Reputation: 31
So, something weird is happening which I can't seem to wrap my head around.
I have a Lambda function whose execution role has the AWS managed AWSLambdaVPCAccessExecutionRole policy in it.
This role has the ec2:CreateNetworkInterface action in it. But when I try adding a VPC to the Lambda, I get the error:
"The provided execution role does not have permissions to call CreateNetworkInterface on EC2"
As mentioned in many Stack Overflow threads, the AWSLambdaVPCAccessExecutionRole is part of the Lambda function's execution role, not the IAM user's role. But this issue still comes up. I have a SystemAdministrator account through which I am trying to add the VPC. One of the things that we have tried so far:
This issue is coming up in the organization's prd account. With a similar setup, we were able to deploy it in the non-prd account, though.
If anyone has any advice to solve or triage this issue, that would be great. Let me know if you need any additional details about the setup.
Upvotes: 0
Views: 38
Reputation: 17535
I've run into this and it's frustrating that Amazon hasn't fixed this or at least documented how to work around it.
If you had AWS create the role that runs this Lambda, then you have an "AWSLambdaBasicExecutionRole" that is used to run the Lambda. That has the CreateLogGroup, CreateLogStream, and PutLogEvents actions so that the Lambda can log. But when you put it into a VPC you need more. I have another role that contains:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": "*"
        }
    ]
}
That allowed me to put the Lambda into a VPC and remove it from it. I find it interesting that you have to know that the Lambda must be deployed onto some EC2 somewhere and that you need some permissions to update it.
Note that if you put the Lambda into the VPC right away, then it automatically creates this role. But if you do it later, then you have to have these permissions too.
Upvotes: 1
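As an added example (not code from the answer above), a local Python check that takes policy documents shaped like the one shown and reports which of the three ENI actions a role's attached policies fail to allow. It applies IAM's explicit-deny-wins rule but ignores Resource and Condition elements; the sample policies and the hypothetical Deny statement are constructed for illustration.

```python
import fnmatch

# The three EC2 actions the answer's policy grants for VPC-attached Lambdas.
REQUIRED_ACTIONS = [
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
]
# Constructed sample policies (shapes only, not real account data).
BASIC_LOGGING_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "*"}]}
VPC_ENI_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}]}
# A hypothetical explicit Deny, as a second attached policy might carry.
DENY_CREATE_ENI_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "ec2:CreateNetworkInterface", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_decision(policies, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.
    Simplified IAM evaluation: any matching explicit Deny wins over any Allow.
    Resource and Condition elements are ignored, so this is a local sanity
    check, not a substitute for the IAM policy simulator."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            # IAM action patterns use '*' and '?' wildcards, e.g. "ec2:*".
            if not any(fnmatch.fnmatchcase(action, p)
                       for p in _as_list(stmt.get("Action", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def missing_vpc_permissions(policies):
    """Required ENI actions that the given policy documents do not allow."""
    return [a for a in REQUIRED_ACTIONS if action_decision(policies, a) != "Allow"]

if __name__ == "__main__":
    for name, docs in [("logging only", [BASIC_LOGGING_POLICY]),
                       ("logging + ENI", [BASIC_LOGGING_POLICY, VPC_ENI_POLICY]),
                       ("ENI + deny", [VPC_ENI_POLICY, DENY_CREATE_ENI_POLICY])]:
        print(f"{name}: missing {missing_vpc_permissions(docs) or 'nothing'}")
```

The logging-only case reproduces the "does not have permissions to call CreateNetworkInterface" situation; the deny case shows why a role can carry the managed policy and still fail.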