ozn

Reputation: 2238

AWS IAM Execution role does not have permissions to call CreateNetworkInterface on EC2 for a specific VPC

I'm getting this error: Error: Error creating Lambda function: InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2 when trying to create a Lambda with IAM permissions like this, using a custom Lambda role:

  ...
  statement {
    sid = "MyCustomLamdaStatementDescribe"
    actions = [
      "ec2:DescribeNetworkInterfaces",
    ]
    resources = ["*"]
  }
  statement {
    sid = "MyCustomLamdaStatementCreateDelete"
    actions = [
        "ec2:AttachNetworkInterface",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:DescribeVpcs"
    ]
    resources = [
      "*"
    ]
    condition {
      test     = "ArnEquals"
      variable = "ec2:vpc"
      values = [
        "arn:aws:ec2:${var.my_region}:${var.my_account_id}:vpc/${var.my_vpc_id}",
      ]
    }
  }
  ...

Creating the Lambda works perfectly without any condition (as pointed out in AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2), but I need the role to be able to match the VPC (or ec2:Subnet ARN).

Note: I tried the condition.test with ArnEquals and StringEquals.

Upvotes: 2

Views: 6642

Answers (3)

Aishwarya shekar

Reputation: 1

The error message you're encountering is related to the Lambda function's role lacking permissions to create a network interface within an EC2 environment, which is required for functions that need to access resources within a VPC.

To fix the issue, you need to add the necessary permissions to the IAM role to allow it to create a network interface. You can do this by creating a new custom policy or by directly attaching the AWSLambdaVPCAccessExecutionRole managed policy to the IAM role.

Upvotes: 0

De117

Reputation: 431

For what it's worth: AWS themselves don't restrict the ec2:DeleteNetworkInterface in their AWSLambdaENIManagementAccess policy.

To quote AWS documentation, that policy:

Provides minimum permissions for a Lambda function to manage ENIs (create, describe, delete) used by a VPC-enabled Lambda Function.

Upvotes: 0

falsePockets

Reputation: 4293

If you want to restrict this to just one VPC, you have to split up each action.

ec2:DescribeNetworkInterfaces can only be used with Resource: * and no Conditions (see docs). But that's relatively harmless on its own. The others can be restricted.

Here's a solution, in YAML (CloudFormation). It's not perfect. In particular I can't figure out how to restrict the resource or apply a condition to ec2:DeleteNetworkInterface. When I try, I get the same error.

- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${SecGrp}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetA}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetB}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetC}'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
    # VPC condition not supported for this type of resource for this action
- Effect: Allow
  Action:
    - 'ec2:DeleteNetworkInterface'
  Resource:
    # I don't know why we need the first
    # the docs say the second is sufficient, but it doesn't work
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  # the docs say this is supported, but it's not
  # Condition:
  #   StringEquals:
  #     'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'

- Effect: Allow
  Action:
    # this action must have resource: * and no conditions
    # cannot be restricted
    - 'ec2:DescribeNetworkInterfaces'
  Resource:
    - '*'
- Effect: Allow
  Action:
    - 'ec2:AssignPrivateIpAddresses'
    - 'ec2:UnassignPrivateIpAddresses'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'

Upvotes: 2
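A small policy linter that encodes the constraints this answer reports, so a role can be checked before `terraform apply` hits the InvalidParameterValueException. This is an added example, not code from the question or any answer; the rules (Describe needs Resource `*` and no Condition, a Condition on DeleteNetworkInterface is rejected, Create on `*` with no Condition is unscoped) are taken from falsePockets' observations and are assumptions about Lambda's validation, not an authoritative AWS rule set. The sample policy is the question's two Terraform statements hand-rendered to JSON form with placeholder values.

```python
"""Lint a Lambda execution-role policy for the ENI-permission pitfalls this
thread describes.  Added example, not code from the question or answers.  The
rules only encode what falsePockets' answer reports and are an assumption about
Lambda's role validation, not an authoritative AWS rule set."""
DESCRIBE = "ec2:DescribeNetworkInterfaces"
DELETE = "ec2:DeleteNetworkInterface"
CREATE = "ec2:CreateNetworkInterface"


def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows str or list


def lint_eni_policy(policy: dict) -> list[str]:
    """Return one finding per statement that Lambda would reject at function
    creation or that leaves ENI creation unscoped; an empty list means clean."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = _as_list(st.get("Resource", []))
        has_cond = bool(st.get("Condition"))
        if DESCRIBE in actions and (resources != ["*"] or has_cond):
            findings.append(f"stmt {i}: {DESCRIBE} only works with Resource '*' and no Condition; give it its own statement")
        if DELETE in actions and has_cond:
            findings.append(f"stmt {i}: {DELETE} with a Condition fails role validation; move it to an unconditioned statement")
        if CREATE in actions and resources == ["*"] and not has_cond:
            findings.append(f"stmt {i}: {CREATE} on '*' with no Condition lets the role create ENIs in any VPC")
    return findings


# Constructed sample: the question's two Terraform statements rendered to JSON
# form, with placeholder region/account/VPC values (not real identifiers).
VPC_ARN = "arn:aws:ec2:REGION:ACCOUNT_ID:vpc/VPC_ID"
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": [DESCRIBE], "Resource": ["*"]},
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:AttachNetworkInterface", CREATE, DELETE,
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses", "ec2:DescribeVpcs"],
         "Condition": {"ArnEquals": {"ec2:vpc": VPC_ARN}}},
    ],
}

if __name__ == "__main__":
    print("\n".join(lint_eni_policy(QUESTION_POLICY)))
```

Run against the question's policy it reports exactly one finding, on the statement that put DeleteNetworkInterface under the VPC condition; the split policy from the answer above produces none.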
