The role defined for the function cannot be assumed by Lambda


Solution 1

I got the error "The role defined for the function cannot be assumed by Lambda" because I had not updated the role's "Trust Relationship" config file. I didn't encounter the timeout issues as in the linked answer in the comments.

The comments in the above answers pointed out that you need to add the following.

  1. Go to 'IAM > Roles > YourRoleName'
    • (Note: if your role isn't listed, then you need to create it.)
  2. Select the 'Trust Relationships' tab
  3. Select 'Edit Trust Relationship'

Mine ended up like the below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      <your other rules>
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Solution 2

I'm also encountering this error. Have not got a definitive answer (yet) but figured I'd pass along a couple of hints that may help you and/or anyone else hitting this problem.

A) If you build the Role ARN by putting together your account ID and role name, I think the account ID needs to be without any dashes

B) If you just created the role, and possibly added policies to it, there seems to be a (small) window of time in which the role will trigger this error. Sleeping 5 or 6 seconds between the last operation on the role and the create-function call allowed me to bypass the issue (but of course, the timing may be variable so this is at best a work-around).

Solution 3

For me, the issue was that I had an incomplete name for the role. I set

--role arn:aws:iam::000000000000:role/MyRoleName

when it should have been

--role arn:aws:iam::000000000000:role/service-role/MyRoleName

(of course my aws id isn't actually 000000000000)

I discovered this by running

aws iam get-role --role-name MyRoleName

and looking at the "Arn" property in the result set.
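The checks from Solution 1 (trust relationship) and Solution 3 (full role ARN) can be run together against the output of `aws iam get-role`. The following is an added example, not code from any of the answers; the function names and the sample document are constructed for illustration.

```python
import json

LAMBDA = "lambda.amazonaws.com"

def _as_list(value):
    # IAM accepts either a single string or a list for these fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lambda_can_assume(trust_policy):
    """True if some Allow statement lets lambda.amazonaws.com call
    sts:AssumeRole and no Deny statement covers the same pair.
    Simplified: Condition blocks and partial wildcards are not evaluated."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if LAMBDA not in services or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def check_role(get_role_json):
    """Parse `aws iam get-role` output; return (full ARN, lambda_can_assume)."""
    role = json.loads(get_role_json)["Role"]
    return role["Arn"], lambda_can_assume(role["AssumeRolePolicyDocument"])

# Constructed sample shaped like `aws iam get-role` output (not real data).
# The trust policy names the wrong service, so Lambda cannot assume the role.
SAMPLE = json.dumps({"Role": {
    "RoleName": "MyRoleName",
    "Arn": "arn:aws:iam::000000000000:role/service-role/MyRoleName",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]}}})

if __name__ == "__main__":
    arn, ok = check_role(SAMPLE)
    print("--role", arn)
    print("trusts Lambda" if ok else "does NOT trust Lambda: fix the trust relationship")
```

Passing the ARN returned here to `--role` avoids hand-assembling it and dropping a path segment such as `service-role/`.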

Solution 4

I got this problem while testing lambda function.

What worked for me was formatting JSON.

Solution 5

Had the same issue although my IAM role did have the right policy and trust relationship. Lambda creation worked fine when done through the CLI; the problem was when using the lambda module after just creating the IAM role.

I also tried to "pause" for a few seconds but it didn't help.

Ended up adding retry and delay until registerdLambda.code was defined. Usually it works after 1-2 tries.

example:

 - name: creating lambda function
   lambda:
     state: present
     name: "{{ lambdaName }}"
     zip_file: "{{ lambdaZipFile }}"
     runtime: "{{ lambdaRuntime }}"
     role: "{{ lambdaRole }}"
     description: "{{ lambdaDescription }}"
     handler: "{{ lambdaHandler }}"
   register: lambdaFunc
   retries: 3
   delay: 10
   until: lambdaFunc.code is defined
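The same retry-until-ready approach described in hint B of Solution 2 and in Solution 5, written as a bounded exponential backoff. This is an added example, not code from the answers; `create_with_retry` and `make_fake_create` are hypothetical names, and the fake stands in for the real create-function call so the block runs offline.

```python
import time

ROLE_NOT_READY = "cannot be assumed by Lambda"  # error text quoted on this page

def create_with_retry(create_fn, attempts=6, base_delay=1.0, max_delay=30.0,
                      sleep=time.sleep):
    """Call create_fn() until it succeeds, retrying only the role error.

    create_fn is any zero-argument callable, for example one wrapping the
    SDK's create-function call. Returns (result, attempts_used).
    Any other error, or the role error on the last attempt, is re-raised.
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        try:
            return create_fn(), attempt
        except Exception as exc:
            if ROLE_NOT_READY not in str(exc) or attempt == attempts:
                raise
            sleep(delay)                      # wait for the new role to propagate
            delay = min(delay * 2, max_delay)

def make_fake_create(failures):
    """Constructed stand-in for the API call: fails `failures` times, then succeeds."""
    state = {"left": failures}
    def create():
        if state["left"] > 0:
            state["left"] -= 1
            raise RuntimeError(
                "The role defined for the function cannot be assumed by Lambda.")
        return {"FunctionName": "HelloPython"}
    return create

if __name__ == "__main__":
    waits = []
    result, used = create_with_retry(make_fake_create(2), sleep=waits.append)
    print(result, "after", used, "attempts; waited", waits)
```

A role whose trust relationship really does lack `lambda.amazonaws.com` produces the same message, so the attempt cap matters: once it is exhausted, inspect the trust policy instead of lengthening the delay.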

Author: Midhun Sudhakar

Updated on February 01, 2021

Comments

  • Midhun Sudhakar
    Midhun Sudhakar over 3 years

    I'm getting the error "The role defined for the function cannot be assumed by Lambda" when I'm trying to create a lambda function with create-function command.

    aws lambda create-function \
    --region us-west-2 \
    --function-name HelloPython \
    --zip-file fileb://hello_python.zip \
    --role arn:aws:iam::my-acc-account-id:role/default \
    --handler hello_python.my_handler \
    --runtime python2.7 \
    --timeout 15 \
    --memory-size 512

  • Zanon
    Zanon almost 8 years
    +1 "Sleeping 5 or 6 seconds" is the solution here. I've had the same issue using the JavaScript SDK and waiting fixed it for me. I've posted a self-answered question with code example for Node.
  • FOR
    FOR almost 8 years
    @Zanon - thanks for the pointer to your Q/A. If I had time I'd try and pass this on to the official forums, as usually when resources need time to be ready, we get a status we can query (and even waiter objects if you're using boto3), so this seems like an odd (undocumented afaik) inconsistency
  • Zaar Hai
    Zaar Hai over 7 years
    retrying python package was a quick rescue - just decorated the creation function with the following: @retrying.retry(wait_exponential_multiplier=1000, wait_exponential_max=10000)
  • apines
    apines almost 7 years
    Thank you, that was what I was missing.
  • ferr
    ferr almost 6 years
    +1 for sleeping. I don't get what the deal is with this. I have to do this with aws sdk (nodejs), and sleeping for 10 seconds works. If I create a new inline policy on aws console it shows up instantly.. hmmhmm.
  • Greg Pasquariello
    Greg Pasquariello over 5 years
    My issue as well. Thanks!
  • Francis Upton IV
    Francis Upton IV over 4 years
    I'm having trouble with it taking about 5 minutes to work sometimes. Other times it works right away.
  • user1169420
    user1169420 over 4 years
    I was googling this because I was seeing it in terraform debug output although it would eventually work. Your B explanation explains why terraform keeps retrying and eventually it succeeds.
  • Mahan
    Mahan about 4 years
    Works in my case without adding "/service-role/" as well.
  • Mamun
    Mamun about 4 years
    Same here. I just had to wait a bit
  • Roman Kishchenko
    Roman Kishchenko almost 4 years
    I also faced the problem while calling the function from the AWS console. I simply re-created the test event and it helped.
  • Xin Cai
    Xin Cai over 3 years
    I have the same issue, even attached to this Role policy. I have configured lambda function basic settings, Go to Lambda Console, Edit Lambda Execution Role -> Edit basic Settings -> Existing Role -> Choose the role created for lambda -> re-attach role to lambda function -> save -> it works
  • rustyMagnet
    rustyMagnet about 3 years
    thumbs-up for this tip: aws iam get-role --role-name my-lambda-demo-role
  • Mike G
    Mike G about 3 years
    I have experienced this problem again today and although I experienced it around 18 months ago I'd forgotten that waiting seems to resolve the issue so thanks for the reminder. I have a step function that includes 8 lambdas and I can keep running executions over and over after a single deployment and each time I can get one lambda stage further without changing anything. It's annoying but just have to be patient.
  • sjwoodr
    sjwoodr over 2 years
    I had a similar error... all dependencies were correctly declared but the IAM role would be reported as non-existing or couldn't be assumed by lambda even though it shows up as created before the function started to create in the cloudformation event log. My hack to get around this was to declare yet another dependency on a resource that wasn't needed by the lambda function but would "waste time" creating it and that was long enough for the IAM role to get into a state where it would not be a problem to be used by the function. It's a hack and it seems like an AWS issue. BTW this was w/SAM.
  • Yor Jaggy
    Yor Jaggy over 2 years
    Thanks! this saved me a lot of time!
  • robsonrosa
    robsonrosa about 2 years
    For everyone else with similar problem, check your "Principal.Service", in my case, I misconfigured it as "ec2.amazonws.com" and obviously it won't work for a lambda.