WCY

Reputation: 327

resource handler returned message: "The role defined for the function cannot be assumed by Lambda"

This is my Lambda CF template. When I deploy it to CloudFormation, I get this error. I googled it but didn't find an answer that solves my problem. Can anyone help me with that?

Resource handler returned message: "The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, Request ID: b1484f34-b9b3-4000-af95-5a483649fb40, Extended Request ID: null)" (RequestToken: 9da1e852-6e03-80c5-e72c-cb978a6bce0f, HandlerErrorCode: InvalidRequest)

  ConfigurationLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: 'configuration-sqs-lambda1'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
                - s3.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSQSFullAccess
        - arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

  ConfigurationLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      Description: 'configuration service with lambda'
      FunctionName: 'configuration-lambda1'
      Handler: lambda.handler.EventHandler::handleRequest
      Runtime: java8
      MemorySize: 128
      Timeout: 120
      Code:
        S3Bucket: configurationlambda
        S3Key: lambda-service-1.0.0-SNAPSHOT.jar
      Role: !GetAtt ConfigurationLambdaRole.Arn

  ConfigurationLambdaInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName:
        Fn::GetAtt:
          - ConfigurationLambdaFunction
          - Arn
      Action: 'lambda:InvokeFunction'
      Principal: "sqs.amazonaws.com"
      SourceArn: 'arn:aws:s3:::configurationlambda'

Upvotes: 1

Views: 5391

Answers (1)

alexis-donoghue

Reputation: 3387

Your role does not allow the Lambda service to assume it. Pretty much what it says on the tin.

A simplified explanation is that the Lambda service assumes the IAM role in your function's execution environment, and the environment will have the necessary permissions and access keys while executing the function code. More details here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

Therefore, the handler role's AssumeRolePolicyDocument should have a similar layout:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Upvotes: 1
