How to setup IAM policy for AWS Lambda in VPC to resolve error "You are not authorized to perform: CreateNetworkInterface."

I am trying to set up my Lambda to access my Mongo server on one of the EC2 instances in VPC. After selecting all the subnets and security groups, I get the following error when saving: "You are not authorized to perform: CreateNetworkInterface."

I believe I need some sort of policy set up in AWS IAM to allow this.

I have "AdministratorAccess" and I am trying to add an IAM role to my account.

Does anyone know what policy/role I need for this?

Erine answered 12/2, 2016 at 17:6 Comment(2)
Are you trying to launch an instance? The error message is not related to what you are trying to do. - Forbore
Nope, just trying to set up my lambda to access my VPC resources. - Erine

Gotcha!!! If the error message said "This Lambda function is not authorized to perform: CreateNetworkInterface" then it would have made more sense that the Lambda role needs to be modified with appropriate policy. Fixed the problem by adding the policy to the role that the Lambda was using:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "autoscaling:CompleteLifecycleAction",
                "ec2:DeleteNetworkInterface"
            ]
        }
    ]
}
Erine answered 12/2, 2016 at 17:48 Comment(1)
When I was creating the Lambda I got an error for missing "ec2:DeleteNetworkInterface". I've added it and it all worked. - Mastery

It is necessary to provide the lambda with the policy actions:

NetworkLambdaRole:
 Type: "AWS::IAM::Role"
 Properties:
   RoleName: "Network-Lambda-Role"
   AssumeRolePolicyDocument:
     Version: '2012-10-17'
     Statement:
     -
       Effect: "Allow"
       Principal:
         Service:
         - "lambda.amazonaws.com"
       Action:
       - "sts:AssumeRole"
   Policies:
   - PolicyName: "network-lambda-role-policy"
     PolicyDocument:
       Version: '2012-10-17'
       Statement:
       - Effect: "Allow"
         Action: [
           "ec2:DescribeInstances",
           "ec2:CreateNetworkInterface",
           "ec2:AttachNetworkInterface",
           "ec2:DescribeNetworkInterfaces",
           "ec2:DeleteNetworkInterface"
         ]
         Resource: "*"

Note: the answer from blueskin was missing the policy action ec2:DeleteNetworkInterface

Batholith answered 16/1, 2018 at 12:4 Comment(0)

There is an AWS managed policy that includes the required permissions to allow the Lambda function to manage its ENIs (elastic network interfaces).

Add this policy to the execution role of the Lambda function: arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess

The permissions contained, as of 01/09/2024, are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignPrivateIpAddresses"
            ],
            "Resource": "*"
        }
    ]
}
Nonsuit answered 9/1 at 13:59 Comment(0)
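All three answers above agree on the same core set of ec2 actions, and the comment on the accepted answer shows what happens when one of them (ec2:DeleteNetworkInterface) is left out. The following policy checker is an added example written for this thread; it is not code from the thread, from AWS, or from any project. It treats each Action entry as an IAM-style glob (so `ec2:*` counts), lets an explicit Deny override an Allow, and reports which of the required ENI actions a policy fails to grant. The function names, the `REQUIRED_ENI_ACTIONS` set (taken from the managed policy quoted in the last answer), and the `INCOMPLETE_POLICY` sample (the accepted answer's policy with the delete action removed) are all constructed here.

```python
"""Lint a Lambda execution-role policy for the ENI actions a VPC-attached
function needs.  Added example for this thread, not code from the thread or
from AWS; function names and the INCOMPLETE_POLICY sample are constructed.
"""
import fnmatch
import json

# The ec2 actions Lambda calls to attach a function to a VPC. This is the
# subset of the managed AWSLambdaENIManagementAccess policy (quoted in the
# last answer) that every answer in the thread ended up including.
REQUIRED_ENI_ACTIONS = frozenset({
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
})


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, wanted):
    """Return the subset of `wanted` actions that `policy` allows.

    IAM action names are case-insensitive and may contain * and ? wildcards,
    so each Action entry is matched as a glob pattern.  An explicit Deny
    beats an Allow, as in IAM.  Resource scoping is not evaluated here: the
    ENI calls Lambda makes need Resource "*", which every policy in the
    thread uses.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        matched = {
            action for action in wanted
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
        }
        effect = stmt.get("Effect")
        if effect == "Allow":
            allowed |= matched
        elif effect == "Deny":
            denied |= matched
    return allowed - denied


def missing_eni_actions(policy):
    """List the required ENI actions the policy does not grant ([] == OK)."""
    return sorted(REQUIRED_ENI_ACTIONS - allowed_actions(policy, REQUIRED_ENI_ACTIONS))


# Constructed sample: the accepted answer's policy without
# ec2:DeleteNetworkInterface, i.e. the state the commenter ran into.
INCOMPLETE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "ec2:DescribeInstances",
            "ec2:CreateNetworkInterface",
            "ec2:AttachNetworkInterface",
            "ec2:DescribeNetworkInterfaces"
        ]
    }]
}""")

# AWSLambdaENIManagementAccess, as quoted in the last answer of the thread.
MANAGED_ENI_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteNetworkInterface",
            "ec2:AssignPrivateIpAddresses",
            "ec2:UnassignPrivateIpAddresses"
        ],
        "Resource": "*"
    }]
}""")


if __name__ == "__main__":
    for name, policy in [("incomplete", INCOMPLETE_POLICY),
                         ("managed", MANAGED_ENI_POLICY)]:
        gaps = missing_eni_actions(policy)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Running it reports `incomplete: missing ec2:DeleteNetworkInterface` and `managed: OK`. Because matching is exact unless a wildcard is present, a misspelled action such as the `ec2:DeleteNetworkInterfaces` written in one of the notes above is flagged as missing rather than silently accepted, which is the same way IAM would treat it. The managed policy also shows that the extra actions in the first answer (ec2:DescribeInstances, ec2:AttachNetworkInterface, autoscaling:CompleteLifecycleAction) are not part of what AWS itself grants for ENI management, so a role built from the managed policy alone is the tighter choice.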