
I want to grant vpc access for my lambda function. I use the following aws cli command.

aws lambda update-function-configuration \
--function-name SampleFunction \
--vpc-config SubnetIds=subnet-xxxx,SecurityGroupIds=sg-xxxx

But I receive the following error:

An error occurred (AccessDeniedException) when calling the UpdateFunctionConfiguration operation: Your access has been denied by EC2, please make sure your request credentials have permission to DescribeSecurityGroups for sg-xxxx. EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.

I have granted the following permissions to both my lambda role and the user who executes the aws command.

    - "ec2:CreateNetworkInterface"
    - "ec2:DescribeNetworkInterfaces"
    - "ec2:DeleteNetworkInterface"
    - "ec2:DescribeSecurityGroups"

I further tried to grant full access to both the lambda role and the user, but still received the same error.

Can anyone suggest what else I can try?

4 Answers

The trick is to make sure the pipeline / worker role / user (whichever is deploying the lambda function) has access to network related policies. The lambda function itself should suffice with the managed policy AWSLambdaVPCAccessExecutionRole:

arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

    - Action:
        - ec2:DescribeSecurityGroups
        - ec2:DescribeSubnets
        - ec2:DescribeVpcs
      Effect: Allow
      Resource: '*'

Vibhu Kuchhal

Your user's IAM policy needs further permissions.

For example ec2:CreateSecurityGroup etc. Have a look at this documentation to add the required permissions.

Ashan

  • thanks @Ashan Did you mean adding permission for the user that runs this task? I added EC2 permissions to CloudFormation (I use CodeStar) but it didn't seem to work. – Jun Jun 28 '18 at 00:08
  • @Jun I meant the IAM permission for the user who runs the above mentioned CLI command. – Ashan Jun 28 '18 at 01:30

I experienced the same issue. Despite the IAM policy for the user having the required permissions, I could not use the aws cli to create a lambda function with a VPC config (aws lambda create-function) or modify an existing function to add a VPC config (aws lambda update-function-configuration).

The only way I could get this to work was to create the lambda function without a VPC config. I then modified the function to add the VPC config information (vpc, subnet and security groups) via the AWS console (in Lambda > Functions > My Function > Network). I was only able to use the console to do this, introducing a manual step in an otherwise fully automated process.

To answer some of the questions above about which user needs the ec2:DescribeSecurityGroups and related permissions: it is the user running the cli command or logged in to the console. The function does not need a policy providing these permissions. The only special permissions needed for a function with a VPC config are:

  • ec2:CreateNetworkInterface
  • ec2:DescribeNetworkInterfaces
  • ec2:DeleteNetworkInterface

These allow the function to create ENIs within your VPC using the subnet and security group you provide as described here.

htaccess

Both the Lambda function's role and the user role (either the CloudFormation or command-line user) must have:

    - ec2:CreateNetworkInterface
    - ec2:DescribeNetworkInterfaces
    - ec2:DeleteNetworkInterface
    - ec2:DescribeSecurityGroups
    - ec2:DescribeSubnets

or ec2:* if that is OK for your use case's security.

I had the same issue deploying a lambda with a VPC config using SAM/cloudformation and resolved it by adding this above.

On the GitHub issue some people say it is because of CloudFormation creation order; it is not (or maybe not anymore, because I tested adding 20 dummy resources and still had the same issue, which was only resolved by adding the permissions above).

cheers,
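The answers above split the required EC2 permissions between two principals: the user or pipeline role that runs the CLI/CloudFormation deployment needs the ec2:Describe* actions, while the function's execution role only needs the ENI actions. A quick way to catch the mismatch before deploying is to check each principal's policy document offline. The following is an added example and not code from the question or any of the answers; it assumes plain JSON policy documents and, as a simplification, looks only at Effect/Action (Resource, Condition and NotAction are ignored). The sample policies are constructed from the action lists posted in this thread.

```python
"""Offline check: does an IAM policy document allow the EC2 actions that a
Lambda VPC deployment needs? Added example, not from the question or answers.
Simplification (assumption): only Effect and Action are evaluated; Resource,
Condition and NotAction are ignored."""
import fnmatch
import json

# Actions the deploying principal (CLI user / CloudFormation role) needs,
# as listed in the answers above.
DEPLOYER_ACTIONS = (
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
)

# Actions the Lambda execution role needs to manage ENIs in the VPC.
EXECUTION_ROLE_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

# Constructed sample: the policy from the question, which has the ENI
# actions but not DescribeSubnets / DescribeVpcs.
QUESTIONER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeSecurityGroups",
        ],
        "Resource": "*",
    }],
})

# Constructed sample: the deploying user's policy with the Describe actions
# the answers recommend.
FIXED_DEPLOYER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": list(DEPLOYER_ACTIONS),
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM allows a string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names match case-insensitively and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Return the actions from `required` that `policy` does not allow.

    An explicit Deny that matches an action wins over any Allow, mirroring
    IAM's evaluation order. `policy` may be a JSON string or a dict.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = denied = False
        for statement in statements:
            patterns = _as_list(statement.get("Action"))
            if any(_matches(p, action) for p in patterns):
                if statement.get("Effect") == "Allow":
                    allowed = True
                elif statement.get("Effect") == "Deny":
                    denied = True
        if denied or not allowed:
            missing.append(action)
    return missing


if __name__ == "__main__":
    print("deployer, questioner's policy:",
          missing_actions(QUESTIONER_POLICY, DEPLOYER_ACTIONS))
    print("deployer, fixed policy:",
          missing_actions(FIXED_DEPLOYER_POLICY, DEPLOYER_ACTIONS))
    print("execution role, questioner's policy:",
          missing_actions(QUESTIONER_POLICY, EXECUTION_ROLE_ACTIONS))
```

Run it against the policy attached to the principal that actually issues the UpdateFunctionConfiguration call (the CLI user or the CodeStar/CloudFormation role), not the function's execution role; the error in the question comes from the former.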