Reputation: 344
I am trying to modify an example of a lambda function in java using this example:
https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/s3-java
But in the process, I started getting random errors, so I started deleting the stack and leftover resources and trying again, with no luck. So I decided to redownload the example, but the errors won't go away.
I even tried aws-nuke, but the following error persists when trying to deploy the example:
{
"StackId": "arn:aws:cloudformation:us-east-2:XXXXX:stack/s3-java/XXX",
"EventId": "functionRole-CREATE_FAILED-2021-03-26T22:38:14.278Z",
"StackName": "s3-java",
"LogicalResourceId": "functionRole",
"PhysicalResourceId": "s3-java-functionRole-13JFU76O57RLT",
"ResourceType": "AWS::IAM::Role",
"Timestamp": "2021-03-26T22:38:14.278000+00:00",
"ResourceStatus": "CREATE_FAILED",
"ResourceStatusReason": "ARN AWSLambdaReadOnlyAccess is not valid. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID:XXXXXXX; Proxy: null)",
"ResourceProperties": "{\"ManagedPolicyArns\":[\"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\"arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess\",\"AWSLambdaReadOnlyAccess\",\"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole\",\"arn:aws:iam::aws:policy/AmazonS3FullAccess\"],\"AssumeRolePolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"sts:AssumeRole\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"lambda.amazonaws.com\"]}}]},\"Tags\":[{\"Value\":\"SAM\",\"Key\":\"lambda:createdBy\"}]}"
}
When I go to IAM policies, there is no policy called AWSLambdaReadOnlyAccess. How can I fix this?
Upvotes: 2
Views: 568
Reputation: 915
After March 1, 2021, the AWS managed policies AWSLambdaReadOnlyAccess and AWSLambdaFullAccess will be deprecated and can no longer be attached to new IAM users. For more information about policy deprecations, see Deprecated AWS managed policies in the IAM User Guide. [1]
The Amazon Resource Name for AWSLambda_ReadOnlyAccess is arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess. You must specify the full ARN. Since you are using an AWS::Serverless::Function in your template, putting AWSLambda_ReadOnlyAccess there should solve this issue. I don't know if aws-nuke also deletes AWS managed policies, but that is something to be cautious of.
[1] https://docs.aws.amazon.com/lambda/latest/dg/security_iam_troubleshoot.html
Upvotes: 2
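The failing entry is visible in the event's ResourceProperties: four of the five ManagedPolicyArns are full ARNs, while "AWSLambdaReadOnlyAccess" is a bare name that IAM rejects with InvalidInput. The following is an added example, not code from the question, the answer, or the AWS sample app: a small linter that takes that ResourceProperties JSON, flags entries that are not full AWS managed policy ARNs, flags the two policy names the answer's quoted AWS doc lists as deprecated, and rewrites the one for which the page gives a replacement ARN. The sample input is constructed from the event above; the ARN regex and the decision to leave unknown entries untouched rather than guess are this example's assumptions.

```python
import json
import re

# Full ARN of an AWS managed policy: partition, "iam", empty region, the literal
# account "aws", then "policy/" and an optional path such as "service-role/".
# (Assumed shape; covers the commercial, China and GovCloud partitions.)
MANAGED_POLICY_ARN = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):iam::aws:policy/(?:[\w+=,.@-]+/)*[\w+=,.@-]+$"
)

# Policy names the AWS doc quoted in the answer lists as deprecated since March 1, 2021.
DEPRECATED_NAMES = {"AWSLambdaReadOnlyAccess", "AWSLambdaFullAccess"}

# The only replacement ARN stated on the page. A FullAccess replacement is not given
# there, so it is deliberately left out rather than guessed.
REPLACEMENTS = {
    "AWSLambdaReadOnlyAccess": "arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess",
}

# Constructed sample: the ManagedPolicyArns from the CREATE_FAILED event's
# ResourceProperties, re-serialized as the same kind of JSON string.
SAMPLE_RESOURCE_PROPERTIES = json.dumps({
    "ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess",
        "AWSLambdaReadOnlyAccess",
        "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    ],
})


def check_policy_ref(ref):
    """Classify one ManagedPolicyArns entry.

    Returns (status, replacement): status is "ok", "deprecated" or "not-an-arn";
    replacement is the ARN to use instead, or None if the page lists none.
    A deprecated policy is reported as such whether it appears as a bare name
    or as a full ARN, so the deprecation check runs before the ARN-shape check.
    """
    name = ref.rsplit("/", 1)[-1]
    if name in DEPRECATED_NAMES:
        return "deprecated", REPLACEMENTS.get(name)
    if not MANAGED_POLICY_ARN.match(ref):
        return "not-an-arn", None
    return "ok", None


def lint_managed_policy_arns(resource_properties_json):
    """Return [(entry, status, replacement)] for every entry that is not ok."""
    props = json.loads(resource_properties_json)
    findings = []
    for ref in props.get("ManagedPolicyArns", []):
        status, replacement = check_policy_ref(ref)
        if status != "ok":
            findings.append((ref, status, replacement))
    return findings


def fix_managed_policy_arns(resource_properties_json):
    """Return the ManagedPolicyArns list with known deprecated names swapped for
    their replacement ARN. Entries with no known replacement stay in place so the
    template author sees them instead of silently losing a permission."""
    props = json.loads(resource_properties_json)
    fixed = []
    for ref in props.get("ManagedPolicyArns", []):
        _status, replacement = check_policy_ref(ref)
        fixed.append(replacement if replacement else ref)
    return fixed


if __name__ == "__main__":
    for entry, status, replacement in lint_managed_policy_arns(SAMPLE_RESOURCE_PROPERTIES):
        print(f"{status}: {entry}" + (f" -> {replacement}" if replacement else ""))
    print(json.dumps(fix_managed_policy_arns(SAMPLE_RESOURCE_PROPERTIES), indent=2))
```

Run against the event's properties, the linter reports exactly one problem, the bare "AWSLambdaReadOnlyAccess", and the fixed list carries the full arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess in its place, which is the change the answer describes for the template's Policies list. Independently of the deprecation, the same list attaches AmazonS3FullAccess to the function role; for a function that only reads and writes one bucket, a scoped inline policy is the least-privilege choice.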