AWS CodeStar + Lambda + VPC
I kicked off a CodeStar project for a Node based serverless web service. Simple API Gateway with a Lambda behind it.
All good and simple, but configuring the Lambda to run in a VPC proved to be a very challenging task!
The error I got was: The provided execution role does not have permissions to call CreateNetworkInterface.
The internet is filled with suggestions (and many more).
But apparently I’m the first one who bumped into a new root cause…
So if you’re in the same situation then the keyword to the solution is Permission Boundaries!
Quoting the docs: A permissions boundary is an advanced feature in which you use a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity.
As it turns out, CodeStar provisions the Lambda’s execution role with a boundary that doesn’t take into account the additional permissions a VPC-based lambda requires.
Comparing the two basic Lambda IAM roles AWSLambdaBasicExecutionRole and AWSLambdaVPCAccessExecutionRole we can see the added permissions in the latter:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DeleteNetworkInterface
Adding those to the permission boundary policy fixed the issue. Simply append the following statement to the relevant policy:
{
"Sid": "lambdaInVpc",
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"*"
]
}
This expands the permission boundary, and enables the Lambda to access the additional permissions in AWSLambdaVPCAccessExecutionRole.
If you liked what you just read then how about recommending it by clicking on the below claps icon? This will increase the chances of more people reading it. Thanks!