AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2


Solution 1

This error is common if you try to deploy a Lambda in a VPC without giving it the required network-interface-related permissions ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, and ec2:DeleteNetworkInterface (see AWS Forum).

For example, this is a policy that allows deploying a Lambda into a VPC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

Solution 2

If you are using Terraform, just add:

resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
    role       = aws_iam_role.lambda.name
    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

Solution 3

via Managed Policy

  • To grant Lambda the necessary permissions to dig into a VPC where a production RDS db resides in a private subnet.
  • As mentioned by @portatlas above, the AWSLambdaVPCAccessExecutionRole managed policy fits like a glove (and we all know use of IAM Managed Policies is an AWS-recommended best-practice).
  • This is for Lambdas with a service role already attached.

AWS CLI

1. Get Lambda Service Role

  • Ask Lambda API for function configuration, query the role from that, output to text for an unquoted return.
    aws lambda get-function-configuration \
        --function-name <<your function name or ARN here>> \
        --query Role \
        --output text
    
  • Returns the role name; take your-service-role-name to step 2:
    your-service-role-name
    

2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role

aws iam attach-role-policy \
    --role-name your-service-role-name \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

CDK 2 TypeScript

import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';

// Runs inside a Stack that already has a `vpc` (ec2.IVpc) in scope.
const lambdaVPCExecutionRole:iam.Role = new iam.Role(this, `createLambdaVPCExecutionRole`, {
    roleName        : `lambdaVPCExecutionRole`,
    assumedBy       : new iam.ServicePrincipal(`lambda.amazonaws.com`),
    description     : `Lambda service role to operate within a VPC`,
    managedPolicies : [
        iam.ManagedPolicy.fromAwsManagedPolicyName(`service-role/AWSLambdaVPCAccessExecutionRole`),
    ],
});

const lambdaFunction:lambda.Function = new lambda.Function(this, `createLambdaFunction`, {
    runtime : lambda.Runtime.NODEJS_14_X,
    handler : `lambda.handler`,
    code    : lambda.AssetCode.fromAsset(`./src`),
    vpc     : vpc,
    role    : lambdaVPCExecutionRole,
});

Solution 4

This is actually such a common issue.

You can resolve this by adding a custom Inline Policy to the Lambda execution role under the Permissions tab.

Just add this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

There's a full tutorial with pictures here if you need more information or are confused: https://ao.ms/the-provided-execution-role-does-not-have-permissions-to-call-createnetworkinterface-on-ec2/
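
A way to check a role's policy documents offline against the three ENI actions that Solutions 1 and 4 (and the managed policy in the other answers) grant, before attaching anything. This is an added example written for this page, not code from any of the answers. It evaluates only the Action/NotAction, Effect and Resource elements of identity policies, applying IAM's rule that an explicit Deny beats any Allow and that no match is an implicit deny; statements with a Condition or without Resource "*" are ignored, which is a simplification chosen for this example. The names REQUIRED_VPC_ACTIONS, evaluate_action and missing_vpc_permissions, and the two extra policy documents, are this example's own and are constructed to show a read-only role of the kind that hits the error and a Deny that overrides the inline policy.

```python
"""Offline check: does an IAM identity policy grant the EC2 ENI actions a
VPC-attached Lambda needs?  Added example; not code from the answers above."""
import fnmatch
import json

# The ENI actions named in the answers above. The one that is missing is the
# one the "does not have permissions to call ... on EC2" error complains about.
REQUIRED_VPC_ACTIONS = (
    "ec2:DescribeNetworkInterfaces",
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
)


def _as_list(value):
    """IAM accepts a single string or a list for Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; patterns may use * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action/NotAction element selects `action`.
    Simplifying assumption for this example: the statement must apply to
    Resource "*" (every answer above grants the ENI actions that way) and
    carry no Condition; anything else is ignored."""
    if stmt.get("Condition") or "*" not in _as_list(stmt.get("Resource")):
        return False
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    return not any(_action_matches(p, action) for p in _as_list(stmt.get("NotAction")))


def evaluate_action(policies, action):
    """Return "allow", "deny" or "implicit-deny" for one action across the
    given policy documents: an explicit Deny wins over any Allow, and no
    matching statement at all is an implicit deny."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_covers(stmt, action):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit-deny"


def missing_vpc_permissions(policies):
    """Required ENI actions the role would still lack; empty means the
    function can be placed in a VPC as far as these permissions go."""
    return [a for a in REQUIRED_VPC_ACTIONS
            if evaluate_action(policies, a) != "allow"]


# The inline policy from Solutions 1 and 4, verbatim.
INLINE_VPC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}""")

# Constructed for this example: a read-only role that can describe but not
# create or delete ENIs, the shape of role that produces the error in the question.
READ_ONLY_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

# Constructed for this example: a Deny statement attached alongside the inline
# policy. It wins, so the role still cannot be placed in a VPC.
DENY_CREATE_ENI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:CreateNetworkInterface",
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print("inline policy :", missing_vpc_permissions([INLINE_VPC_POLICY]))
    print("read-only ec2 :", missing_vpc_permissions([READ_ONLY_EC2_POLICY]))
    print("inline + deny :", missing_vpc_permissions([INLINE_VPC_POLICY, DENY_CREATE_ENI_POLICY]))
```

To run it against a real role, fetch the documents with `aws iam get-role-policy` (inline) and `aws iam get-policy-version` (managed) and pass the parsed JSON in as the list. The check deliberately ignores Condition elements, resource ARNs and permissions boundaries, so an empty result says the three actions are granted on Resource "*", not that the full IAM evaluation would succeed.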

Solution 5

It seems like this has been answered many different ways already, but as of this posting, AWS has a managed policy. If you just search for AWSLambdaVPCAccessExecutionRole you will be able to attach it, and this method worked for me.

Here is the arn:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
Author: fish

Debug the world.

Updated on February 17, 2022

Comments

  • fish, over 2 years ago:

    Today I have a new AWS Lambda question, and can't find anything about it on Google.

    I created a new Lambda function, which was no problem. But when I input any code in this function [e.g. console.log();] and click "Save", an error occurs: "The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2"

    exports.handler = (event, context, callback) => {
        callback(null, 'Hello from Lambda');
        console.log();  // here is my code   
    }; 
    

    I bound the function to the role lambda_excute_execution (policy: AmazonElasticTranscoderFullAccess), and this function is not bound to any triggers now.

    And then, when I give the role the "AdministratorAccess" policy, I can save my source code correctly.

    This role can run Functions successfully before today.

    Does anyone know this error?

    Thanks Very much!