AWS Lambda:The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2

Today I have a new AWS Lambda question, and can't find anywhere in Google.

I new a Lambda function, there is no question. But when I input any code in this function[eg. console.log();] and click "Save", error is occured: "The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2"

exports.handler = (event, context, callback) => {
    callback(null, 'Hello from Lambda');
    console.log();  // here is my code   
}; 

I bound the function with Role: lambda_excute_execution(Policy:AmazonElasticTranscoderFullAccess) And this function is not bound with any triggers now.

And then, I give the role "AdministratorAccess" Policy, I can save my source code correctly.

This role can run Functions successfully before today.

Is anyone know this error?

Thanks Very much!


This error is common if you try to deploy a Lambda in a VPC without giving it the required network interface related permissions ec2:DescribeNetworkInterfaces, ec2:CreateNetworkInterface, and ec2:DeleteNetworkInterface (see AWS Forum).

For example, this a policy that allows to deploy a Lambda into a VPC:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

If you are using terraform, just add:

resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
    role       = aws_iam_role.lambda.name
    policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

via Managed Policy

  • To grant Lambda necessary permissions to dig in to a VPC where a production RDS db resides in a private subnet.
  • As mentioned by @portatlas above, the AWSLambdaVPCAccessExecutionRole managed policy fits like a glove (and we all know use of IAM Managed Policies is an AWS-recommended best-practice).
  • This is for Lambdas with a service role already attached.

AWS CLI

1. Get Lambda Service Role

  • Ask Lambda API for function configuration, query the role from that, output to text for an unquoted return.
    aws lambda get-function-configuration \
        --function-name <<your function name or ARN here>> \
        --query Role \
        --output text
    
  • return, take your-service-role-name to #2
    your-service-role-name
    

2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role

aws iam attach-role-policy \
    --role-name your-service-role-name \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

CDK 2 TypeScript

const lambdaVPCExecutionRole:iam.Role = new iam.Role(this, `createLambdaVPCExecutionRole`, {
    roleName        : `lambdaVPCExecutionRole`,
    assumedBy       : new iam.ServicePrincipal(`lambda.amazonaws.com`),
    description     : `Lambda service role to operate within a VPC`,
    managedPolicies : [
        iam.ManagedPolicy.fromAwsManagedPolicyName(`service-role/AWSLambdaVPCAccessExecutionRole`),
    ],
});

const lambdaFunction:lambda.Function = new lambda.Function(this, `createLambdaFunction`, {
    runtime : lambda.Runtime.NODEJS_14_X,
    handler : `lambda.handler`,
    code    : lambda.AssetCode.fromAsset(`./src`),
    vpc     : vpc,
    role    : lambdaVPCExecutionRole,
});