If you are trying to attach an AWS Lambda function to a VPC but get the error message:
The provided execution role does not have permissions to call CreateNetworkInterface on EC2
there are three ways to solve this problem. Below we look at each option in turn:
- Fix the problem in Terraform
- Fix the problem in CloudFormation / SAM
- Fix the problem Manually in the AWS Console
How to fix the problem in Terraform
Attach the AWS-managed AWSLambdaVPCAccessExecutionRole policy to the Lambda execution role:
# aws_iam_role.lambda is the Lambda execution role defined elsewhere in your configuration
resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}
How to fix the problem in CloudFormation
Declare the execution role with the managed policy in its ManagedPolicyArns (the enclosing Resources key and the LambdaExecutionRole logical ID are not part of the original snippet and are shown only so the fragment is a complete template section):
Resources:
  LambdaExecutionRole:               # logical ID chosen for this example
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "lambda-with-vpc-access"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
How to fix this problem manually in the AWS Console
You can also resolve this by adding a custom inline policy to the Lambda execution role under the Permissions tab.
Step 1
Under the Lambda you want to adjust, click Permissions and select the role under Execution role. Click the link to open the role in IAM.
Step 2
Then click Add inline policy:
Step 3
Then click JSON:
Step 4
Now add the JSON below into the text area and click Review policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
Step 5
Finally, provide a policy name and click Create policy.
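Before pasting a policy into a production role it is worth checking that it actually grants the ENI actions Lambda needs, and that no Deny statement elsewhere in the document overrides them. The following script is an added example, not part of the original guide or of any AWS tooling: it is a deliberately simplified IAM evaluator that applies the "explicit Deny wins, otherwise any matching Allow grants" rule to the Action field only, with IAM's case-insensitive `*`/`?` wildcards. It ignores Resource and Condition (the policy above uses Resource "*") and rejects NotAction statements rather than guessing at them. The sample policy embedded in it is the inline policy from Step 4; the set of required actions is an assumption chosen for the example.

```python
import fnmatch
import json

# Constructed sample: the inline policy from Step 4 of the guide, as JSON text.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeNetworkInterfaces",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeInstances",
            "ec2:AttachNetworkInterface",
        ],
        "Resource": "*",
    }],
})

# Assumed minimum set of ENI actions to check for (chosen for this example).
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)


def _as_list(value):
    """IAM allows scalar or list values for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(policy: dict, action: str) -> bool:
    """Simplified evaluation of one action against a policy document.

    An explicit Deny on a matching statement always wins; otherwise the
    action is allowed if any Allow statement matches it. Action patterns
    use IAM wildcards ('*' and '?') and compare case-insensitively.
    Resource and Condition are ignored; NotAction is rejected.
    """
    wanted = action.lower()
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not supported by this checker")
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(wanted, p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy_json: str, required=REQUIRED_ENI_ACTIONS) -> list:
    """Return the required actions that the policy document does not grant."""
    policy = json.loads(policy_json)
    return [a for a in required if not action_allowed(policy, a)]


if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_POLICY)
    if gaps:
        print("Role still lacks:", ", ".join(gaps))
    else:
        print("All required ENI actions are granted.")
```

Run it against the JSON you intend to attach; an empty result means every action in REQUIRED_ENI_ACTIONS is granted by an Allow statement and not overridden by a Deny. Because the checker only looks at Action, a real role may still fail at runtime if a service control policy or permissions boundary restricts the same actions, so treat it as a pre-flight check, not a substitute for IAM's policy simulator.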
In Summary
You will now be able to attach your Lambda to a VPC without the error.
By following the above, you will have resolved the "the provided execution role does not have permissions to call createnetworkinterface on ec2" error from before.
Sometimes the above error is seen directly in the AWS Lambda console, where it is shown as "lambda the provided execution role does not have permissions to call createnetworkinterface on ec2".
The good news is that the same guide above will resolve all "createnetworkinterface on ec2" permission issues.