Monday, May 15, 2017

The provided execution role does not have permissions to call CreateNetworkInterface on EC2

If you get this error when attempting to create an AWS Lambda function:

The provided execution role does not have permissions to call CreateNetworkInterface on EC2

You need to grant Lambda some additional permissions:

ec2:CreateNetworkInterface
ec2:DescribeNetworkInterfaces
ec2:DeleteNetworkInterface

There is an existing AWS managed policy named AWSLambdaVPCAccessExecutionRole which grants all the permissions a Lambda function running inside a VPC requires. Note that it carries these EC2 permissions on all resources, and it also includes the CloudWatch Logs permissions (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) that basic Lambda logging needs, so you do not have to attach a separate logging policy.

You can attach a managed policy to a role using CloudFormation by using the ManagedPolicyArns property of an IAM role.

Type: "AWS::IAM::Role"
Properties: 
  AssumeRolePolicyDocument:
    JSON object
  ManagedPolicyArns:
    - String
  Path: String
  Policies:
    - Policies
  RoleName: String

For example:

FireboxRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "FireboxLambdaRole"
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      # AWS managed policy with the ENI and CloudWatch Logs permissions a VPC Lambda needs.
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
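One way to catch this error before deploying is to check the role in the template itself: does the trust policy allow only lambda.amazonaws.com, and does the role carry the three ec2 network-interface actions, either through the managed policy above or through an inline policy? The following Python script is an added example, not code from this post or from the FireboxCloudAutomation project. It works on the JSON form of a CloudFormation template (the role above is reproduced in JSON, alongside a constructed second role whose inline policy forgot ec2:DeleteNetworkInterface and whose trust policy also admits an account principal), and the function names and the sample account id are assumptions made for the example.

```python
"""Static check of CloudFormation IAM roles meant for a Lambda function in a VPC.
Added example, not code from the original post; the helper names and the
sample template below are constructed for this example."""
import fnmatch
import json

# The three EC2 actions Lambda needs to manage its VPC network interfaces.
REQUIRED_VPC_ACTIONS = {
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
}
VPC_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
LAMBDA_SERVICE = "lambda.amazonaws.com"


def _as_list(value):
    """IAM documents allow either a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(role_props):
    """Return findings about who may assume the role (empty list = only Lambda)."""
    findings = []
    doc = role_props.get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal to assume the role")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc != LAMBDA_SERVICE:
                findings.append(f"unexpected service principal: {svc}")
        for key in ("AWS", "Federated"):  # non-service principals are suspicious here
            if key in principal:
                findings.append(f"trust policy grants {key} principal {principal[key]}")
        extra = [a for a in _as_list(stmt.get("Action")) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"trust policy actions beyond sts:AssumeRole: {extra}")
    return findings


def granted_actions(role_props):
    """Every action pattern allowed by the role's inline policies.
    Managed policies are referenced by ARN only, so their contents cannot be read here."""
    patterns = set()
    for policy in _as_list(role_props.get("Policies")):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") == "Allow":
                patterns.update(_as_list(stmt.get("Action")))
    return patterns


def check_vpc_permissions(role_props):
    """Return (missing_actions, broad_patterns).
    missing_actions is empty when the role can manage ENIs, via the AWS managed policy
    or inline statements; broad_patterns lists inline wildcards such as ec2:*."""
    if VPC_MANAGED_POLICY_ARN in _as_list(role_props.get("ManagedPolicyArns")):
        return set(), set()
    patterns = granted_actions(role_props)
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    missing = {a for a in REQUIRED_VPC_ACTIONS
               if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}
    broad = {p for p in patterns if "*" in p}
    return missing, broad


def audit_template(template_json):
    """Run both checks on every AWS::IAM::Role in a CloudFormation JSON template."""
    template = json.loads(template_json)
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        missing, broad = check_vpc_permissions(props)
        results[logical_id] = {
            "trust_findings": check_trust_policy(props),
            "missing_vpc_actions": sorted(missing),
            "broad_patterns": sorted(broad),
        }
    return results


# Constructed sample template: the post's role in JSON form, plus a flawed inline-policy role.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "FireboxRole": {"Type": "AWS::IAM::Role", "Properties": {
        "RoleName": "FireboxLambdaRole",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}]},
        "Path": "/",
        "ManagedPolicyArns": [VPC_MANAGED_POLICY_ARN]}},
    "InlineRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "lambda.amazonaws.com",
                           "AWS": "arn:aws:iam::123456789012:root"}}]},  # constructed account id
        "Policies": [{"PolicyName": "eni", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces"]}]}}]}}}})

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE_TEMPLATE), indent=2))
```

Running the script reports FireboxRole as clean and flags InlineRole for the missing ec2:DeleteNetworkInterface action (which would surface later as the "CreateNetworkInterface" error or as leaked ENIs) and for the extra account principal in its trust policy. The check only knows the one managed policy by ARN; any other managed policy has to be reviewed by hand or by fetching its document from IAM.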

For more information see: 

http://docs.aws.amazon.com/lambda/latest/dg/vpc.html

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

https://github.com/tradichel/FireboxCloudAutomation/blob/master/code/resources/firebox-cli/clirole.yaml