Hi Guys,
I have multiple serverless projects up and running, but today I wanted to set up a new one, and I can't figure it out.
My project is inside a VPC, and I have a permission error on the “AWS::Lambda::Function” role:
Your access has been denied by EC2, please make sure your function execution role have permission to CreateNetworkInterface. EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.
But my serverless.yml is set up the same way as my working projects:

```yaml
service: AwesomeService
frameworkVersion: "=1.2.1"

custom: ${file(./environments/serverless/${env:NODE_ENV}.yml)}

provider:
  name: aws
  cfLogs: true
  runtime: nodejs4.3
  region: eu-central-1
  stage: ${self:custom.stage}
  memorySize: ${self:custom.memorySize}
  timeout: ${self:custom.timeout}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DetachNetworkInterface"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
  vpc: ${self:custom.vpc}

functions:
  hello:
    handler: handler.hello
    events:
      - http:
          method: post
          path: hello
          cors: true
          integration: lambda
```
As you can see, I clearly set the iamRoleStatements for EC2. Moreover, I read this in the documentation:
Further, if you have specified VPC security groups and subnets for your lambdas to use then the EC2 rights necessary to attach to the VPC via an ENI will be added into the default IAM policy.
But when the role is created, the inline policy attached is the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream"],
    "Resource": ["arn:aws:logs:eu-central-1:111118746979:log-group:/aws/lambda/AwesomeService-development-hello:*"],
    "Effect": "Allow"
  }, {
    "Action": ["logs:PutLogEvents"],
    "Resource": ["arn:aws:logs:eu-central-1:111118746979:log-group:/aws/lambda/AwesomeService-development-hello:*:*"],
    "Effect": "Allow"
  }]
}
```
No rights about EC2 are added…
Does anyone have an idea?
Many thanks
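The post boils down to comparing what the generated inline policy actually grants against the EC2 ENI actions a VPC-attached Lambda needs. The script below is an added example (not code from the post or from the Serverless Framework) that does that comparison offline: it takes the policy JSON quoted in the post, plus two constructed policies, and reports which of the four `ec2:*NetworkInterface*` actions listed in the post's `serverless.yml` are missing. It is a deliberately simplified IAM evaluator (Allow/Deny on `Action` with `*` wildcards only; `NotAction`, `Resource` scoping and `Condition` blocks are not modelled), so treat a "nothing missing" result as a hint, not proof.

```python
"""Check whether a Lambda execution role's inline policy grants the
EC2 ENI actions a VPC-attached function needs.

Added example, not code from the forum post or the Serverless Framework.
Simplifications (assumptions of this example): only Effect/Action are
evaluated; NotAction, Resource scoping and Condition are ignored.
"""
import fnmatch

# The four actions the post's serverless.yml asks for (taken from the post).
REQUIRED_ENI_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DetachNetworkInterface",
    "ec2:DeleteNetworkInterface",
)


def _as_list(value):
    """IAM allows a bare string or a list in Statement/Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy, required=REQUIRED_ENI_ACTIONS):
    """Return the subset of `required` that the policy allows and does not deny."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(_matches(p, action) for p in patterns):
                bucket.add(action)
    # An explicit Deny always wins over an Allow.
    return allowed - denied


def missing_eni_actions(policy, required=REQUIRED_ENI_ACTIONS):
    """Sorted list of required ENI actions the policy does not grant."""
    return sorted(set(required) - allowed_actions(policy, required))


# The inline policy quoted in the post (logs permissions only).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["logs:CreateLogGroup", "logs:CreateLogStream"],
         "Resource": ["arn:aws:logs:eu-central-1:111118746979:log-group:/aws/lambda/AwesomeService-development-hello:*"],
         "Effect": "Allow"},
        {"Action": ["logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:eu-central-1:111118746979:log-group:/aws/lambda/AwesomeService-development-hello:*:*"],
         "Effect": "Allow"},
    ],
}

# Constructed: what the iamRoleStatements block should have produced.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": POSTED_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": list(REQUIRED_ENI_ACTIONS), "Resource": "*"},
    ],
}

# Constructed: broad wildcard Allow with one explicit Deny layered on top.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:CreateNetworkInterface", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in [("posted", POSTED_POLICY), ("fixed", FIXED_POLICY), ("deny", DENY_POLICY)]:
        print(f"{name}: missing {missing_eni_actions(policy) or 'nothing'}")
```

Run against the posted policy it lists all four ENI actions as missing, which matches the `UnauthorizedOperation` error in the post; against the fixed policy it lists nothing. The same function can be pointed at the policy document fetched from the deployed role (for example via `aws iam get-role-policy`) to confirm what CloudFormation actually attached rather than what the YAML intended.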