AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

This error is common if you try to deploy a Lambda in a VPC without giving it the required network interface related permissions ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, and ec2:DeleteNetworkInterface (see AWS Forum).

For example, this is a policy that allows you to deploy a Lambda into a VPC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

If you are using Terraform, just add:

resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
    role       = aws_iam_role.lambda.name
    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

via AWS CLI using a Managed Policy

  • To grant my Lambda the necessary permissions to dig into a VPC where a production RDS db lives.
  • As mentioned by @portatlas above, the AWSLambdaVPCAccessExecutionRole managed policy fits like a glove (and we all know IAM Managed Policies are an AWS-recommended best-practice).
  • This is for Lambdas with a service role already attached.

1. Get Lambda Service Role

  • Piping aws lambda get-function-configuration output into a grep for Role (probably a cleaner/leaner/meaner way to do this)

    aws lambda get-function-configuration \
        --function-name <<your function name or ARN here>> \
        | grep "Role"
    
  • returns

    "Role": "arn:aws:iam::000000000000:role/service-role/your-service-role-name",
    
  • Take the value after the role ARN's last slash (your-service-role-name) to step #2

2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role

aws iam attach-role-policy \
    --role-name your-service-role-name \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
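Before attaching anything, it is worth checking offline whether the role's existing policy set already names the three ENI actions the error complains about (the inline policy in the first answer) and, if not, rendering the attach command from the second answer with the role name parsed out of the ARN. The script below is an added example and is not code from either answer; it evaluates policy documents in the shape returned by aws iam get-policy-version / aws iam get-role-policy, but the documents here are constructed samples (a logs-only basic execution policy, the first answer's VPC policy, and an explicit Deny) rather than data pulled from an account. The helper names (role_name_from_arn, missing_actions, attach_command) are this example's own.

```python
"""Offline check for the ENI permissions a VPC-attached Lambda needs.

Added example, not from the answers above. The policy documents are
constructed samples; in real use fetch them with the AWS CLI or boto3
and pass them to missing_actions().
"""

import fnmatch

# The actions named in the error message and the first answer. The managed
# policy AWSLambdaVPCAccessExecutionRole grants these plus others.
REQUIRED_ACTIONS = (
    "ec2:DescribeNetworkInterfaces",
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
)

MANAGED_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
)


def role_name_from_arn(role_arn: str) -> str:
    """Step 1 of the CLI answer: the role name is everything after the last
    slash, so a path such as /service-role/ is dropped as well."""
    if ":role/" not in role_arn:
        raise ValueError(f"not a role ARN: {role_arn}")
    return role_arn.rsplit("/", 1)[1]


def _as_list(value):
    # IAM allows a single string or a list for Action, NotAction, Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy_documents, actions=REQUIRED_ACTIONS):
    """Return the required actions that no statement allows, or that some
    statement explicitly denies (an explicit Deny wins over any Allow).

    Simplified evaluator: only Effect, Action and NotAction are consulted.
    Resource, Condition and permission boundaries are ignored, so a clean
    result means 'a statement names the action', not a full IAM simulation
    (use aws iam simulate-principal-policy for that).
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            acts = _as_list(stmt.get("Action"))
            not_acts = _as_list(stmt.get("NotAction"))
            for action in actions:
                if acts:
                    hit = _matches(acts, action)
                else:
                    hit = bool(not_acts) and not _matches(not_acts, action)
                if not hit:
                    continue
                (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return [a for a in actions if a not in allowed or a in denied]


def attach_command(role_arn: str) -> str:
    """Step 2 of the CLI answer, rendered for the given role."""
    return (f"aws iam attach-role-policy --role-name {role_name_from_arn(role_arn)} "
            f"--policy-arn {MANAGED_POLICY_ARN}")


# Constructed sample policies (not real account data).
BASIC_EXECUTION = {  # logs only, like a basic execution role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                              "logs:PutLogEvents"],
                   "Resource": "*"}],
}

VPC_ACCESS = {  # the inline policy from the first answer
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:DescribeNetworkInterfaces",
                              "ec2:CreateNetworkInterface",
                              "ec2:DeleteNetworkInterface",
                              "ec2:DescribeInstances",
                              "ec2:AttachNetworkInterface"],
                   "Resource": "*"}],
}

DENY_ENI_DELETE = {  # an explicit Deny that still breaks the role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:DeleteNetworkInterface",
                   "Resource": "*"}],
}


if __name__ == "__main__":
    arn = "arn:aws:iam::000000000000:role/service-role/your-service-role-name"
    for label, docs in (("basic only", [BASIC_EXECUTION]),
                        ("basic + vpc", [BASIC_EXECUTION, VPC_ACCESS]),
                        ("vpc + deny", [VPC_ACCESS, DENY_ENI_DELETE])):
        gap = missing_actions(docs)
        print(f"{label}: missing {gap or 'nothing'}")
        if gap:
            print("  fix:", attach_command(arn))
```

The third sample is the case a plain "does the policy list the action" grep misses: an explicit Deny anywhere in the effective policy set still produces the same error even though the Allow from the first answer is attached, so a missing-permission report should treat Deny as overriding Allow, as IAM does.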