Chun-Kit Chung

Reputation: 85

aws lambda update-function-configuration receives AccessDeniedException

I want to grant VPC access to my Lambda function. I use the following AWS CLI command.

aws lambda update-function-configuration \
--function-name SampleFunction \
--vpc-config SubnetIds=subnet-xxxx,SecurityGroupIds=sg-xxxx

But I receive the following error:

An error occurred (AccessDeniedException) when calling the UpdateFunctionConfiguration operation: Your access has been denied by EC2, please make sure your request credentials have permission to DescribeSecurityGroups for sg-xxxx. EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.

I have granted the following permissions to both my Lambda role and the user who executes the AWS command.

    - "ec2:CreateNetworkInterface"
    - "ec2:DescribeNetworkInterfaces"
    - "ec2:DeleteNetworkInterface"
    - "ec2:DescribeSecurityGroups"

I further tried to grant full access to both the Lambda role and the user, but still received the same error.

Can anyone suggest what else I can try?

Upvotes: 6

Views: 7935

Answers (4)

Vibhu Kuchhal

Reputation: 91

The trick is to make sure the pipeline / worker role / user (which is deploying the Lambda function) has access to the network-related policies. The Lambda function itself should suffice with the managed policy AWSLambdaVPCAccessExecutionRole:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

Action:
  - ec2:DescribeSecurityGroups
  - ec2:DescribeSubnets
  - ec2:DescribeVpcs
Effect: Allow
Resource: '*'

Upvotes: 9

user12864730

Both the Lambda function's role and the user role (either the CloudFormation role or the command-line user) must have:

          - ec2:CreateNetworkInterface
          - ec2:DescribeNetworkInterfaces
          - ec2:DeleteNetworkInterface
          - ec2:DescribeSecurityGroups
          - ec2:DescribeSubnets

or ec2:* if that is OK for your use case's security.

I had the same issue deploying a Lambda with a VPC config using SAM/CloudFormation and resolved it by adding the above.

On the GitHub issue some people say it is because of the CloudFormation creation order. It is not (or maybe not anymore): I tested adding 20 dummy resources and still had the same issue, which was only resolved by adding the permissions above.

cheers,

Upvotes: 1

htaccess

Reputation: 3130

I experienced the same issue. Despite the IAM policy for the user having the required permissions, I could not use the AWS CLI to create a Lambda function with a VPC config (aws lambda create-function) or modify an existing function to add a VPC config (aws lambda update-function-configuration).

The only way I could get this to work was to create the Lambda function without a VPC config. I then modified the function to add the VPC config information (VPC, subnet and security groups) via the AWS console (in Lambda > Functions > My Function > Network). I was only able to use the console to do this, introducing a manual step in an otherwise fully automated process.

To answer some of the questions above about which user needs the ec2:DescribeSecurityGroups and related permissions: it is the user running the CLI command or logged in to the console. The function does not need a policy providing these permissions. The only special permissions needed for a function with a VPC config are:

  • ec2:CreateNetworkInterface
  • ec2:DescribeNetworkInterfaces
  • ec2:DeleteNetworkInterface

These allow the function to create ENIs within your VPC using the subnet and security group you provide as described here.

Upvotes: 2

Ashan

Reputation: 19758

Your user's IAM policy needs further permissions.

For example ec2:CreateSecurityGroup etc. Have a look at this documentation to add the required permissions.

Upvotes: 3
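The answers above all turn on the same point: the principal that runs update-function-configuration (CLI user, pipeline role, CloudFormation role) needs the EC2 Describe* lookups, while the function's execution role needs the ENI actions. The script below is an added example, not code from the question or any answer, that encodes that split as two constructed IAM policy documents and a deliberately simplified evaluator (explicit Deny wins, then any matching Allow; no Condition blocks, NotAction, or resource policies), so you can see which principal is short of which action before AWS tells you with an AccessDeniedException. The policy documents, statement Sids and the DEPLOYER_POLICY_BROKEN variant are hypothetical; the action names are the ones the answers list.

```python
import fnmatch
import json

# Actions the answers above attribute to each principal.
DEPLOYER_REQUIRED = [
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
]
EXECUTION_ROLE_REQUIRED = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
]

# Constructed, illustrative policy for the principal that runs the CLI /
# pipeline (hypothetical document, not from the page).
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LookUpVpcConfig", "Effect": "Allow",
         "Action": DEPLOYER_REQUIRED, "Resource": "*"},
        {"Sid": "UpdateSampleFunction", "Effect": "Allow",
         "Action": "lambda:UpdateFunctionConfiguration",
         "Resource": "arn:aws:lambda:*:*:function:SampleFunction"},
    ],
}

# A deployer policy that can call Lambda but has no EC2 lookups: this is the
# shape that reproduces the "denied by EC2" error in the question (constructed).
DEPLOYER_POLICY_BROKEN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ],
}

# Constructed execution-role policy: only the ENI actions the function needs.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageEnis", "Effect": "Allow",
         "Action": EXECUTION_ROLE_REQUIRED, "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy, action, resource="*"):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any statement whose Action and Resource both match grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, required):
    """Return the required actions that the policy does not allow on '*'."""
    return [a for a in required if not is_allowed(policy, a)]


def check_vpc_config_permissions(deployer_policy, execution_role_policy):
    """Report, per principal, which of the actions listed above are absent."""
    return {
        "deployer": missing_actions(deployer_policy, DEPLOYER_REQUIRED),
        "execution_role": missing_actions(execution_role_policy, EXECUTION_ROLE_REQUIRED),
    }


if __name__ == "__main__":
    # The broken deployer policy is short of all three EC2 lookups; the fixed one is not.
    print(json.dumps(check_vpc_config_permissions(DEPLOYER_POLICY_BROKEN, EXECUTION_ROLE_POLICY), indent=2))
    print(json.dumps(check_vpc_config_permissions(DEPLOYER_POLICY, EXECUTION_ROLE_POLICY), indent=2))
```

Run it as-is to see the two reports. The evaluator is intentionally far smaller than IAM's real logic (it ignores Condition, NotAction/NotResource, permission boundaries, SCPs and resource-based policies), so treat a clean result as "the policy document itself is not the problem", not as proof the call will succeed; the htaccess answer above is a reminder that the caller's effective permissions can differ from the document you think is attached.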
