Calvin

Reputation: 417

sts:assumed role can't access lambda running inside vpc

I have an issue with my lambda function, which is running inside a generic VPC. The lambda function basically queries the DynamoDB table and issues requests to retrieve S3 objects from Glacier. It runs fine when I don't specify the VPC in lambda, but when I do it gives me this error:

 "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/NLM-INT-draps-lambda-role/retrieval-1 is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:123456789012:table/S3_log/index/ContentType-LastChecked-index"     

The role's permissions are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:RestoreObject",
                "s3:ListObjects",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::nlm-qa-int-draps-bucket",
                "arn:aws:s3:::nlm-qa-int-draps-bucket/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:UpdateItem",
                "dynamodb:UpdateTable"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-1:123456789012:table/S3_log",
                "arn:aws:dynamodb:us-east-1:123456789012:table/S3_log/index/item_status-index",
                "arn:aws:dynamodb:us-east-1:123456789012:table/S3_log/index/ContentType-LastChecked-index"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:123456789012:function:nlm-int-draps-us-east-1-upload",
                "arn:aws:lambda:us-east-1::function:retrieval-1",
                "arn:aws:lambda:us-east-1:123456789012:function:final_lambda"
            ],
            "Effect": "Allow"
        }
    ]
} 

The role also has a Trust Relationship policy that would allow lambda to run automatically via cloudevent on the above role's behalf:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I should also note that even when I give the lambda AdministratorAccess role permissions it still fails if I run the lambda inside the VPC, so that leads me to believe the issue might not be permission related.

In another lambda function, which also ran inside the same VPC, triggered by S3 PUTs to write to DynamoDB, I had to create a DynamoDB endpoint for the VPC to access DynamoDB, so I think this issue might be related. Any help is appreciated, thanks!

Upvotes: 1

Views: 2020

Answers (1)

John Rotenstein

Reputation: 269826

Given the description of your situation, it appears that the VPC Endpoint configuration is causing some problems with this Lambda function. You'll either need to diagnose the cause or simply remove the VPC Endpoint.

To give Internet access to an AWS Lambda function that is linked to a VPC (e.g. to access DynamoDB endpoints), you will need one of the following:

  • The AWS Lambda function configured to use a Private Subnet that has a route table entry pointing to a NAT Gateway in the Public Subnet, OR
  • An Elastic IP address assigned to the Elastic Network Interface (ENI) of the Lambda function that appears in the VPC

This would avoid the need for you to configure a VPC Endpoint for DynamoDB.

Upvotes: 3
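The two options in the answer, plus the endpoint-policy case it hints at, modelled as an added example (not code from the question or the answer): given route tables in the shape EC2 DescribeRouteTables returns, it reports whether a Lambda's subnet reaches DynamoDB through a NAT route or through a gateway endpoint, and whether that endpoint's policy would allow the call that failed in the question. The prefix-list id, subnet and gateway ids and the endpoint policy are all constructed; the Elastic IP option is not modelled.

```python
from fnmatch import fnmatchcase
DDB_PREFIX_LIST = "pl-00000ddb"  # constructed stand-in for the region's DynamoDB prefix list id
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

# Constructed DescribeRouteTables-style data: three subnets a VPC Lambda might be placed in.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-nat"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"Associations": [{"SubnetId": "subnet-vpce"}],
     "Routes": [LOCAL, {"DestinationPrefixListId": DDB_PREFIX_LIST, "GatewayId": "vpce-0def"}]},
    {"Associations": [{"SubnetId": "subnet-isolated"}], "Routes": [LOCAL]},
]

# Constructed gateway-endpoint policy: allows the table ARN but not its index ARNs.
ENDPOINT_POLICIES = {"vpce-0def": {"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/S3_log"}]}}

def subnet_path(subnet_id, route_tables=ROUTE_TABLES):
    """Return ('nat', id) or ('vpce', id) from the subnet's route table, else (None, None)."""
    for rt in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            continue
        for r in rt["Routes"]:
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r:
                return "nat", r["NatGatewayId"]
            if r.get("DestinationPrefixListId") == DDB_PREFIX_LIST:
                return "vpce", r["GatewayId"]
    return None, None

def endpoint_allows(vpce_id, action, resource, policies=ENDPOINT_POLICIES):
    """Simplified endpoint-policy check: explicit Deny wins, else any matching Allow (IAM wildcards)."""
    if vpce_id not in policies:  # no custom policy: AWS's default endpoint policy allows everything
        return True
    allowed = False
    for st in policies[vpce_id]["Statement"]:
        acts, ress = (v if isinstance(v, list) else [v] for v in (st["Action"], st["Resource"]))
        if any(fnmatchcase(action, a) for a in acts) and any(fnmatchcase(resource, r) for r in ress):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def diagnose(subnet_id, action, resource):
    """Explain whether a Lambda ENI in subnet_id can complete this DynamoDB call."""
    kind, target = subnet_path(subnet_id)
    if kind is None:
        return f"no route to DynamoDB from {subnet_id}: add a NAT route or a gateway endpoint"
    if kind == "vpce" and not endpoint_allows(target, action, resource):
        return f"endpoint {target} policy denies {action} on {resource}"
    return f"ok via {target}"
```

Run it against the index ARN from the error message to see the endpoint-policy denial alongside the "not authorized" symptom the question reports even with AdministratorAccess.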
