I'm a newbie in AWS and I received this message while running a lambda function. I've read the possible solutions here The role defined for the function cannot be assumed by Lambda but I didn't understand them. How should I best proceed?
What is the role? You must have used-non default role, so exactly what did you do? – Marcin May 13 '21 at 10:26
How did you create the function? In the console? CLI? CloudFormation? The console should have taken care of this for you, so I assume another way. It sounds like the trust relationship for the role doesn't grant access to lambda. – Jason Wadsworth May 13 '21 at 13:57
Basically I have one .py file in an S3 bucket and I want to run it. This file is able to connect to an API and obtain a list of values. My goal is to automate this process using a lambda function, an s3 bucket, a cloudwatch and a dynamodb – V_20_sl May 15 '21 at 15:31
1 Answer
This means you have configured your lambda to run using a role. But when it runs, the AWS lambda service has not been granted permission to assume the role you configured. Essentially, AWS Lambda needs to be granted permission to assume the role you chose.
Suppose you had a role with Administrator access. Suppose you are a non-administrator developer who is creating a lambda. If you have the ability to create a lambda and specify the role with Administrator access as the one to run your lambda, you can effectively do anything an Administrator can do. It would be a security breach. If whoever owns the Administrator role wants to grant the AWS lambda service permission to use the role, then they would effectively be granting you permission to run things as an Administrator. But unless/until they grant the permission, lambda won't be able to run under that role.
See https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html. The role you want to use needs to allow lambda to assume it, which is done by this sort of policy:
"AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
That statement effectively says, "allow the lambda service to assume this role." So to proceed, you should verify that the role you've chosen to run your lambda has a policy such as this. Choose the role in IAM and look at the Trust Relationships tab. It needs to list lambda.amazonaws.com; if it doesn't, you need to edit it and add that.
Also, lambdas run based on various triggers: some triggered by a person, but others triggered by an event. So because events can trigger the lambda to run, that means you must grant the aws lambda service the permission to use the role you have specified for the lambda.

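The check the answer describes (look at the role's trust relationship and confirm it names lambda.amazonaws.com) can be done from a script instead of the console. The following is an added example, not code from the answer or from AWS; it assumes you have already pulled the trust policy with `aws iam get-role --role-name my-lambda-role --query Role.AssumeRolePolicyDocument --output json` and will push a repaired one back with `aws iam update-assume-role-policy --role-name my-lambda-role --policy-document file://trust.json`. The role name and the two sample policy documents are constructed for illustration; the first one shows the common mistake of reusing a role whose trust policy only names ec2.amazonaws.com. Note that this is the trust policy (who may assume the role); the S3 or other permissions discussed in the comments live in the role's separate permission policies and are not touched here.

```python
"""Check and repair a Lambda execution role's trust policy (added example)."""
import copy
import json

LAMBDA_SERVICE = "lambda.amazonaws.com"
ASSUME_ROLE = "sts:AssumeRole"

# Constructed sample: a role originally created for EC2, then reused for Lambda.
# This is exactly the shape that produces "cannot be assumed by Lambda".
EC2_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed sample: a correct Lambda trust policy (list form of Service/Action).
LAMBDA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
        }
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list in Principal/Action/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt):
    """True if the statement names the Lambda service principal and sts:AssumeRole.

    Conditions (e.g. aws:SourceAccount) are not evaluated here; a matching
    statement with a Condition would need a manual look.
    """
    actions = _as_list(stmt.get("Action"))
    if ASSUME_ROLE not in actions and "sts:*" not in actions:
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True  # overly broad, but it does match lambda.amazonaws.com
    if not isinstance(principal, dict):
        return False
    return LAMBDA_SERVICE in _as_list(principal.get("Service"))


def lambda_can_assume(policy):
    """Return True if Lambda is allowed, and not explicitly denied, to assume the role."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_matches(stmt):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def add_lambda_trust(policy):
    """Return a copy of the policy with an Allow statement for Lambda added if missing.

    An explicit Deny cannot be fixed by adding an Allow, so that case raises.
    """
    fixed = copy.deepcopy(policy)
    if lambda_can_assume(fixed):
        return fixed
    for stmt in _as_list(fixed.get("Statement")):
        if _statement_matches(stmt) and stmt.get("Effect") == "Deny":
            raise ValueError("trust policy explicitly denies lambda.amazonaws.com")
    fixed.setdefault("Version", "2012-10-17")
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [
        {
            "Effect": "Allow",
            "Principal": {"Service": LAMBDA_SERVICE},
            "Action": ASSUME_ROLE,
        }
    ]
    return fixed


if __name__ == "__main__":
    # In practice, load the document fetched with `aws iam get-role` here.
    for name, doc in (("ec2-only", EC2_ONLY_TRUST), ("lambda", LAMBDA_TRUST)):
        print(name, "lambda can assume:", lambda_can_assume(doc))
    # Write the repaired document for `aws iam update-assume-role-policy`.
    print(json.dumps(add_lambda_trust(EC2_ONLY_TRUST), indent=2))
```

Running it prints False for the EC2-only policy and True for the Lambda one, then the repaired document with the extra Allow statement appended. Adding the statement rather than replacing the existing one keeps whatever other principal the role already trusted, which is what you want when the role is shared; if it is a Lambda-only role, dropping the ec2.amazonaws.com statement is the tighter choice.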
Thank you for the answer. Let's say that I want to run a file that is present in an S3 bucket using lambda. I create a role for S3 full access, but this file is also requesting access with an API to a site... what kind of permission policy should I use? – V_20_sl May 15 '21 at 15:44
So if the role running your lambda has S3 full access and you have checked that the Trust Relationship allows lambda.amazonaws.com to assume the role, then you should be able to fetch the file from S3. As for executing it (I assume it is a script) the script permissions needed would depend on what it is doing. – Shawn May 17 '21 at 15:26