Mandrek

Reputation: 1211

Can't create a Lambda function with a custom role HR which has the AWSLambdaFullAccess policy

I have created a role HR from the root account in AWS; for that user I have attached the below roles.

Now when I am logged in to the user account and trying to create a function in AWS Lambda, it is giving me the error:

You are not authorized to perform: iam:CreateRole


I don't understand how to solve this and where I am doing wrong. Please help.

Upvotes: 2

Views: 3687

Answers (1)

JD D

Reputation: 8097

This is happening because when your new user is creating the Lambda, they are not specifying an existing role for Lambda to use. In this case, the Lambda service is trying to create a new IAM role with the basic execution policy that it can attach to that Lambda function.

To solve this you have a couple of options:

  1. Give your new IAM user permission to create roles. This could be accomplished by adding a policy to your new user that grants the iam:CreateRole permission. You could also just add the IAMFullAccess managed role. If you do this, it is best practice to also set up permission boundaries for that user to restrict what kind of IAM permissions they can add to the IAM resources they create.

  2. You could pre-create a Lambda execution role with your root/admin user that the other user could select in the Lambda console when they are creating their new Lambda function. At minimum, this new role would need the AWSLambdaBasicExecutionRole managed policy attached to it. Once that is created, the other user should see it in the dropdown as a choice to associate to their new Lambda function, and they can choose it instead of asking Lambda to create a brand new role.

Hope that helps.

Upvotes: 5
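Option 2 from the answer above, as an added example rather than anything posted in this thread: an admin pre-creates the execution role with only AWSLambdaBasicExecutionRole attached, and the restricted user then references that role by ARN, so the user never needs iam:CreateRole. It assumes the AWS CLI is configured with admin credentials; the role name, function name, runtime and zip path are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or answer). Assumes an admin-configured
# AWS CLI; ROLE_NAME, hello-world, function.zip and the runtime are hypothetical.
set -eu

ROLE_NAME="${ROLE_NAME:-lambda-basic-execution}"
# Managed policy the answer names: CloudWatch Logs write access only.
BASIC_EXEC_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

# Trust policy: only the Lambda service principal may assume this role.
lambda_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Admin side: create the role and attach only the basic execution policy.
# Prints the role ARN so it can be handed to the restricted user.
create_execution_role() {
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(lambda_trust_policy)" \
    --query 'Role.Arn' --output text
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "$BASIC_EXEC_POLICY_ARN"
}

# Restricted user side: pass the existing role ARN with --role, so Lambda is
# not asked to create a role and iam:CreateRole is never needed.
create_function_with_role() {
  aws lambda create-function \
    --function-name hello-world \
    --runtime python3.12 \
    --handler lambda_function.lambda_handler \
    --zip-file fileb://function.zip \
    --role "$1"
}

if [ "${1:-}" = "run" ]; then
  role_arn="$(create_execution_role)"
  create_function_with_role "$role_arn"
fi
```

Run it as `sh create-lambda-role.sh run`; without the `run` argument it only defines the functions.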
