AWS Lambda:The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

Front-end | Unresolved | 6 | 1516
难免孤独 2021-02-06 21:17

Today I have a new AWS Lambda question, and can't find it anywhere on Google.

I created a new Lambda function; there is no problem. But when I input any code in this function [e.g.

6 answers
  • 2021-02-06 21:33

    It is definitely a strange error, but are you sure the example code you added is the one you're using in your lambda?

    Because in your code, you are trying to log something in your lambda after returning control via the callback. In other words, first you told your lambda that you're done. Next, while it is busy shutting down and returning your results, you try to do some logging...

    So first, I'd try this:

    exports.handler = (event, context, callback) => {
        console.log('this is a test');
        // do stuff
        callback(null, 'Hello from Lambda'); // only do a callback *after* you've run all your code
    };
    

    And see if that fixes the problem.

    0  Discuss (0)
  • 2021-02-06 21:44

    This is actually such a common issue.

    You can resolve this by adding a custom Inline Policy to the Lambda execution role under the Permissions tab.

    Just add this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeNetworkInterfaces",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeInstances",
            "ec2:AttachNetworkInterface"
          ],
          "Resource": "*"
        }
      ]
    }
    

    There's a full tutorial with pictures here if you need more information or are confused: https://ao.gl/the-provided-execution-role-does-not-have-permissions-to-call-createnetworkinterface-on-ec2/

    0  Discuss (0)
  • 2021-02-06 21:53

    This error is common if you try to deploy a Lambda in a VPC without giving it the required network interface related permissions ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, and ec2:DeleteNetworkInterface (see AWS Forum).

    For example, this is a policy that allows deploying a Lambda into a VPC:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeNetworkInterfaces",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeInstances",
            "ec2:AttachNetworkInterface"
          ],
          "Resource": "*"
        }
      ]
    }
    
    0  Discuss (0)
  • 2021-02-06 21:54

    via AWS CLI using a Managed Policy

    • To grant my Lambda the necessary permissions to dig into a VPC where a production RDS db lives.
    • As mentioned by @portatlas above, the AWSLambdaVPCAccessExecutionRole managed policy fits like a glove (and we all know IAM Managed Policies are an AWS-recommended best practice).
    • This is for Lambdas with a service role already attached.

    1. Get Lambda Service Role

    • Piping aws lambda get-function-configuration output into a grep for Role (there is probably a cleaner/leaner/meaner way to do this)

      aws lambda get-function-configuration \
          --function-name <<your function name or ARN here>> \
          | grep "Role"
      
    • returns

      "Role": "arn:aws:iam::000000000000:role/service-role/your-service-role-name",
      
    • Take the value after the Role ARN's last slash (your-service-role-name) to step 2

    2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role

    aws iam attach-role-policy \
        --role-name your-service-role-name \
        --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
    
    0  Discuss (0)
  • 2021-02-06 21:55

    Here's a quick and dirty way of resolving the error.

    Open IAM on AWS console, select the role that's attached to the Lambda function and give it the EC2FullAccess permission.

    This will let you update the Lambda VPC by granting EC2 control access. Be sure to remove the permission from the role afterwards; the function still runs.

    Is it more or less secure than leaving some permissions attached permanently? Debatable.

    0  Discuss (0)
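As an added example, not code from this thread or from AWS, the following Python script checks a policy document offline against the three ENI actions named in the answers above and reports which other EC2 actions it grants. It covers the inline policy posted in two of the answers, the full-EC2-access shortcut in the answer just above (modelled as a constructed `"ec2:*"` statement), and the ARN-to-role-name step of the CLI answer (`role_name_from_arn`). The function and constant names (`check_vpc_permissions`, `KNOWN_EC2_ACTIONS`, `role_name_from_arn`) are my own, the sample policies are constructed from the thread, and the evaluator is deliberately simplified: it honours Allow/Deny and action wildcards but ignores Resource, Condition and NotAction.

```python
"""Offline check of an IAM policy document for Lambda-in-VPC ENI permissions.

Added example, not code from the original thread. Simplified IAM semantics:
Allow/Deny plus action wildcards; Resource, Condition and NotAction are ignored.
"""
import fnmatch
import json

# The three actions the answers name as required for a VPC-attached function.
REQUIRED_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

# Constructed sample of real EC2 action names, used to probe what a wildcard
# such as "ec2:*" actually grants (the full EC2 action list is not enumerated).
KNOWN_EC2_ACTIONS = REQUIRED_ACTIONS + (
    "ec2:DescribeInstances",
    "ec2:AttachNetworkInterface",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
    "ec2:AuthorizeSecurityGroupIngress",
)

# Constructed: the inline policy posted in the thread.
INLINE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface",
               "ec2:DeleteNetworkInterface", "ec2:DescribeInstances",
               "ec2:AttachNetworkInterface"],
    "Resource": "*"
  }]
}"""

# Constructed stand-in for the "just grant full EC2 access" shortcut.
FULL_EC2_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}"""


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_allowed(policy_doc, action):
    """Return True if `action` is allowed; an explicit Deny always wins."""
    allowed = False
    for stmt in _as_list(policy_doc.get("Statement")):
        if "NotAction" in stmt:
            continue  # inverted statements are out of scope for this checker
        if _matches(action, _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def check_vpc_permissions(policy_json, known_actions=KNOWN_EC2_ACTIONS):
    """Return {'missing': [...], 'extra': [...]} for a policy JSON string."""
    doc = json.loads(policy_json)
    missing = [a for a in REQUIRED_ACTIONS if not action_allowed(doc, a)]
    extra = sorted(a for a in known_actions
                   if a not in REQUIRED_ACTIONS and action_allowed(doc, a))
    return {"missing": missing, "extra": extra}


def role_name_from_arn(role_arn):
    """Role name from a role ARN such as the "Role" value printed by
    `aws lambda get-function-configuration`; `service-role/` is only a path
    prefix, the name is everything after the last slash."""
    resource = role_arn.split(":", 5)[5]  # e.g. "role/service-role/my-role"
    if not resource.startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return resource.rsplit("/", 1)[1]


if __name__ == "__main__":
    for name, policy in [("inline", INLINE_POLICY), ("full-ec2", FULL_EC2_POLICY)]:
        print(name, check_vpc_permissions(policy))
    print(role_name_from_arn(
        "arn:aws:iam::000000000000:role/service-role/your-service-role-name"))
```

Run as a script it reports that the thread's inline policy grants the three required actions plus two the answers do not call for, and that the `ec2:*` shortcut grants every probed action, which is what makes "attach full access, then remove it" a riskier habit than attaching the scoped managed policy. Note that EC2 `Describe*` actions do not accept resource-level restrictions, so `"Resource": "*"` is expected for `ec2:DescribeNetworkInterfaces`; the Create/Delete actions can be scoped to subnets, security groups and network interfaces if you want to tighten further.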
  • 2021-02-06 21:59

    If you are using terraform, just add:

    resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
        role       = aws_iam_role.lambda.name
        policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
    }
    
    0  Discuss (0)