4

I am following the tutorial on implementing Lambda and S3 together at http://docs.aws.amazon.com/lambda/latest/dg/with-s3-example-upload-deployment-pkg.html

I have added a role (IAM > Roles > lambda-s3-execution-role), and it has the policy AWSLambdaExecute:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Furthermore, I have set the IAM user as adminuser, and can run a command like aws lambda list-functions --profile adminuser, but when I run the following command

aws lambda create-function \
--region us-east-2 \
--function-name CreateThumbnail \
--zip-file fileb://~/Deployment/build/distributions/lambdaDeployment.zip \
--role arn:aws:iam::12345678:role/lambda-s3-execution-role \
--handler CreateThumbnail.handler \
--runtime java8 \
--profile adminuser \
--timeout 10 \
--memory-size 1024

I got an error:

An error occurred (AccessDeniedException) when calling the CreateFunction operation: An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:iam::12345678:user/testaccountyn is not authorized to perform: iam:PassRole on resource: arn:aws:iam::12345678:role/lambda-s3-execution-role

Could you show me a path forward? Thanks!

6
  • Given that error message I would think that your user testaccountyn is missing the iam:PassRole permission... Commented Jun 10, 2017 at 20:20
  • Hi @MarkB Thanks for answering. I am quite confused: how could I add iam:PassRole to the user? I have also added the AWSLambdaExecute policy to this user's permissions, btw. Commented Jun 10, 2017 at 20:26
  • Your user has a policy assigned to it, right? So edit that policy to add iam:PassRole. Commented Jun 10, 2017 at 20:36
  • Thanks for the information. It still does not work, though I have added an inline policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1497045163000", "Effect": "Allow", "Action": [ "iam:PassRole", "iam:ListInstanceProfiles" ], "Resource": [ "*" ] } ] } Commented Jun 10, 2017 at 20:58
  • Did you check the trust relationship of the role? Commented Jun 11, 2017 at 3:07

1 Answer

5

Solved this problem for me: replace your --role argument with the ARN:AWS:IAM that you created earlier in the tutorial.

I had the same problem. If you look at the CLI arguments from the tutorial, the IAM ID seems to be filled in arbitrarily; it's literally the number 12345678 (from your bottom code snippet: --role arn:aws:iam::12345678:role/lambda-s3-execution-role \).

To solve this I had to paste the ID of the Role I created earlier in the tutorial in the Create An Execution Role step. Open the IAM service in AWS, click 'Roles', select the 'Permissions' tab, and copy your Role ARN:

Image showing where the Role ARN is located in AWS

Replace the arn:aws:iam:12345678.. line in the aws lambda create-function command with your credentials. The final command should look something like:

$ aws lambda create-function --function-name CreateThumbnail \
--zip-file fileb://function.zip --handler index.handler --runtime nodejs8.10 \
--timeout 10 --memory-size 1024 \
--role REPLACE:THIS:WITH:YOUR:ROLE:ARN

That should do it! Hope it saves others some time!!

Additionally, if you're getting an aws: command not found error when running the command above, you'll need to install the AWS Command Line Tools by following these steps: Installing the AWS CLI.

If you're getting a You must specify a region. You can also configure your region by running "aws configure". error, you'll need to configure your terminal profile by following these steps: Configuring the AWS CLI.


1 Comment

@AllanAlmeida it's disappointing. I can only assume that the tutorial worked at some point and then they switched up the CLI API. Hopefully this is updated in the future.
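
A pre-flight check for the two causes raised in this thread (the placeholder account ID in the --role ARN, and the role's trust relationship), added here as an example and not code from the tutorial or from the posters. The function names, the sample trust policy and the account ID 111122223333 are constructed; it assumes the function is created in the caller's own account, and it does not evaluate the caller's iam:PassRole permission.

```python
import json
import re

# IAM ARNs carry a 12-digit account ID; the placeholder 12345678 has only 8 digits.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/[\w+=,.@/-]+$")
CALLER_ARN = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")

# Constructed sample trust policy; 111122223333 below is a made-up account ID.
SAMPLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows_lambda(trust_policy):
    """True if an Allow statement lets lambda.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and "lambda.amazonaws.com" in services):
            return True
    return False


def preflight(role_arn, caller_arn, trust_policy_json):
    """Return the problems to fix before running `aws lambda create-function`."""
    problems = []
    role, caller = ROLE_ARN.match(role_arn), CALLER_ARN.match(caller_arn)
    if not role:
        problems.append("role ARN is malformed or lacks a 12-digit account ID")
    if not caller:
        problems.append("caller ARN is malformed")
    if role and caller and role.group(1) != caller.group(1):
        problems.append("role ARN account differs from the caller's account")
    if not trust_allows_lambda(json.loads(trust_policy_json)):
        problems.append("trust policy does not let lambda.amazonaws.com assume the role")
    return problems


if __name__ == "__main__":
    me = "arn:aws:iam::111122223333:user/testaccountyn"
    for arn in ("arn:aws:iam::12345678:role/lambda-s3-execution-role",
                "arn:aws:iam::111122223333:role/lambda-s3-execution-role"):
        print(arn, "->", preflight(arn, me, SAMPLE_TRUST) or "ok")
```

Real inputs come from `aws sts get-caller-identity --query Arn --output text` and `aws iam get-role --role-name lambda-s3-execution-role --query Role.AssumeRolePolicyDocument`.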
