AccessDeniedException while using Lambda by AWS CLI

Question

I am following the tutorial of implementing lambda and S3 together at http://docs.aws.amazon.com/lambda/latest/dg/with-s3-example-upload-deployment-pkg.html

I have added a role(IAM > Roles > lambda-s3-execution-role), and it has the policy AWSLambdaExecute:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Furthermore, I have set the IAM user as adminuser, and can run the command like aws lambda list-functions --profile adminuser, but when I run following command

aws lambda create-function \
--region us-east-2 \
--function-name CreateThumbnail \
--zip-file fileb://~/Deployment/build/distributions/lambdaDeployment.zip \
--role arn:aws:iam::12345678:role/lambda-s3-execution-role \
--handler CreateThumbnail.handler \
--runtime java8 \
--profile adminuser \
--timeout 10 \
--memory-size 1024

I got an error:

An error occurred (AccessDeniedException) when calling the CreateFunction operation: An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:iam::12345678:user/testaccountyn is not authorized to perform: iam:PassRole on resource: arn:aws:iam::12345678:role/lambda-s3-execution-role

Could you show me a path forward? Thanks!

Answer 1

Solved this problem for me: Replace your --role argument with the ARM:AWS:IAM that you created earlier in the tutorial.

I had the same problem. If you look at the CLI arguments from the tutorial, the IAM ID seems to be filled in arbitrarily; it's literally the number 12345678. From your bottom code snippet: --role arn:aws:iam::12345678:role/lambda-s3-execution-role \).

To solve this I had to paste the ID of the Role I created earlier in the tutorial in the Create An Execution Role step. Opening the IAM service in AWS, click 'Roles, select the 'Permissions' tab, and copy your Role ARN:

Replace the arn:aws:iam:12345678.. line in the aws lambda create-function command with your credentials. The final command should look something like:

$ aws lambda create-function --function-name CreateThumbnail \
--zip-file fileb://function.zip --handler index.handler --runtime nodejs8.10 \
--timeout 10 --memory-size 1024 \
--role REPLACE:THIS:WITH:YOUR:ROLE:ARN

That should do it! Hope it saves others some time!!

Additionally, if you're getting a aws: command not found error when running the command above, you'll need to install the AWS Command Line Tools by following these steps: Installing the AWS CLI

If you're getting an You must specify a region. You can also configure your region by running "aws configure". error, you'll need to configure your terminal profile by following these steps: Configuring the AWS CLI.