3 votes

I am following the tutorial of implementing lambda and S3 together at http://docs.aws.amazon.com/lambda/latest/dg/with-s3-example-upload-deployment-pkg.html

I have added a role (IAM > Roles > lambda-s3-execution-role), and it has the policy AWSLambdaExecute:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Furthermore, I have set the IAM user as adminuser, and can run commands like aws lambda list-functions --profile adminuser, but when I run the following command

aws lambda create-function \
--region us-east-2 \
--function-name CreateThumbnail \
--zip-file fileb://~/Deployment/build/distributions/lambdaDeployment.zip \
--role arn:aws:iam::12345678:role/lambda-s3-execution-role \
--handler CreateThumbnail.handler \
--runtime java8 \
--profile adminuser \
--timeout 10 \
--memory-size 1024

I got an error:

An error occurred (AccessDeniedException) when calling the CreateFunction operation: An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:iam::12345678:user/testaccountyn is not authorized to perform: iam:PassRole on resource: arn:aws:iam::12345678:role/lambda-s3-execution-role

Could you show me a path forward? Thanks!

Given that error message I would think that your user testaccountyn is missing the iam:PassRole permission... – Mark B
Hi @MarkB Thanks for answering, I am quite confused, how could I add iam:PassRole to the user? I have also added the AWSLambdaExecute policy in this user's permissions btw. – user8142520
Your user has a policy assigned to it, right? So edit that policy to add iam:PassRole. – Mark B
Thanks for the information. It still does not work, though I have added an inline policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1497045163000", "Effect": "Allow", "Action": [ "iam:PassRole", "iam:ListInstanceProfiles" ], "Resource": [ "*" ] } ] } – user8142520
Did you check the trust relationship of the role? – Ashan

1 Answer

3 votes

Solved this problem for me: Replace your --role argument with the arn:aws:iam role ARN that you created earlier in the tutorial.

I had the same problem. If you look at the CLI arguments from the tutorial, the IAM ID seems to be filled in arbitrarily; it's literally the number 12345678. From your bottom code snippet: --role arn:aws:iam::12345678:role/lambda-s3-execution-role.

To solve this I had to paste the ID of the Role I created earlier in the tutorial in the Create An Execution Role step. Open the IAM service in AWS, click 'Roles', select the 'Permissions' tab, and copy your Role ARN:

[Image showing where the Role ARN is located in AWS]

Replace the arn:aws:iam:12345678.. line in the aws lambda create-function command with your credentials. The final command should look something like:

$ aws lambda create-function --function-name CreateThumbnail \
--zip-file fileb://function.zip --handler index.handler --runtime nodejs8.10 \
--timeout 10 --memory-size 1024 \
--role REPLACE:THIS:WITH:YOUR:ROLE:ARN

That should do it! Hope it saves others some time!!

Additionally, if you're getting an aws: command not found error when running the command above, you'll need to install the AWS Command Line Tools by following these steps: Installing the AWS CLI

If you're getting a You must specify a region. You can also configure your region by running "aws configure". error, you'll need to configure your terminal profile by following these steps: Configuring the AWS CLI.
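As an added example (not part of the question or the answer above), the shell script below ties the two threads together: it looks the role ARN up by name instead of copying the tutorial's 12345678 placeholder, rejects ARNs that do not have a real 12-digit account ID, checks the role's trust relationship as Ashan's comment suggests, and prints a PassRole statement scoped to that one role and to Lambda rather than the "Resource": "*" from the comments. It assumes the AWS CLI is installed and uses the profile (adminuser), role name and create-function arguments from the question; only the ARN check and the policy output run offline.

```shell
#!/bin/sh
# Added example; assumes the AWS CLI and the names from the question.
set -eu

# Returns 0 when $1 has the shape arn:aws:iam::<12-digit account>:role/<name>.
# The tutorial's placeholder arn:aws:iam::12345678:role/... fails (8 digits),
# and a single colon after "iam" fails too.
valid_role_arn() {
  case "$1" in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Least-privilege PassRole statement for the calling user: only the role in $1,
# and only when it is passed to Lambda (tighter than "Resource": "*" with no condition).
passrole_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "$1",
    "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}
  }]
}
EOF
}

# Resolve the role ARN by name, verify it, confirm the trust policy, then deploy.
deploy() {
  role_arn=$(aws iam get-role --role-name lambda-s3-execution-role \
               --query Role.Arn --output text --profile adminuser)
  valid_role_arn "$role_arn" || { echo "unexpected role ARN: $role_arn" >&2; return 1; }
  # Without this trust, PassRole can succeed but Lambda still cannot assume the role.
  aws iam get-role --role-name lambda-s3-execution-role --profile adminuser \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.Service' --output text \
    | grep -q lambda.amazonaws.com \
    || { echo "role does not trust lambda.amazonaws.com" >&2; return 1; }
  aws lambda create-function --region us-east-2 --function-name CreateThumbnail \
    --zip-file fileb://~/Deployment/build/distributions/lambdaDeployment.zip \
    --role "$role_arn" --handler CreateThumbnail.handler --runtime java8 \
    --profile adminuser --timeout 10 --memory-size 1024
}
```

Run deploy from the script once the user has the PassRole statement attached; the printed policy can be pasted into the user's inline policy in place of the wildcard one.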