Hi Willysup,
Are you 100% sure of the AWS API call for which the Lambda has insufficient privileges? Maybe it's a different one than the one you believe is granted by the policy you mention.
So, I'd suggest going to CloudTrail to trace the type of the failing call made by this Lambda. Then you'll be able to fix the credentials.
Best.
Didier
Hi Willysup,
Did you ever figure this out? I've previously been able to deploy Lambda functions to VPCs when only the AWSLambdaVPCAccessExecutionRole policy was assigned to the execution role, but I'm no longer able to, and I'm seeing the exact same behaviour as you describe above with the ec2:CreateNetworkInterface action.
"errorCode": "Client.DryRunOperation", "errorMessage": "Request would have succeeded, but DryRun flag is set.",
I have tried to do this using both the console and Terraform, and it fails both times.
In addition to the permissions allowed in the AWSLambdaVPCAccessExecutionRole policy, my role is allowed to use the other actions as described in Giving Lambda functions access to resources in an Amazon VPC. However, I don't think that is the issue given the error is against the ec2:CreateNetworkInterface action and the user of that action is the Lambda function, not my/my assumed role.
Do you have a condition on your execution role? The Lambda service uses the Lambda execution role to create the network interface, so if you add a condition on the AssumeRolePolicyDocument it could block the use of the role by the Lambda service. That's the error I had when using a condition like this one:

```yaml
Effect: Allow
Principal:
  Service:
    - lambda.amazonaws.com
Action: sts:AssumeRole
Condition:
  ArnLike: "MyLambdaArn"
```
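An added Python example, not posted by anyone in this thread, that ties together Didier's CloudTrail suggestion and the trust-policy condition answer: it tallies the genuinely failing calls in a batch of CloudTrail records, treating the DryRun error as the non-denial its own message text describes, and reports which condition keys sit on a role's lambda.amazonaws.com trust statement. The records, the trust policy and its aws:SourceArn condition are constructed samples.

```python
from collections import Counter
# Constructed CloudTrail-style records (sample data, not from the thread), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
     "errorCode": "Client.DryRunOperation",
     "errorMessage": "Request would have succeeded, but DryRun flag is set."},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkInterface",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2"},
]

# Constructed execution-role trust policy; the aws:SourceArn condition is an
# assumed example of the kind of condition the answer above says broke things.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:lambda:eu-west-1:111122223333:function:MyLambda"}},
    }],
}

# The message text itself says the request would have succeeded, so this
# errorCode is noise when hunting for the denied call.
NOT_A_DENIAL = {"Client.DryRunOperation"}

def failing_calls(events):
    """Count real failures as (eventSource, eventName, errorCode) triples."""
    tally = Counter()
    for ev in events:
        code = ev.get("errorCode")
        if code and code not in NOT_A_DENIAL:
            tally[(ev["eventSource"], ev["eventName"], code)] += 1
    return tally

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lambda_trust_conditions(policy):
    """For each Allow statement that lets lambda.amazonaws.com assume the role,
    return the condition keys attached to it ([] means unconditional)."""
    found = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and "lambda.amazonaws.com" in services \
                and "sts:AssumeRole" in _as_list(st.get("Action")):
            found.append([k for op in st.get("Condition", {}).values() for k in op])
    return found
```

Any non-empty list returned for the trust statement is the condition to review when the Lambda service can no longer create the function's network interface.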
Just note that the policy I mentioned is the one defined in the Lambda documentation and I have used it for years. I have checked the CloudTrail logs and there is just one error I don't understand. The error is:
errorCode = Client.DryRunOperation
errorMessage = Request would have succeeded, but DryRun flag is set.
eventName = CreateNetworkInterface
I don't understand this error, as the CloudFormation deploy command has no dry-run option activated (and there are several other resources in the CloudFormation template without this dry-run issue). It seems that the Lambda service calls the CreateNetworkInterface API using a DryRun flag, but why?
This is a great reminder—CloudTrail really is clutch for digging into those unexpected permission issues. Sometimes the actual failing call isn’t what you think it is. Thanks for pointing that out, Didier.