EC2 permissions for VPC are not set

Hi Guys,

I have multiple serverless projects up and running, but today I wanted to set up a new one, and I can’t figured it out.

My project is inside a VPC, and I have a permission error on the “AWS::Lambda::Function” role:

Your access has been denied by EC2, please make sure your function execution role have permission to CreateNetworkInterface. EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.

But my serverless.yml is setup the same way than my working projects:

service: AwesomeService
frameworkVersion: "=1.2.1"
custom: ${file(./environments/serverless/${env:NODE_ENV}.yml)}
  name: aws
  cfLogs: true
  runtime: nodejs4.3
  region: eu-central-1
  stage: ${self:custom.stage}
  memorySize: ${self:custom.memorySize}
  timeout: ${self:custom.timeout}
    - Effect: "Allow"
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DetachNetworkInterface"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
  vpc: ${self:custom.vpc}
    handler: handler.hello
      - http:
          method: post
          path: hello
          cors: true
          integration: lambda

As you can see, I clearly set the iamRoleStatements for EC2. Moreover, I read this in the documentation:

Further, if you have specified VPC security groups and subnets for your lambdas to use then the EC2 rights necessary to attach to the VPC via an ENI will be added into the default IAM policy.

But when the role is created, the inline policy attached is the following:

	"Version": "2012-10-17",
	"Statement": [{
		"Action": ["logs:CreateLogGroup", "logs:CreateLogStream"],
		"Resource": ["arn:aws:logs:eu-central-1:111118746979:log-group:/aws/lambda/AwesomeService-development-hello:*"],
		"Effect": "Allow"
	}, {
		"Action": ["logs:PutLogEvents"],
		"Resource": ["arn:aws:logs:eu-central-1:111118746979:log-group:/aws/lambda/AwesomeService-development-hello:*:*"],
		"Effect": "Allow"

No rights about EC2 are added…
Does anyone have an idea?

Many thanks

I figured it out finally… You must do a first deploy of your service WITH the EC2 iamRoleStatements but WITHOUT the VPC key. Once the deployed has ended, then you can add the VPC info to your serverless.yml and make a new deploy…

Is possible to fix this?!

1 Like

Does it work if you do it in that order? I ended up with a separate script that created the user as a once off and then just reference that role in serverless.yml:

iamRoleARN: arn:aws:iam::XXXXXXXX:role/MyLambdaVpcExecutionRole

I think if your way works, it’s less moving parts though, so I’d rather do that.

Yep, my solution works.

You’ll find this mentioned a few times in some issues in GitHub.
Check our PR 2127 , I think that’s where the work is being done to fix it.