

12 Answers12

via Managed Policy

AWS CLI

1. Get Lambda Service Role

2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role

CDK 2 TypeScript

Linked

2. Attach Managed Policy `AWSLambdaVPCAccessExecutionRole` to Service Role