Reputation: 280
I am trying to write a basic Lambda function to start and stop EC2 instances. The following is my code. I created a role by choosing the existing AWSLambdaBasicExecutionRole, but I am getting the following error.
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.: ClientError
```python
import boto3

ec2 = boto3.client('ec2')


# get the list of all the ec2 instances
def get_all_ec2_ids():
    response = ec2.describe_instances(DryRun=False)
    instances = []
    for reservation in response["Reservations"]:
        for instance in reservation["Instances"]:
            # Each instance is a dictionary; collect the value of its 'InstanceId' key
            instances.append(instance["InstanceId"])
    return instances
```
Upvotes: 0
Views: 1424
Reputation: 678
First of all, AWSLambdaBasicExecutionRole is a POLICY, not a role, despite what its name implies. And that policy gives only the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
This, as you can see, does NOT provide any permission to DescribeInstances. If you were to add the AWS managed policy:
AmazonEC2ReadOnlyAccess
as an example, that would give your Lambda the DescribeInstances permission as well as a few others. Depending on what you ultimately want the Lambda to do, you may need to add a different policy or better yet, create your own custom policy that will grant exactly what permissions your Lambda needs to run.
Upvotes: 3
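An added example (not part of the question or the answer above) of the custom policy the answer recommends: it builds a policy document limited to logging, listing instances, and start/stop, and checks it against the AWSLambdaBasicExecutionRole permissions with a simplified evaluator. The function names, region and account ID are hypothetical, constructed values.

```python
import json
from fnmatch import fnmatchcase

# Permissions of AWSLambdaBasicExecutionRole, as quoted in the answer above.
BASIC_EXECUTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

def build_start_stop_policy(region, account_id):
    """Custom policy: logging, listing instances, and start/stop only."""
    instance_arn = f"arn:aws:ec2:{region}:{account_id}:instance/*"
    return {
        "Version": "2012-10-17",
        "Statement": BASIC_EXECUTION["Statement"] + [
            # DescribeInstances does not support resource-level permissions,
            # so it has to be granted on "*".
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            # Start/stop are limited to instances in one account and region.
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances"],
             "Resource": instance_arn},
        ],
    }

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action):
    """Simplified check: does any Allow statement's Action match `action`?
    Ignores Deny, Resource and Condition; IAM action names are case-insensitive."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = as_list(stmt.get("Action", []))
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    custom = build_start_stop_policy("us-east-1", "123456789012")  # constructed values
    print(json.dumps(custom, indent=2))
    for act in ("ec2:DescribeInstances", "ec2:StartInstances", "ec2:TerminateInstances"):
        print(act, allows(BASIC_EXECUTION, act), allows(custom, act))
```

The printed JSON can be attached to the Lambda's execution role as a customer managed or inline policy in place of AmazonEC2ReadOnlyAccess.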