By using AWS re:Post, you agree to the Terms of Use

'create function' lambda permission issue


Hi, I'm just a developer at work. The company I did my internship is currently developing a startApp project. As a developer I want to create lambda functions. But for this, the access premissions it gave me not enough and he doesn't know which premissions he should give. What access permissions do we need exactly?

I have already these permissions :

AWSLambda_FullAccess AWSXRayDaemonWriteAccess AWSLambdaExecute AWSLambdaSQSQueueExecutionRole AWSLambdaKinesisExecutionRole AWSLambdaBasicExecutionRole AWSLambdaInvocation-DynamoDB AWSLambdaRole

This is the warn: "User: arn:aws:iam::325845585854:user/Murat is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::325845585854:role/service-role/example-role-m4gdfidg because no identity-based policy allows the iam:CreateRole action"

Enter image description here

1 Answers

When you create a function, by default Lambda will automatically create an IAM execution role for the function. To do that, your IAM user will require the iam:CreateRole permission, which it looks like it doesn't currently. To do this, they could create a new policy that includes that permission and attach it to your IAM user.

It's important to bear in mind when granting permissions to IAM that some of these could allow a user with restricted permissions to escalate their privileges - for example, by allowing them to add additional permissions to their IAM user, or by creating and assuming a more privileged role.

Alternatively, if an appropriate Lambda service role already exists in the account, or could be created by another user, you can expand the Change default execution role section and select it, instead of creating a new role.

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions