问题
I'm getting the error "The role defined for the function cannot be assumed by Lambda" when I'm trying to create a lambda function with create-function command.
aws lambda create-function
--region us-west-2
--function-name HelloPython
--zip-file fileb://hello_python.zip
--role arn:aws:iam::my-acc-account-id:role/default
--handler hello_python.my_handler
--runtime python2.7
--timeout 15
--memory-size 512
回答1:
I got the error "The role defined for the function cannot be assumed by Lambda" because i had not updated the roles "Trust Relationship" config file. I didn't encounter the timeout issues as in the linked answer in the comments.
The comments in the above answers pointed out that you need to add the following.
- Go to 'IAM > Roles > YourRoleName'
- (Note: if your role isn't listed, then you need to create it.)
- Select the 'Trust Relationships' tab
- Select 'Edit Trust Relationship'
Mine ended up like the below.
{
"Version": "2012-10-17",
"Statement": [
{
<your other rules>
},
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
回答2:
I'm also encountering this error. Have not got a definitive answer (yet) but figured I'd pass along a couple of hints that may help you and/or anyone else hitting this problem.
A) If you build the Role ARN by putting together your account ID and role name, I think the account ID needs to be without any dashes
B) If you just created the role, and possibly added policies to it, there seems to be a (small) window of time in which the role will trigger this error. Sleeping 5 or 6 seconds between the last operation on the role and the create-function call allowed me to bypass the issue (but of course, the timing may be variable so this is at best a work-around).
回答3:
For me, the issue was that I had an incomplete name for the role. I set
--role arn:aws:iam::000000000000:role/MyRoleName
when it should have been
--role arn:aws:iam::000000000000:role/service-role/MyRoleName
(of course my aws id isn't actually 000000000000)
I discovered this by running
aws iam get-role --role-name MyRoleName
and looking at the "Arn"
property in the result set.
回答4:
For me, the issue was that I had set the wrong default region environment key.
回答5:
Had the same issue although my IAM role did have the right policy and trust relationship. Lambda creation worked fine when done through CLI the problem was when using lambda module after just creating the IAM role.
I also tried to "pause" for few seconds but it didn't help.
Ended up adding retry and delay until registerdLambda.code was defined. Usually it works after 1-2 tries.
example:
- name: creating lambda function
lambda:
state: present
name: "{{ lambdaName }}"
zip_file: "{{ lambdaZipFile }}"
runtime: "{{ lambdaRuntime }}"
role: "{{ lambdaRole }}"
description: "{{ lambdaDescription }}"
handler: "{{ lambdaHandler }}"
register: lambdaFunc
retries: 3
delay: 10
until: "{{ lambdaFunc.code is defined }}"
回答6:
Most people end up in this error because of giving the wrong Role ARN in CloudFormation while creating the Lambda Function.
Make sure the role is completed first by using "DependsOn" and use the intrinsic function """{ "Fn::GetAtt" : [ "your-role-logical-name", "Arn" ] }"""
回答7:
I was running into this error with terraform and needed to add an assume role policy and apply it to the role that lambda assumes.
data "aws_iam_policy_document" "lambda_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = [
"lambda.amazonaws.com"
]
}
}
resource "aws_iam_role" "lambda_rotation_role" {
name = "lambda-rotation-role"
assume_role_policy = "${data.aws_iam_policy_document.lambda_assume_role_policy.json}"
}
回答8:
I am just learning to use the AWS CLI and ran into this issue.
I am using a series of PowerShell scripts to deploy an entire AWS architecture. My createRole.ps1 script contains:
aws iam create-role `
--role-name $roleName `
--assume-role-policy-document file://myRoleTrustPolicy.json
The file myRoleTrustPolicy.json contains:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
It is the "lambda.amazonaws.com" line that was missing from Service list that was causing the issue.
Once I fixed that, the invocation of aws lambda create-function worked great.
aws lambda create-function `
--function-name $fn `
--runtime java8 `
--role $currentRoleARN `
--handler "handleRequest" `
--memory-size 128 `
--zip-file $jarFile
来源:https://stackoverflow.com/questions/36419442/the-role-defined-for-the-function-cannot-be-assumed-by-lambda