'create function' lambda permission issue
Hi, I'm just a developer at work. The company I did my internship is currently developing a startApp project. As a developer I want to create lambda functions. But for this, the access premissions it gave me not enough and he doesn't know which premissions he should give. What access permissions do we need exactly?
I have already these permissions :
AWSLambda_FullAccess AWSXRayDaemonWriteAccess AWSLambdaExecute AWSLambdaSQSQueueExecutionRole AWSLambdaKinesisExecutionRole AWSLambdaBasicExecutionRole AWSLambdaInvocation-DynamoDB AWSLambdaRole
This is the warn: "User: arn:aws:iam::325845585854:user/Murat is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::325845585854:role/service-role/example-role-m4gdfidg because no identity-based policy allows the iam:CreateRole action"
- Newest
- Most votes
- Most comments
When you create a function, by default Lambda will automatically create an IAM execution role for the function. To do that, your IAM user will require the iam:CreateRole permission, which it looks like it doesn't currently. To do this, they could create a new policy that includes that permission and attach it to your IAM user. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html
It's important to bear in mind when granting permissions to IAM that some of these could allow a user with restricted permissions to escalate their privileges - for example, by allowing them to add additional permissions to their IAM user, or by creating and assuming a more privileged role.
Alternatively, if an appropriate Lambda service role already exists in the account, or could be created by another user, you can expand the Change default execution role section and select it, instead of creating a new role.
Relevant content
- asked 7 months ago
- asked 2 years ago
- Accepted Answerasked a year ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
