
AccessDenied: User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxx:role/aws-lambda-image-executor

Open itinance opened this issue 7 years ago • 13 comments

Can someone explain to me why our AWS user with Full S3 Access isn't able to create an IAM role?

I get this error very early while deploying:

$ npm run deploy

[email protected] deploy /data/workspace/aws-lambda-image claudia create --profile $npm_package_config_profile --region $npm_package_config_region --version dev --handler index.handler --no-optional-dependencies --timeout $npm_package_config_timeout --memory $npm_package_config_memory --policies policies/*.json

initialising IAM role iam.createRole RoleName=aws-lambda-image-executor { AccessDenied: User: arn:aws:iam::xxxxx:user/yyyyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxx:role/aws-lambda-image-executor

Any help would be greatly appreciated!

itinance · Dec 17 '17 19:12

Adding the following policy to the user put me one step ahead.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Now another issue occurs:

{ AccessDenied: User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: iam:PutRolePolicy on resource: role aws-lambda-image-executor

Seems that there is no real "admin" user having access to everything.

itinance · Dec 17 '17 20:12

Modifying the policy from the latest comment and adding the action "iam:PutRolePolicy" fixed this issue. Now it fails with "role already exists", so I had to remove the already created role manually.

The next issue that appears is "user is not authorized to perform: lambda:CreateFunction on resource", followed by "is not authorized to perform: iam:PassRole on resource:".

There is a big zoo of missing permissions. Can someone publish a policy with all the actions that are required to be whitelisted?

itinance · Dec 17 '17 20:12

This is my policy but it still fails on missing permissions for "iam:PassRole":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

itinance · Dec 17 '17 20:12

In the end some more policy entries were required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

But now I'm stuck with

"claudia.json already exists in the source folder".

(which then exists in the root folder and needs to be removed)

All my attempts tell me that the script can't be executed repeatedly, e.g. only creating a role if it doesn't exist yet, only creating a function after deleting an existing one, and so on. Am I right about this or did I do something wrong?

itinance · Dec 17 '17 20:12

Finally giving up on this one now, which can't be solved even by adding the specific actions to the user's policy:

user is not authorized to perform: lambda:AddPermission on resource
user is not authorized to perform: lambda:UpdateFunctionCode

What are the other people doing with this repo? Any ideas?

UPDATE: finally figured out that AWS sometimes needs up to 10 minutes to apply policies

itinance · Dec 17 '17 21:12

This is the final policy that is required to deploy the lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

itinance · Dec 17 '17 21:12

@itinance It seems to be a permission issue with the running user. Which user is running the command? And does that user have permission to add IAM and Lambda roles?

ysugimoto · Feb 05 '18 08:02

^ Looks like iam:DetachRolePolicy is needed for CloudFormation rollback as well?

omnilinguist · Sep 22 '19 07:09

A huge thanks for this post. Using VS2019 ASP.NET Core and AWS. Notes for a newbie: in the IWS console, choose IWS, create a new policy against the user, click the JSON tab and pop this code in, and the error goes away. Just for completeness, here is the code I used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:GetInstanceProfile",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

stewa11 · Oct 08 '19 08:10

iam:AttachRolePolicy is also needed

jilna · Apr 30 '20 15:04

In AWS you must -> create a new policy and paste the above 💥🤷‍♀️✔

Atenadru · Jun 21 '21 22:06

Like others have said (@stewa11 and @itinance), this is the configuration to put as a permission on the user. Note: wait some time for the changes to take effect!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

francescotaioli · Sep 01 '21 14:09
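The policies collected in this thread (itinance's final one and francescotaioli's consolidated one) all grant the IAM and Lambda actions on Resource "*". That combination is worth a second look before it lands on a real deployer user: iam:CreateRole plus iam:PutRolePolicy/iam:AttachRolePolicy plus iam:PassRole on every role means the deploying user can create a role with any permissions, pass it to a Lambda function it is also allowed to invoke, and run code as that role. The script below is an added example, not code from aws-lambda-image, claudia or any commenter. It lints a policy document for that unscoped combination and builds the same set of actions pinned to one executor role and one function, with PassRole restricted to the Lambda service. The account ID, region and function name pattern are assumptions; the input policy is the thread's consolidated one, embedded as constructed sample data.

```python
"""Lint a Lambda-deployer IAM policy for the escalation path that Resource "*"
opens, and build a version scoped to one executor role and one function.

Added example for this thread; it is not code from aws-lambda-image or claudia.
Constructed input: THREAD_POLICY is the consolidated deployer policy from the thread.
Assumed identifiers (hypothetical): account id, region and function name.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # assumption
REGION = "eu-west-1"         # assumption
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/aws-lambda-image-executor"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:aws-lambda-image"  # assumed name

THREAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1482712489000",
        "Effect": "Allow",
        "Action": [
            "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy",
            "lambda:CreateFunction", "lambda:InvokeAsync", "lambda:InvokeFunction", "iam:PassRole",
            "lambda:UpdateAlias", "lambda:CreateAlias", "lambda:GetFunctionConfiguration",
            "lambda:AddPermission", "lambda:UpdateFunctionCode",
        ],
        "Resource": ["*"],
    }],
}

# With Resource "*", these four let the deployer create a role, give it any policy
# (inline or managed), pass it to Lambda, and run code as that role.
ESCALATION_ACTIONS = ("iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:PassRole")


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_unscoped_iam_grants(policy):
    """Return sorted (Sid, action) pairs for escalation-capable IAM actions allowed on "*".

    Action patterns are matched case-insensitively with IAM-style wildcards, so
    "iam:*", "*" and "iam:passrole" are all caught. NotAction/NotResource are not handled.
    """
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ESCALATION_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", ""), action))
    return sorted(findings)


def scoped_deployer_policy(role_arn, function_arn):
    """Same actions as the thread's policy, pinned to one role and one function.

    PassRole additionally requires the role to be passed to Lambda itself
    (iam:PassedToService), so the deployer cannot hand it to EC2, CodeBuild, etc.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageExecutorRole",
                "Effect": "Allow",
                "Action": ["iam:CreateRole", "iam:PutRolePolicy",
                           "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
                "Resource": role_arn,
            },
            {
                "Sid": "PassExecutorRoleToLambdaOnly",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
            },
            {
                "Sid": "ManageFunction",
                "Effect": "Allow",
                "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode",
                           "lambda:GetFunctionConfiguration", "lambda:AddPermission",
                           "lambda:CreateAlias", "lambda:UpdateAlias",
                           "lambda:InvokeFunction", "lambda:InvokeAsync"],
                # the function ARN plus its aliases/versions (...:function:name:alias)
                "Resource": [function_arn, function_arn + ":*"],
            },
        ],
    }


if __name__ == "__main__":
    print("thread policy findings:", find_unscoped_iam_grants(THREAD_POLICY))
    print(json.dumps(scoped_deployer_policy(ROLE_ARN, FUNCTION_ARN), indent=4))
```

Run it as-is and the thread's policy is flagged on all four escalation actions, while the scoped policy produces no findings. Scoping the resource closes the "any role in the account" hole but not the whole path: iam:PutRolePolicy and iam:AttachRolePolicy on the executor role still let the deployer give that one role any permissions it likes. If that matters, either require a permissions boundary at creation time (iam:CreateRole with a StringEquals condition on iam:PermissionsBoundary), or pre-create the executor role with a tightly scoped account and drop the iam:Create*/Put*/Attach* grants from the deployer entirely, leaving only the PassRole statement; claudia's create command can be pointed at an existing role instead of creating one.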

In my case, it was solved by allowing the IAM user the iam:createRole and iam:createPolicy actions.

crowncoder0797 · Feb 17 '23 13:02