
Issue uploading C# function to AWS Lambda - not authorized to perform: iam:PassRole


I am brand new to using Lambda except for a tiny bit of exploration a while back. I am trying to upload a HelloWorld app created from a template in Visual Studio. I can see the various services in the "AWS Explorer" window including three previous Lambda functions created in the past. For some reason I cannot upload this generic hello world function using Visual Studio.

The error message I am getting is:

Creating new Lambda function MedFlaminator Error creating Lambda function: User: arn:aws:iam::xxxxxxxxxxxxxxxx:user/LambdaDeveloper is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxxxxxxxx:role/service-role/helloWorld because no identity-based policy allows the iam:PassRole action

Frustrating as I am following this tutorial here that says nothing about this PassRole. I do find other pages but they are clear as mud.

Can someone please help me understand this issue and how to resolve?

1 Answer

This likely means that the account you are using to connect to AWS (LambdaDeveloper, it looks like) does not have permission to create Lambda functions. Go into the IAM section of the AWS console and see what permissions and policies are associated with the LambdaDeveloper user, and make sure that the proper policies have been attached.

For example:

  • Go to IAM > Users
  • Click on the LambdaDeveloper user
  • Click the blue "Add permissions" button
  • Choose "Attach existing policies directly"
  • Search for "AWSLambda_FullAccess" and click the checkbox next to it
  • Click the blue "Next: Review" button
  • Click the blue "Add permissions" button

Then try to upload your Lambda function as before.

Note that this is the down and dirty approach to verify that it's a permission problem. Instead of attaching permissions directly to a user as above, it would be better to create a User group (e.g. "developer"), attach the Lambda permissions to that group, and then associate the user with the group. Also, you may not want to grant "Full Access" to Lambda, but something more constrained to the purpose at hand. That can be quite a long topic, so best left for another time.

answered 7 months ago
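As a constrained alternative to a full-access policy, here is an added example (not part of the original question or answer) that reads the access-denied message and builds an identity policy allowing `iam:PassRole` only on the named role and only to the Lambda service. The account ID `111122223333` and the function names are constructed placeholders; the user still needs separate Lambda permissions to create the function.

```python
import json
import re

# Shape of the IAM access-denied text quoted in the question.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:iam::[^:\s]+:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>arn:aws:\S+)"
)
# Constructed sample: same wording as the error on this page, with a
# placeholder 12-digit account ID in place of the masked one.
SAMPLE_ERROR = (
    "Error creating Lambda function: User: "
    "arn:aws:iam::111122223333:user/LambdaDeveloper is not authorized to perform: "
    "iam:PassRole on resource: arn:aws:iam::111122223333:role/service-role/helloWorld "
    "because no identity-based policy allows the iam:PassRole action"
)

def parse_denial(message):
    """Return the principal, action and resource named in an access-denied message."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("not an IAM access-denied message")
    return match.groupdict()

def scoped_pass_role_policy(message, service="lambda.amazonaws.com"):
    """Build an identity policy that allows only the denied iam:PassRole call."""
    denial = parse_denial(message)
    if denial["action"] != "iam:PassRole":
        raise ValueError("expected an iam:PassRole denial, got " + denial["action"])
    if ":role/" not in denial["resource"]:
        raise ValueError("iam:PassRole must target a role ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PassExecutionRoleToLambdaOnly",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            # One role, not "*": the user cannot hand Lambda a more powerful role.
            "Resource": denial["resource"],
            # The role may only be passed to the Lambda service.
            "Condition": {"StringEquals": {"iam:PassedToService": service}},
        }],
    }

if __name__ == "__main__":
    print(json.dumps(scoped_pass_role_policy(SAMPLE_ERROR), indent=2))
```

The printed JSON can be attached to the user or group as an inline or customer-managed policy after review.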
