AWS Lambda:The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2
This error is common if you try to deploy a Lambda in a VPC without giving it the required network-interface permissions: ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, and ec2:DeleteNetworkInterface (see AWS Forum).
For example, this is a policy that allows deploying a Lambda into a VPC:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
If you are using Terraform, just add:
resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
via AWS CLI using a Managed Policy
- To grant my Lambda the necessary permissions to dig into a VPC where a production RDS DB lives.
- As mentioned by @portatlas above, the AWSLambdaVPCAccessExecutionRole managed policy fits like a glove (and we all know IAM Managed Policies are an AWS-recommended best practice).
- This is for Lambdas with a service role already attached.
1. Get Lambda Service Role
Pipe the aws lambda get-function-configuration output into a grep for Role (there is probably a cleaner/leaner/meaner way to do this):
  aws lambda get-function-configuration \
    --function-name <<your function name or ARN here>> \
    | grep "Role"
which returns
  "Role": "arn:aws:iam::000000000000:role/service-role/your-service-role-name",
Take the value after the Role ARN's last slash (your-service-role-name) to step 2.
2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role
  aws iam attach-role-policy \
    --role-name your-service-role-name \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
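The two CLI steps above as one script, added here as an example and not part of any of the answers. It assumes a configured AWS CLI with permission to call lambda get-function-configuration, iam attach-role-policy and iam list-attached-role-policies; the role-name extraction is done in the shell and exercised offline against a constructed sample of the get-function-configuration JSON (the same shape the answer shows). The function names (role_arn_from_config, role_name_from_arn, policy_attached, attach_vpc_policy) are my own, and the final list-attached-role-policies check is the verification step the answer leaves implicit.

```shell
#!/bin/sh
# Added example: look up a Lambda's execution role, attach the VPC access
# managed policy, and verify the attachment. Not from the original answers.
set -eu

VPC_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

# Pull the "Role" value out of `aws lambda get-function-configuration` JSON.
role_arn_from_config() {
    printf '%s\n' "$1" | sed -n 's/.*"Role"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The role name is everything after the ARN's last slash
# (arn:aws:iam::123456789012:role/service-role/foo -> foo).
role_name_from_arn() {
    printf '%s\n' "${1##*/}"
}

# True if the policy ARN ($2) appears as a whole line in $1
# (the output of list-attached-role-policies, one ARN per line).
policy_attached() {
    printf '%s\n' "$1" | grep -Fxq "$2"
}

# Full procedure against a live function: look up role, attach, verify.
# Requires the AWS CLI and credentials; not run by the offline part below.
attach_vpc_policy() {
    fn="$1"
    config=$(aws lambda get-function-configuration --function-name "$fn" --output json)
    role_arn=$(role_arn_from_config "$config")
    role_name=$(role_name_from_arn "$role_arn")
    echo "Function $fn runs as role $role_name"

    aws iam attach-role-policy --role-name "$role_name" --policy-arn "$VPC_POLICY_ARN"

    # --output text prints the ARNs tab-separated on one line; split to lines.
    attached=$(aws iam list-attached-role-policies --role-name "$role_name" \
        --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n')
    if policy_attached "$attached" "$VPC_POLICY_ARN"; then
        echo "OK: $VPC_POLICY_ARN attached to $role_name"
    else
        echo "ERROR: $VPC_POLICY_ARN not attached to $role_name" >&2
        return 1
    fi
}

# Constructed sample of get-function-configuration output (account id and
# role name are placeholders) so the parsing can be exercised without AWS.
SAMPLE_CONFIG='{
  "FunctionName": "my-function",
  "Role": "arn:aws:iam::000000000000:role/service-role/your-service-role-name",
  "Runtime": "python3.9"
}'

if [ "$#" -gt 0 ]; then
    attach_vpc_policy "$1"
else
    # Offline demonstration; prints your-service-role-name
    role_name_from_arn "$(role_arn_from_config "$SAMPLE_CONFIG")"
fi
```

Run it with the function name or ARN as the only argument to perform the live attach; with no argument it only demonstrates the parsing on the embedded sample. The verification step matters because attach-role-policy succeeds silently, so a typo in the role name taken from the grep output would otherwise go unnoticed until the next deploy fails with the same error.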