_This issue was originally opened by @Fjandin as hashicorp/terraform#10577. It was migrated here as part of the provider split. The original body of the issue is below._
I'm on Terraform v0.7.13
I'm pretty new (1 day usage of terraform, so sorry if this question is stupid and the answer is in the documentation somewhere :P )
I have this terraform file.
It's a setup of vpc, subnets, roles, sec grp, and lambda.
When I run the first terraform apply I get
* aws_lambda_function.main: Error creating Lambda function: AccessDeniedException: Your access has been denied by EC2, please make sure your function execution role have permission to CreateNetworkInterface. EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.
status code: 403 ...
Which I find weird, because I have defined those permissions in the policy. If I then run terraform apply a second time, it works and the lambda is created.
I am hitting the exact same problem, on second run it works just fine
Running TF 0.9.10
Is there any word on this?
I appear to be running into the same issue, the policy/role absolutely allow describe/create/delete for network interfaces.
Having the same issue here
@CalebMacdonaldBlack
You are missing this for your lambda IAM role
```json
{
  "Sid": "EniCreateDeleteAccessForVpcExecution",
  "Action": [
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces"
  ],
  "Effect": "Allow",
  "Resource": "*"
},
```
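A pre-apply check for the statement quoted above, as an added example that is not part of the original comment or the provider's code: it reports which of the three ENI actions a Lambda role policy document fails to allow. The function name and the sample policies are constructed for illustration, and the check is a simplification that looks only at `Action`, `Effect`, `Resource` and the presence of `Condition` (it ignores `NotAction`).

```python
import fnmatch
import json

# The three actions from the statement quoted in the comment above.
REQUIRED = (
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
)

def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    name = action.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def missing_eni_actions(policy_json):
    """Return the REQUIRED actions the policy does not unconditionally allow."""
    doc = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        for req in REQUIRED:
            if not _matches(req, actions):
                continue
            if stmt.get("Effect") == "Deny":
                denied.add(req)  # an explicit Deny always wins over an Allow
            elif (stmt.get("Effect") == "Allow"
                  and "*" in _as_list(stmt.get("Resource"))
                  and "Condition" not in stmt):
                allowed.add(req)
    return [a for a in REQUIRED if a not in allowed or a in denied]

# Constructed sample: a role policy that only grants CloudWatch Logs access.
LOGS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"}]})

if __name__ == "__main__":
    for action in missing_eni_actions(LOGS_ONLY):
        print("role policy does not allow", action)
```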
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!