AWS Lambda and IAM error on deploy: The role defined for the function cannot be assumed by Lambda

In my AWS project, I use the Serverless Framework to deploy Lambda functions and IAM roles.

So I created 6 Lambda functions, all using the same IAM role below:

functions:

  auto-delete-identity:
    handler: src/auto-delete-identity.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-delete-identity

  auto-move-to-user-group:
    handler: src/auto-move-to-user-group.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-move-to-user-group

  auto-validate-user-creation:
    handler: src/auto-validate-user-creation.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-validate-user-creation

  auto-validation-user-email-modification:
    handler: src/auto-validation-user-email-modification.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-validation-user-email-modification

  hello-demo:
    handler: src/hello-demo.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: hello-demo

  reset-user-password:
    handler: src/reset-user-password.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: reset-user-password

resources:

  Resources:

    lambdaIAMRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: lambdaIAMRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "sts:AssumeRole"
              Effect: "Allow"
              Principal:
                Service:
                  - "lambda.amazonaws.com"
        Policies:
          - PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Action:
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                  Effect: "Allow"
                  Resource:
                    - !Sub "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/*:*"
            PolicyName: "myLambdaPolicy"

When I deploy using the serverless deploy command, I sometimes get the following error:

An error occurred: HelloDashdemoLambdaFunction - The role defined for the function cannot be assumed by Lambda. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4099072a-809d-4f1c-b83e-7f4f5dd5170b).

It looks like a random bug, since it doesn't occur every time. Also, when it occurs, it doesn't always occur on the same function.

Did I do something wrong? How can I fix that?

Thanks for your help.

matteoh asked Mar 04 '23 14:03

1 Answer

I think that the problem is that in your Lambda function declarations, you're referring to the IAM role as role: arn:aws:iam::123456789012:role/lambdaIAMRole. This is an absolute ARN and is how you would indicate an IAM role (or other resource) that was created and managed outside of your serverless.yml template.

In your case, the quickest fix is to simply replace role: arn:aws:iam::123456789012:role/lambdaIAMRole with role: lambdaIAMRole. The latter refers to an AWS resource declared inside the template.

An even better fix, assuming that all of your Lambda functions will have the same role, is to remove your lambdaIAMRole declaration entirely and then remove all role: arn:aws:iam::123456789012:role/lambdaIAMRole properties from the Lambda functions. The role declaration adds nothing over the default IAM role that the Serverless Framework will implicitly generate for you and assign to the Lambda functions. This is one of the things that makes the framework valuable - it provides good defaults to save you time and effort. Examples here.

jarmod answered Apr 06 '23 06:04
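The answer's quick fix written out as an added example (not code from the original post): each function references the role by its CloudFormation logical ID rather than by absolute ARN, so the framework emits a Fn::GetAtt and CloudFormation creates the role before any function that uses it. The service name and runtime are assumptions; the account ID, region and policy name are the placeholders from the question, and two of the six functions are shown.

```yaml
# Added example: the question's serverless.yml with the answer's quick fix applied.
service: my-service            # assumed service name
provider:
  name: aws
  runtime: nodejs18.x          # assumed runtime
  region: eu-central-1

functions:
  hello-demo:
    handler: src/hello-demo.handler
    # Logical ID of the role declared under resources, not its ARN.
    # An ARN string is treated as an externally managed role, so nothing
    # orders role creation before function creation.
    role: lambdaIAMRole
    name: hello-demo

  reset-user-password:
    handler: src/reset-user-password.handler
    role: lambdaIAMRole
    name: reset-user-password

resources:
  Resources:
    lambdaIAMRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: lambdaIAMRole
        # Trust policy: only the Lambda service may assume this role.
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myLambdaPolicy   # sits inside the list item with its document
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  # Scoped to this account's Lambda log groups only.
                  Resource:
                    - !Sub "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/*:*"
```

The answer's preferred fix goes one step further: drop the role: property from every function and the lambdaIAMRole resource altogether, since the role the framework generates by default already carries these CloudWatch Logs permissions.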