Reputation: 3112
I am trying to deploy with VPC and this is my serverless.yaml
```yaml
vpcSettings: &vpcSettings
  vpc: ${self:custom.allVpcSettings.${self:provider.stage}.vpc}

provider:
  name: aws
  runtime: nodejs10.x
  stage: ${opt:stage, 'local'}
  region: us-west-1
  memorySize: 256
  timeout: 30
  deploymentPrefix: fs-sls-${self:provider.stage}-deploy
  deploymentBucket: fs-serverless-deployment
  variables: ${file(.env.${opt:stage, self:provider.stage}.json)}
  environment:
    NODE_ENV: ${self:provider.variables.NODE_ENV}

functions:
  ping:
    handler: src/handler.ping
    description: Let us know if the service is up and running
    events:
      - http:
          path: ping
          method: get
          cors: true
  graphql:
    handler: src/handler.graphqlHandler
    <<: *vpcSettings
    description: One function where all GQL request comes
    memorySize: 1024
    events:
      - http:
          path: graphql
          method: post
          cors: true
      - http:
          path: graphql
          method: get
          cors: true

plugins:
  - serverless-offline

custom:
  serverless-offline:
    port: 6000
  allVpcSettings:
    local:
      vpc: 'This is a dummy value that should be ignored'
    dev:
      vpc:
        securityGroupIds:
          - sg-xxxxxxxxxxxxxxx
        subnetIds:
          - subnet-xxxxxxxxxxxxxxx
          - subnet-xxxxxxxxxxxxxxx
    prod:
      vpc:
        securityGroupIds:
          - sg-xxxxxxxxxxxxxxx
        subnetIds:
          - subnet-xxxxxxxxxxxxxxx
          - subnet-xxxxxxxxxxxxxxx
```
It fails with the following error
```
  Serverless Error ---------------------------------------

  The provided execution role does not have permissions to call CreateNetworkInterface on EC2

  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com

  Your Environment Information ---------------------------
     Operating System:          darwin
     Node Version:              10.16.0
     Framework Version:         1.52.0
     Plugin Version:            2.0.0
     SDK Version:               2.1.1
```
The user that I created for this purpose has AdministratorAccess as well as AWSLambdaVPCAccessExecutionRole in its permissions. What else is expected here?
Upvotes: 0
Views: 6692
Reputation: 3112
So I fixed it. It means the role of deploying lambda doesn't have permission. So it boils down to the fact to give it the role. First, confirm if you have the role. Check in the image where to look for the role.
Once you don't find it, which you most likely won't, take the role name, go to IAM -> Roles, search for the role name and add AWSLambdaVPCAccessExecutionRole to the selected role.
This should give it the required permission.
Now try deploying the SLS and it should work.
Once you have the role, edit it by adding the
Upvotes: 3
Reputation: 3777
Although the user that you've created to deploy this lambda function has Administrator access, the lambda function itself needs networking permissions if you're deploying it into a VPC.
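Try adding these permissions in the provider block of your serverless.yml template:
```yaml
# Serverless Framework 1.x reads these statements from provider.iamRoleStatements
- Effect: Allow
  Action:
    - ec2:DescribeNetworkInterfaces
    - ec2:CreateNetworkInterface
    - ec2:DeleteNetworkInterface
    - ec2:DescribeInstances
    - ec2:AttachNetworkInterface
  Resource:
    - "*"  # quoted: a bare * is parsed as a YAML alias and fails to load
```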
If that works, you'll want to deploy a more limited permission structure for your production environment.
Upvotes: 2
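As a starting point for the "more limited permission structure" mentioned in the last answer, the added example below (not code from either answer) audits a list of IAM statements before deploy: it reports which network-interface actions are still missing and which EC2 grants go beyond them. The `REQUIRED` set, the `audit` helper and both sample policies are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: the network-interface actions a VPC-attached function's role
# needs. CreateNetworkInterface is the one named in the deploy error.
REQUIRED = ("ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants(stmt, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"]))


def audit(statements):
    """Return (missing, extra, wildcard_resource) for IAM statements.

    Simplification: Condition blocks are ignored and any matching Deny is
    treated as blocking, whatever its Resource.
    """
    allow = [s for s in statements if s.get("Effect") == "Allow"]
    deny = [s for s in statements if s.get("Effect") == "Deny"]
    missing = [a for a in REQUIRED
               if not any(_grants(s, a) for s in allow)
               or any(_grants(s, a) for s in deny)]
    needed = {a.lower() for a in REQUIRED}
    extra = sorted({p for s in allow for p in _as_list(s["Action"])
                    if (p == "*" or p.lower().startswith("ec2:"))
                    and p.lower() not in needed})
    wildcard = any("*" in _as_list(s.get("Resource", []))
                   for s in allow if any(_grants(s, a) for a in REQUIRED))
    return missing, extra, wildcard


# Constructed inputs: the statement from the answer above, and a role that
# only has CloudWatch Logs permissions.
ANSWER_STATEMENT = [{"Effect": "Allow", "Resource": ["*"], "Action": [
    "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface", "ec2:DescribeInstances",
    "ec2:AttachNetworkInterface"]}]
LOGS_ONLY = [{"Effect": "Allow", "Resource": "arn:aws:logs:*:*:*",
              "Action": ["logs:CreateLogStream", "logs:PutLogEvents"]}]

if __name__ == "__main__":
    print(audit(ANSWER_STATEMENT))
    print(audit(LOGS_ONLY))
```

An empty `missing` list means the deploy error above should not recur; entries in `extra` and a true `wildcard` flag are the candidates to trim or scope before production.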