23

I tried the solutions in this answer but they do not work for me. I am getting the error:

The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4c8d047c-2710-4334-86cd-51b7467c6f08)

Here is the CloudFormation associated with the error:

  EventLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub ${DeveloperPrefix}event-lambda-${Environment}-${DeployPhase}
      Handler: EventHandler
      Runtime: java8
      Code:
        S3Bucket: !Ref SharedBucketName
        S3Key: !Sub ${WorkspacePrefix}/event-subscriber-${AppVersion}.jar
        S3ObjectVersion: !Ref EventLambdaS3Version
      Role: !GetAtt EventLambdaRole.Arn
      Environment:
        Variables:
          retry_event_table_name: !Sub "${DeveloperPrefix}${AppName}-${RetryEventTableName}-${Environment}-${DeployPhase}"
          test_enabled: true # TODO: Remove once endpoint provided.
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - Fn::ImportValue: !Sub ${VPCStackName}-SubnetPrivateL
          - Fn::ImportValue: !Sub ${VPCStackName}-SubnetPrivateR
      Timeout: 28
      MemorySize: 256

  EventLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${DeveloperPrefix}${AppName}-${Environment}-${DeployPhase}-EventLambdaRole
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: !Sub ${DeveloperPrefix}${AppName}-${Environment}-${DeployPhase}-EventLambdaPolicy
          PolicyDocument:
            Statement:
              - Sid: DynamoDbPermissions
                Effect: Allow
                Action:
                  - dynamodb:PutItem
                Resource: !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DeveloperPrefix}${AppName}-EventRetry-${Environment}-${DeployPhase}'
              - Sid: LambdaVPCPermissions
                Effect: Allow
                Action:
                  - ec2:AttachNetworkInterface
                  - ec2:CreateNetworkInterface
                  - ec2:CreateNetworkInterfacePermission
                  - ec2:DeleteNetworkInterface
                  - ec2:DeleteNetworkInterfacePermission
                  - ec2:DescribeDhcpOptions
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DescribeNetworkInterfacePermissions
                  - ec2:DescribeSubnets
                  - ec2:DescribeVpcs
                  - ec2:DescribeInstances
                Resource: '*'

I have searched for an answer to this and have tried several of the suggestions found, but to no avail. Am I making any obvious mistakes? I fear I cannot see the forest for the trees right now.

Jay Blanchard
  • Just a sanity check here - after a stack is created with this CF template, does the `EventLambdaRole` in IAM indeed have two policy documents attached, each with their respective permissions? – Tom Nijs Nov 05 '19 at 16:50
  • Yes @TomNijs, they do. – Jay Blanchard Nov 05 '19 at 17:12
  • Can you try with the managed policy `AWSLambdaVPCAccessExecutionRole` instead of `AWSLambdaBasicExecutionRole`? – sayboras Nov 05 '19 at 20:59
  • The curious thing is that I have multiple Lambdas in this project and this is *the only one* where I changed this role. I inherited this code from another, so I haven't fully unraveled what was done, but why would only this one Lambda need this role while the others use `AWSLambdaBasicExecutionRole`? – Jay Blanchard Nov 06 '19 at 12:50
  • It's interesting. I just cross-checked with what I have. Basically, I am using almost the same as your CF; the only difference is that I am using `AWS::Serverless::Function` instead of `AWS::Lambda::Function`. – sayboras Nov 06 '19 at 12:59

2 Answers

59

As the lambda is running in a VPC, you can use AWSLambdaVPCAccessExecutionRole instead of AWSLambdaBasicExecutionRole. Ideally, it should be the same as what you have. One advantage is less maintenance effort from a DevOps point of view.

Important: The error is not warning us about permissions of the user, but about permissions of the role associated with the lambda function. Make sure that

  1. you have a role for the lambda function,
  2. this role has the AWSLambdaBasicExecutionRole permission policy, and
  3. this role has a Trust relationship like the following:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Roman
sayboras
2

You must also include the ec2:AssignPrivateIpAddresses and ec2:UnassignPrivateIpAddresses actions in your permissions.

falsePockets
  • I was pinpointing access and thereby avoiding the managed groups. This is a more specific answer because these are the exact actions missing from OP's example. – ir0h Jan 26 '22 at 00:41
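Added example, not from any of the posts above: a small offline check a practitioner can run over the policy documents attached to an execution role before deploying, covering both answers (the managed-policy route and the two missing actions). The required-action set is taken from the error in the question and falsePockets' answer and is assumed to match the EC2 actions in AWSLambdaVPCAccessExecutionRole; the sample policy is a constructed copy of the question's EC2 statement.

```python
import fnmatch

# EC2 actions the execution role needs so Lambda can manage the ENIs behind
# VpcConfig. Taken from the error in the question plus the two actions named
# in falsePockets' answer; assumed to match the EC2 actions in the managed
# policy AWSLambdaVPCAccessExecutionRole (verify against the live document).
LAMBDA_VPC_ACTIONS = frozenset({
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
})

def _as_list(value):
    """IAM accepts a string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    # IAM action names match case-insensitively and allow '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_vpc_actions(policy_docs, required=LAMBDA_VPC_ACTIONS):
    """Return required actions that no Allow statement grants or that an explicit
    Deny blocks, across every policy document attached to the role. Only the
    Action element is evaluated (not Resource/Condition), so a non-empty result
    is a definite gap while an empty one is necessary but not sufficient."""
    allows, denies = [], []
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if "Action" not in stmt:
                continue  # NotAction statements are out of scope for this check
            bucket = allows if stmt.get("Effect") == "Allow" else denies
            bucket.extend(_as_list(stmt["Action"]))
    return [a for a in sorted(required)
            if not any(_matches(a, p) for p in allows)
            or any(_matches(a, p) for p in denies)]

# Constructed sample: the EC2 statement from the question's EventLambdaRole.
QUESTION_POLICY = {"Statement": [{
    "Sid": "LambdaVPCPermissions", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:AttachNetworkInterface", "ec2:CreateNetworkInterface",
               "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface",
               "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions",
               "ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfacePermissions",
               "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeInstances"]}]}

if __name__ == "__main__":
    print(missing_vpc_actions([QUESTION_POLICY]))
```

Run against the question's statement it reports exactly the two actions the second answer names; passing the role's full set of documents (inline and managed, as fetched from IAM) gives a pre-deploy check that is stricter than attaching a broad managed policy.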