Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

(InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda

1

I get the following error when trying to create a function and assign a newly created role. I'm printing the ARN and it looks OK.

Using "Node.js 16.x"

2023-03-17T19:26:40.245Z	342fa261-e9d8-426d-9231-60d9409a76dc	INFO	Role ARN is arn:aws:iam::XXXX:role/MQTT-SAVE-ROLE
2023-03-17T19:26:40.446Z	342fa261-e9d8-426d-9231-60d9409a76dc	INFO	Role ARN is arn:aws:iam::XXXX:role/MQTT-SAVE-ROLE
2023-03-17T19:26:41.064Z	342fa261-e9d8-426d-9231-60d9409a76dc	INFO	InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda.


const AWS = require('aws-sdk');
const path = require('path');
const s3 = new AWS.S3();
const lambda = new AWS.Lambda();
const iam = new AWS.IAM();

exports.handler = async (event) => {
    // TODO implement
  
    //Create Role
    var info = {
        name: "MQTT-SAVE-ROLE",
        PolicyArn: ["arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"],
    };
    var role = await createRole(info);
    console.log("Role ARN is", role); 
    
    //Create Function
     info = {
      name: "mqtt_save",
      role: role
    };
    var respCreate = await createFunction(info);
   
    return;
};

async function createRole(info) {
    var role;
    
     var myPolicy = {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    };
    
    var createParams = {
     AssumeRolePolicyDocument: JSON.stringify(myPolicy),
     RoleName: info.name
    };
   
    
    try {
        var respIam = await iam.createRole(createParams).promise();
        console.log("Role ARN is", respIam.Role.Arn);           // successful response
        role = respIam.Role.Arn;
        
        //attach Role Policy
        for(var i = 0; i< info.PolicyArn.length; i++ ){
            
            var policyParams = {
                     PolicyArn: info.PolicyArn[i],
                     RoleName: info.name
                    };
            await iam.attachRolePolicy(policyParams).promise();
        }
        
        
    } catch (err) {
        console.log(err, err.stack); // an error occurred
        return;
    }
    
    return role;
    
}

async function createFunction(info) {
  
  //Create Function
  var params = {
        Code: { 
          S3Bucket: 'base-lambda-code',
          S3Key : info.name + '.zip',
        },
        FunctionName: info.name + '_test', 
        Description: 'Function used to save data from MQTT to Dynamo DB',
        Role: info.role, 
        Handler: 'index.handler',
        Runtime: "nodejs16.x" ,
        PackageType: "Zip",
        Publish: true,
        Timeout: '60',
  };
  
  try {
        var response = await lambda.createFunction(params).promise();
        console.log("ARN: ",response.FunctionArn );
        console.log("State: ", response.State  ); 
    } catch (err) {
        console.log(err, err.stack); // an error occurred
        return;
    }
        

    return response;
  
}
  • RIpe
    vor 5 Monaten

    Hi just faced something similar to this, even boto3 waiter calls are useless, I had to add a 9s delay right after role creation and then create function worked!

Themen
ServerlosKalkulationSicherheit, Identität & Konformität
Tags
AWS LambdaIAM-Richtlinien
Sprache
English
rePost-User-8626756
gefragt vor einem Jahr2345 Aufrufe
2 Antworten
0

Hi, I don't know Node.js but it seems to me the only policy in your code for the role is "myPolicy" which is the Trust (AssumeRole) policy? I can't see any execution permissions, e.g. use of a managed policy like AWSLambdaBasicExecutionRole or your own custom one.

EXPERTE
skinsman
beantwortet vor einem Jahr
  • rePost-User-8626756
    vor einem Jahr

    Thank you for the response Skisman, but I don't think that is the problem that I'm having right now, If I create the role and then run the function to add it to the lambda it works, it is just when I do it all in the same function. It looks like it needs to "wait until active" (I haven't found this option), I also tried adding delays but I get the same result

0

The issue is not about node js. This is the error: 2023-03-17T19:26:41.064Z 342fa261-e9d8-426d-9231-60d9409a76dc INFO InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda. Which means that we need to add lambda service in the trust policy as explained [here] (https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html)

One option is to dd this service to the the trust policy like this: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "sagemaker.amazonaws.com", "lambda.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] }

DingusTinku
beantwortet vor einem Monat

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt