Error Message connecting Lambda VPC with DocumentDb: The provided execution role does not have permissions to call CreateNetworkInterface on EC2

Question

I want to access DocumentDb in my Lambda function. I try to configure my VPC in the Edit VPC page for my lambda function but I get this error message that stops me;

> The provided execution role does not have permissions to call CreateNetworkInterface on EC2
How do I fix this?

Accepted Answer

Hi,

The Lambda function execution role must have permissions to create, describe and delete ENIs. AWS Lambda provides a permissions policy, AWSLambdaVPCAccessExecutionRole, with permissions for the necessary EC2 actions (ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces, and ec2:DeleteNetworkInterface) that you can use when creating a role

Simply add these permissions into the Lambda IAM roles policy as below:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}

```

See this also: https://repost.aws/knowledge-center/lambda-permissions-issues.

Hope it helps and if it does, I would appreciate answer to be accepted, so that community can benefit for clarity when searching for similar issues, thanks ;)

Error Message connecting Lambda VPC with DocumentDb: The provided execution role does not have permissions to call CreateNetworkInterface on EC2

Relevanter Inhalt