Lambda functions: Allow lambda function to use VPC

AWS Lambda IAM

2 min read | by Jordi Prats

Lambda functions sometimes need to interact with other AWS services, and depending on how the function is configured, that may require explicit permissions in its execution role.

For example, if we assign a Lambda function a role with the following policy, which only allows ssm:PutParameter:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateUpdateDescribeSSMParameters",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter"
      ],
      "Resource": "*"
    }
  ]
}

We won't be able to execute the Lambda function, because its role is not allowed to create the network interfaces Lambda needs to attach the function to the VPC and reach private resources while it runs. We'll get an error similar to:

The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: Lambda, Status Code: 400, Request ID: f05a63e7-6461-445e-a438-17cc7eba6d99)
We'll have to add a new policy (or update the existing one) to explicitly allow the EC2 operations Lambda uses to manage those network interfaces:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCreateUpdateDescribeSSMParameters",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DescribeParameters",
        "ssm:GetParameter*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaExecution",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
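To catch this before deploying, a static check over the execution role's policy document can tell whether the three ENI actions above are granted. This is an added example, not code from the post; it assumes a simplified IAM evaluation (wildcard matching on action names, explicit Deny wins, Condition and NotAction ignored) and treats only Resource "*" as a grant, and it generalises slightly by accepting wildcard grants such as ec2:*NetworkInterface*.

```python
import fnmatch
import json

# EC2 actions the Lambda service needs in the execution role to attach a function
# to a VPC (the ones the "LambdaExecution" statement above grants).
VPC_ACTIONS = (
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
)

def _as_list(value):
    """IAM allows "Statement", "Action" and "Resource" as a single item or a list."""
    return [] if value is None else [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    """IAM action names are case-insensitive and accept '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_vpc_actions(policy_json):
    """Return the VPC-attachment actions this policy does not grant.
    Granted = an Allow statement matches the action (literally or by wildcard) with
    Resource "*" and no Deny matches it. Simplified: Condition/NotAction are ignored.
    """
    statements = _as_list(json.loads(policy_json).get("Statement"))
    missing = []
    for action in VPC_ACTIONS:
        allowed = denied = False
        for stmt in statements:
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
                allowed = True
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed samples: the SSM-only policy from the post, and a corrected variant that
# grants the EC2 actions through a wildcard instead of listing them one by one.
SSM_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ssm:PutParameter", "Resource": "*"}]})
WITH_VPC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:PutParameter", "ssm:GetParameter*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*NetworkInterface*", "Resource": "*"}]})

if __name__ == "__main__":
    print("ssm-only missing:", missing_vpc_actions(SSM_ONLY))
    print("with-vpc missing:", missing_vpc_actions(WITH_VPC))
```

AWS also ships the managed policy AWSLambdaVPCAccessExecutionRole, which grants these same ENI actions (among others) if you prefer not to maintain the statement yourself.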

Posted on 06/02/2023
