Unable to deploy lambda with specific VPC and SG

marcteit · September 8, 2016, 2:31am

Hi there,

I’m developing a Lambda function that connects to an RDS database, therefore I need to associate the Lambda function to a VPC and Segurity Groups.
I’ve tried all possible config combinations, but I can’t deploy a Lambda associated to VPC and SG. I’m currently using version RC1. The error is:

An error occurred while provisioning your stack: HelloLambdaFunction
- Your access has been denied by EC2, please make sure
your function execution role have permission to CreateNetworkInterface.
EC2 Error Code: UnauthorizedOperation. EC2 Error Message:
You are not authorized to perform this operation…

My serverless.yml file is:

service: foo

provider:
name: aws
runtime: nodejs4.3
iamRoleStatements:
- Effect: "Allow"
Action:
- “ec2:CreateNetworkInterface”
- “ec2:DescribeNetworkInterfaces”
- "ec2:DeleteNetworkInterface"
Resource: "*"
vpc:
securityGroupIds:
- sg-a9a21fd3
subnetIds:
- subnet-753c3e03
- subnet-470a387a
- subnet-0c93c126
- subnet-80540bd8
functions:
hello:
handler: handler.hello

Can someone help?

guolei · September 14, 2016, 2:53pm

hi, did you make it working? I got exactly the same issue.

linxet · September 23, 2016, 2:14pm

Hi!

It seems that the team is working on this issue and simplifying the vpc stuff in this PR. Maybe we should wait some weeks for it.

marcteit · September 26, 2016, 1:22am

I’ve discovered a workaround for the current RC version.

1 - Edit your yml file and remove all SecurityGroups and Subnet configuration
2 - Add the following resource:

resources:
Resources:
AWSLambdaVPCAccessExecutionRole:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: Policy for allowing vpc connection.
Roles:
- {“Ref” : “IamRoleLambdaExecution”}
PolicyDocument:
Version: '2012-10-17’
Statement:
Effect: Allow
Action:
- “ec2:CreateNetworkInterface”
- “ec2:DescribeNetworkInterfaces”
- "ec2:DeleteNetworkInterface"
Resource: “*”

3 - Run sls deploy
4 - Notice that your Lambdas won’t work without the VPC/SG configurations, however Serverless will create the role correctly.
5 - Edit your yml file again and add the VPC/SG configurations
6 - Run sls deploy again.

Notice that Serverless works with Cloudformation, which updates the stack everytime you deploy.

Topic		Replies	Views
Help regarding VPC and other external resource Serverless Framework aws	4	7755	May 20, 2017
EC2 permissions for VPC are not set Serverless Framework aws	4	5413	November 26, 2016
Lambda Deploy into VPC Serverless Framework aws	7	29083	November 6, 2020
CloudFormation - CREATE_FAILED while using existing s3 bucket without `iam:CreateRole` Serverless Framework aws , lambda , security , cloudformation , iam	3	2509	August 3, 2023
Serverless AWS credentials issue Node.js Serverless Framework aws	2	1578	March 5, 2018

Unable to deploy lambda with specific VPC and SG

Related Topics