
Lambda Principal role cannot be attached to lambda

Open pierskarsenbarg opened this issue 4 years ago • 2 comments

Creating a "native" lambda with a "classic" IAM role is failing with the following error:

operation CREATE failed with "InvalidRequest": The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, Request ID: 73c1fbab-3e41-471c-b4ce-fa57a4ab8c5c, Extended Request ID: null)

Steps to reproduce

import * as aws from "@pulumi/aws";
import * as awsnative from "@pulumipreview/aws-native";

const lambdaRole = new aws.iam.Role("classicLambdaRole", {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({ Service: "lambda.amazonaws.com" })
});

const lambdaRoleAttachment = new aws.iam.RolePolicyAttachment("lambdaRoleAttachment", {
    role: lambdaRole,
    policyArn: aws.iam.ManagedPolicy.AWSLambdaBasicExecutionRole,
});

const nativeLambdaFunction = new awsnative.lambda.Function("nativelambdaFunction", {
    code: {
        zipFile: "./app.zip",
    },
    runtime: "nodejs12.x",
    role: lambdaRole.arn,
    handler: "index.handler",
});

Expected: Lambda would be deployed

Actual: Getting error message as above

pierskarsenbarg, Sep 27 '21 11:09

I tested this and noticed that it works if I run the update twice. I get the same error on the first update, so I'm guessing the RolePolicyAttachment isn't completing before the lambda function creation step.

I tried setting dependsOn, but am still seeing the same error.

lblackstone, Sep 28 '21 20:09

I'm seeing the same. It looks like an intermittent failure because pulumi destroy -y && pulumi up -y works.

jkodroff, Nov 03 '22 21:11
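
Lambda also returns the error quoted in this issue when a role's trust policy does not name the Lambda service principal, so ruling that out first separates a misconfigured role from the timing behaviour the comments describe. The TypeScript below is an added example, not code from the thread or from Pulumi: `checkTrustPolicy`, `matches` and `asList` are hypothetical helpers, and both sample policies are constructed.

```typescript
// Added example, not from the issue thread or the Pulumi project.
// Hypothetical helper: does a role trust policy let `service` call sts:AssumeRole?
type OneOrMany = string | string[];
interface Statement {
    Effect: string;
    Action?: OneOrMany;
    Principal?: string | { [kind: string]: OneOrMany };
    Condition?: object;
}
interface Verdict { allowed: boolean; notes: string[]; }

function asList(v: OneOrMany | undefined): string[] {
    if (v === undefined) return [];
    return typeof v === "string" ? [v] : v;
}

// True when the statement covers sts:AssumeRole for the given service principal.
function matches(s: Statement, service: string): boolean {
    const services = typeof s.Principal === "object" ? asList(s.Principal["Service"]) : [];
    const actions = asList(s.Action).map(a => a.toLowerCase());
    const actionOk = actions.some(a => a === "sts:assumerole" || a === "sts:*" || a === "*");
    return actionOk && services.indexOf(service) !== -1;
}

function checkTrustPolicy(policyJson: string, service: string): Verdict {
    const doc = JSON.parse(policyJson) as { Statement: Statement | Statement[] };
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    const hits = statements.filter(s => matches(s, service));
    const denied = hits.some(s => s.Effect === "Deny");
    const allows = hits.filter(s => s.Effect === "Allow");
    const notes: string[] = [];
    if (denied) notes.push("explicit Deny overrides any Allow");
    if (allows.length === 0) notes.push("no Allow statement names " + service);
    if (allows.some(s => s.Condition !== undefined)) notes.push("Allow is conditional; check its Condition keys");
    return { allowed: allows.length > 0 && !denied, notes };
}

// Constructed samples: the first trusts the Lambda service principal used in
// the issue's reproduction, the second trusts a different service.
const lambdaTrust = JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
});
const ec2Trust = JSON.stringify({
    Version: "2012-10-17",
    Statement: { Effect: "Allow", Principal: { Service: "ec2.amazonaws.com" }, Action: "sts:AssumeRole" },
});
console.log(checkTrustPolicy(lambdaTrust, "lambda.amazonaws.com"));
console.log(checkTrustPolicy(ec2Trust, "lambda.amazonaws.com"));
```

If the check passes for the deployed role's trust policy and creation still fails on the first update only, the policy text is not the cause.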