AWS Lambda and IAM error on deploy: The role defined for the function cannot be assumed by Lambda

In my AWS project, I use the Serverless Framework to deploy Lambda functions and IAM roles.

So I created 6 lambda functions, all using the same IAM Role below:

functions:

  auto-delete-identity:
    handler: src/auto-delete-identity.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-delete-identity

  auto-move-to-user-group:
    handler: src/auto-move-to-user-group.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-move-to-user-group
    
  auto-validate-user-creation:
    handler: src/auto-validate-user-creation.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-validate-user-creation
    
  auto-validation-user-email-modification:
    handler: src/auto-validation-user-email-modification.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-validation-user-email-modification
    
  hello-demo:
    handler: src/hello-demo.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: hello-demo

  reset-user-password:
    handler: src/reset-user-password.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: reset-user-password
  
resources:

  Resources:

    lambdaIAMRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: lambdaIAMRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "sts:AssumeRole"
              Effect: "Allow"
              Principal:
                Service:
                  - "lambda.amazonaws.com"
        Policies:
          - PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Action:
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                  Effect: "Allow"
                  Resource:
                    - !Sub "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/*:*"
            PolicyName: "myLambdaPolicy"

When I deploy using the serverless deploy command, I sometimes get the following error:

An error occurred: HelloDashdemoLambdaFunction - The role defined for the function cannot be assumed by Lambda. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4099072a-809d-4f1c-b83e-7f4f5dd5170b).

It looks like a random bug, since it doesn't occur every time. Also, when it occurs, it doesn't always occur on the same function.

Did I do something wrong? How can I fix that?

Thanks for your help.

I fixed this by replacing

arn:aws:iam::123456789012:role/lambdaIAMRole

with

lambdaIAMRole

I met this problem as well.
What I found is a race condition between the IAM role and Lambda.

service: xxx
custom:

  ...
  iamRole: xxx
  roleName: xxx
provider:
  name: aws
  runtime: nodejs12.x
  stage: xxx
  region: xxx
  role: ${self:custom.iamRole}
functions:
  processor:
    name: ${self:custom.lambda.name}
    handler: handler
    memorySize: 128
    timeout: 90
    events:
    - sqs:
        arn: ${self:custom.sqs}
        batchSize: 1
resources:
  Resources:
    lambdaRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: sqsAccess
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: ["sqs:DeleteMessage","sqs:ChangeMessageVisibility","sqs:ReceiveMessage","sqs:GetQueueAttributes","sqs:SendMessage"]
                  Resource:
                  ....
        ManagedPolicyArns:
          - ${self:custom.slsLogPolicy}
        RoleName: ${self:custom.roleName}

It seems the IAM role takes longer to be created, and the Lambda function is set to use a role that is not fully ready.
I changed provider.role to lambdaRole. It seems to fix the dependency or race condition issue.

provider:
  name: aws
  runtime: nodejs12.x
  stage: xxx
  region: xxx
  role: lambdaRole
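
Both answers replace a literal role ARN with the logical ID of a role declared in the same file; a literal string gives CloudFormation nothing from which to order the role before the function. The check below is an added example, not part of the original posts or of the Serverless Framework: it flags every `role` setting that is a literal ARN naming a role the same stack creates. The function names and the sample dict are hypothetical, and the configuration is assumed to be already parsed from YAML.

```python
import re

# A literal IAM role ARN; the role name is the last path segment.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/(?:.*/)?(?P<name>[^/]+)$")

def template_roles(config):
    """Map RoleName -> logical ID for each AWS::IAM::Role in resources.Resources.
    Roles without a string RoleName are skipped (their ARN is not predictable)."""
    resources = (config.get("resources") or {}).get("Resources") or {}
    roles = {}
    for logical_id, res in resources.items():
        name = (res.get("Properties") or {}).get("RoleName")
        if res.get("Type") == "AWS::IAM::Role" and isinstance(name, str):
            roles[name] = logical_id
    return roles

def find_literal_role_arns(config):
    """Return (location, arn, logical_id) for every role setting that is a
    literal ARN naming a role this same stack creates."""
    roles = template_roles(config)
    settings = [("provider", (config.get("provider") or {}).get("role"))]
    for fn_name, fn in (config.get("functions") or {}).items():
        settings.append((f"functions.{fn_name}", (fn or {}).get("role")))
    findings = []
    for location, role in settings:
        match = ROLE_ARN.match(role) if isinstance(role, str) else None
        if match and match.group("name") in roles:
            findings.append((location, role, roles[match.group("name")]))
    return findings

# Constructed sample: the question's layout after YAML parsing.
SAMPLE = {
    "functions": {
        "hello-demo": {"handler": "src/hello-demo.handler",
                       "role": "arn:aws:iam::123456789012:role/lambdaIAMRole"},
        "reset-user-password": {"handler": "src/reset-user-password.handler",
                                "role": "lambdaIAMRole"},
    },
    "resources": {"Resources": {"lambdaIAMRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"RoleName": "lambdaIAMRole"}}}},
}

if __name__ == "__main__":
    for location, arn, logical_id in find_literal_role_arns(SAMPLE):
        print(f"{location}: literal ARN {arn}; reference '{logical_id}' instead")
```

A RoleName written as an unresolved `${...}` variable will not match an ARN, so run the check on the configuration after variables are resolved.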