
AccessDenied: User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxx:role/aws-lambda-image-executor #153

Open
itinance opened this issue Dec 17, 2017 · 13 comments

Comments

@itinance

Can someone explain to me why our AWS user, which has Full S3 Access, isn't able to create an IAM role?

I get this error very early while deploying:

$ npm run deploy

[email protected] deploy /data/workspace/aws-lambda-image
claudia create --profile $npm_package_config_profile --region $npm_package_config_region --version dev --handler index.handler --no-optional-dependencies --timeout $npm_package_config_timeout --memory $npm_package_config_memory --policies policies/*.json

initialising IAM role iam.createRole RoleName=aws-lambda-image-executor
{ AccessDenied: User: arn:aws:iam::xxxxx:user/yyyyy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxx:role/aws-lambda-image-executor

Any help would be greatly appreciated!

@itinance
Author

Adding the following policy to the user put me one step ahead.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Now another issue occurs:

{ AccessDenied: User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: iam:PutRolePolicy on resource: role aws-lambda-image-executor

Seems that there is no real "admin" user having access to everything.

@itinance
Author

Modifying the policy from the latest comment and adding the action "iam:PutRolePolicy" fixed this issue.
Now it fails with "role already exists", so I had to remove the already created role manually.

The next issue that appears then is "user is not authorized to perform: lambda:CreateFunction on resource",
followed by "is not authorized to perform: iam:PassRole on resource:".

There is a big zoo of missing permissions. Can someone publish a policy with all the actions that are required to be whitelisted?

@itinance
Author

itinance commented Dec 17, 2017

This is my policy but it still fails on missing permissions for "iam:PassRole":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

@itinance
Author

itinance commented Dec 17, 2017

In the end, some more policy entries were required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

But now I'm stuck with

"claudia.json already exists in the source folder".

(which then exists in the root folder and needs to be removed)

All my attempts tell me that the script isn't able to be executed repeatedly, e.g. to only create a role if it doesn't exist, to only create a function after deleting an existing one, and so on.
Am I right about this, or did I do something wrong?

@itinance
Author

itinance commented Dec 17, 2017

Finally giving up now on this one, which can't be solved even by adding the specific actions to the user's policy:

user is not authorized to perform: lambda:AddPermission on resource
user is not authorized to perform: lambda:UpdateFunctionCode

What are other people doing with this repo? Any ideas?

UPDATE: finally figured out that AWS sometimes needs up to 10 minutes to apply policies

@itinance
Author

This is the final policy that is required to deploy the lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

@ysugimoto
Owner

@itinance It seems to be a permission issue with the running user. Which user is running the command? And does that user have permission to add IAM and Lambda roles?

@omnilinguist

^ Looks like iam:DetachRolePolicy is also needed for CloudFormation rollback?

@stewa11

stewa11 commented Oct 8, 2019

A huge thanks for this post. Using VS2019, ASP.NET Core and AWS.
Notes for a newbie: in the AWS console, choose IAM, create a new policy against the user, click the JSON tab and pop this code in, and the error goes away. Just for completeness, here is the code I used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:GetInstanceProfile",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

@jilna

jilna commented Apr 30, 2020

iam:AttachRolePolicy is also needed

@Atenadru

In AWS you must -> create a new policy and paste the above 💥🤷‍♀️✔

@francescotaioli

Like others have said (@stewa11 and @itinance), this is the configuration to put as a Permission on the user.
Note: wait some time for the changes to take effect!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1482712489000",
            "Effect": "Allow",
            "Action": [
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "lambda:CreateFunction",
                "lambda:InvokeAsync",
                "lambda:InvokeFunction",
                "iam:PassRole",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
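Added example (not code from the claudia CLI or the aws-lambda-image project): a small offline policy evaluator, with placeholder account id, region and role/function ARNs, that checks the deployer policy posted above against the thirteen actions the deploy needs. The security point it makes: the posted policy grants iam:CreateRole, iam:PutRolePolicy and iam:PassRole on every resource, which lets the deploy user create a role carrying any policy it likes and hand that role to a Lambda function it can then invoke, so the "deployer" is effectively an account administrator. The scoped version in the block keeps the same actions but pins them to the aws-lambda-image-executor role (the name from the original error) and a single function ARN, and allows iam:PassRole only when the receiving service is lambda.amazonaws.com via the iam:PassedToService condition key. The evaluator is a simplification of IAM's rules (no SCPs, permission boundaries, resource policies or NotAction) and is not a substitute for IAM's own policy simulator.

```python
"""
Added example (not claudia / aws-lambda-image code): a simplified offline
IAM policy evaluator comparing the thread's final deployer policy, which
allows every action on "Resource": "*", with a scoped version. It models
Allow/Deny, Action/Resource wildcards and StringEquals conditions only; not
SCPs, permission boundaries, resource policies or NotAction. The account id,
region and all ARNs below are placeholders (assumptions, not from the thread).
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id
REGION = "eu-central-1"   # placeholder region
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/aws-lambda-image-executor"
FUNC_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:aws-lambda-image"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/SomeAdminRole"  # unrelated, more privileged role (placeholder)

# The action list the thread converged on for `claudia create`.
DEPLOY_ACTIONS = [
    "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
    "iam:DetachRolePolicy", "iam:PassRole",
    "lambda:CreateFunction", "lambda:InvokeAsync", "lambda:InvokeFunction",
    "lambda:UpdateAlias", "lambda:CreateAlias", "lambda:GetFunctionConfiguration",
    "lambda:AddPermission", "lambda:UpdateFunctionCode",
]

# The thread's policy as posted: everything on "*".
THREAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": DEPLOY_ACTIONS, "Resource": ["*"]}]}

# Same actions pinned to the one role and one function the deploy touches;
# PassRole only when the receiving service is Lambda.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ManageExecutorRole", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PutRolePolicy",
                "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
     "Resource": ROLE_ARN},
    {"Sid": "PassExecutorRoleToLambdaOnly", "Effect": "Allow",
     "Action": "iam:PassRole", "Resource": ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Sid": "ManageThisFunction", "Effect": "Allow",
     "Action": [a for a in DEPLOY_ACTIONS if a.startswith("lambda:")],
     "Resource": [FUNC_ARN, FUNC_ARN + ":*"]},  # ":*" also covers alias-qualified ARNs
]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, fold_case):
    """IAM-style '*'/'?' matching: action names are case-insensitive, ARNs are not."""
    if fold_case:
        patterns, value = [p.lower() for p in _as_list(patterns)], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Only StringEquals is modelled; other operators fail loudly instead of silently passing."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny wins, any matching Allow grants, default is deny."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if (_matches(stmt.get("Action", []), action, fold_case=True)
                and _matches(stmt.get("Resource", []), resource, fold_case=False)
                and _condition_ok(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_for_deploy(policy):
    """Deploy actions the policy does not allow on the intended resource (empty = deploy works)."""
    ctx = {"iam:PassedToService": "lambda.amazonaws.com"}
    return [a for a in DEPLOY_ACTIONS
            if not is_allowed(policy, a, ROLE_ARN if a.startswith("iam:") else FUNC_ARN, ctx)]


def can_pass_any_role_anywhere(policy):
    """Privilege-escalation check: may the deployer hand an unrelated role to a non-Lambda service?"""
    return is_allowed(policy, "iam:PassRole", OTHER_ROLE_ARN,
                      {"iam:PassedToService": "ec2.amazonaws.com"})


if __name__ == "__main__":
    for name, pol in (("thread policy", THREAD_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(f"{name}: missing={missing_for_deploy(pol)}, "
              f"can_pass_any_role_anywhere={can_pass_any_role_anywhere(pol)}")
```

Running it shows both policies passing the deploy check while only the posted one also passes the PassRole-anywhere check. Before switching a real account to the scoped policy, confirm it with `aws iam simulate-principal-policy` against the actual deploy user, and keep the role ARN in sync with the role name claudia creates (aws-lambda-image-executor in the original report).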

@areedev

areedev commented Feb 17, 2023

In my case, it was solved by allowing the IAM user the iam:createRole and iam:createPolicy actions.


8 participants