
AWS Lambda getting AccessDeniedException when spinning up with vpc_config #13175

Closed

amanbisht opened this issue May 6, 2020 · 11 comments

Labels: service/iam (Issues and PRs that pertain to the iam service), service/lambda (Issues and PRs that pertain to the lambda service)

Comments

amanbisht commented May 6, 2020

I'm trying to spin up a Lambda function with vpc_config, but I'm getting an AccessDeniedException error. The role used in the Lambda has the AWSLambdaVPCAccessExecutionRole policy attached to it, which gives Lambda permission to create the necessary resources. I have also manually (via the console) created a Lambda with vpc_config using the same role created via terraform.

Terraform Version

Terraform v0.11.10

Affected Resource(s)

  • aws_lambda_function

Terraform Configuration Files

resource "aws_iam_role_policy_attachment" "dummy-attachment2" {
  role       = "${aws_iam_role.dummy.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "dummy" {
  filename      = "dummy.zip"
  function_name = "${var.environment_name}-dummy"
  role          = "${aws_iam_role.dummy.arn}"
  handler       = "index.handler"
  runtime       = "nodejs12.x"
  vpc_config {
    subnet_ids         = ["${var.db_secondary_subnet_id}", "${var.db_primary_subnet_id}"]
    security_group_ids = ["${aws_security_group.dummy.id}"]
  }
}

Debug Output

  • aws_lambda_function.dummy: 1 error(s) occurred:

  • aws_lambda_function.dummy: Error modifying Lambda Function Configuration dummy-lambda: AccessDeniedException:
    status code: 403, request id: 74e2661b-99c8-425a-98f1-11f5eef89a98

Expected Behavior

Lambda should get created, as I'm able to create the Lambda using the console with the same set of permissions.

Actual Behavior

Getting AccessDenied

Steps to Reproduce

  1. Create a Lambda with the role attached to it which I have shared above; make sure to pass some vpc_config values.
  2. terraform apply
@ghost ghost added service/iam Issues and PRs that pertain to the iam service. service/lambda Issues and PRs that pertain to the lambda service. labels May 6, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 6, 2020
@amanbisht (Author)

Is there any update on this?

@looper400

We are facing this issue. Someone please comment and help. Thanks in advance!

@akanshajain1

I am facing the same issue. Please provide any solution. Thanks in advance.

igor-dmitriev commented Aug 12, 2020

I figured it out, it turned out that my lambda source file was not accessible.

data "aws_s3_bucket_object" "jobs-lambda-s3" {
  bucket = "lambda-sources"
  key = "lambda-jobs.zip"
}

make sure that your zip file is accessible.

@akanshajain1

For me, there was an issue with iam:PassRole for my role.

nikhil-goenka (Contributor) commented Aug 26, 2020

Add depends_on to the lambda function to wait for the policies to be attached to the role before the lambda is provisioned.

  depends_on = [
    aws_iam_role_policy_attachment.dummy-attachment2,
  ]
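
As an added example (not part of the issue or the provider's own code), here is the reporter's configuration completed with the depends_on suggested above and a least-privilege iam:PassRole policy for the identity that runs terraform apply, which is the permission akanshajain1's comment points at. Resource and variable names are hypothetical, and the syntax follows the reported Terraform 0.11.

```hcl
# Added example, not the issue's original config; names are hypothetical.
# Terraform 0.11 interpolation syntax, matching the reporter's version.

# AWSLambdaVPCAccessExecutionRole grants the ec2 network-interface actions a
# VPC-attached function needs, plus CloudWatch Logs permissions.
resource "aws_iam_role_policy_attachment" "dummy-attachment2" {
  role       = "${aws_iam_role.dummy.name}"
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "dummy" {
  filename      = "dummy.zip"
  function_name = "${var.environment_name}-dummy"
  role          = "${aws_iam_role.dummy.arn}"
  handler       = "index.handler"
  runtime       = "nodejs12.x"

  vpc_config {
    subnet_ids         = ["${var.db_secondary_subnet_id}", "${var.db_primary_subnet_id}"]
    security_group_ids = ["${aws_security_group.dummy.id}"]
  }

  # The role ARN only orders the function after the role itself, not after the
  # policy attachment; without this, the function can be created while the role
  # still lacks the ec2 permissions and Lambda returns AccessDeniedException.
  depends_on = ["aws_iam_role_policy_attachment.dummy-attachment2"]
}

# Least-privilege iam:PassRole for whichever identity runs terraform apply:
# it may pass this one role, and only to the Lambda service.
resource "aws_iam_policy" "deployer-passrole" {
  name = "${var.environment_name}-pass-dummy-lambda-role"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "${aws_iam_role.dummy.arn}",
    "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } }
  }]
}
EOF
}
```

Attach deployer-passrole to the user or role that runs terraform; if the error persists, the remaining causes in this thread (unreadable S3 object, missing bucket, layer ARN from another region) all surface as the same AccessDeniedException.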

pomcho555 commented Nov 15, 2020

I just made a stupid mistake, which means I used different lambda layers.

Normally I use ap-northeast-1 for development. In this case I switched region to us-west-2 for practical use.
But I still used the layer on ap-northeast-1. That causes AccessDeniedException.

Like me, some people may misconfigure resources in another region.

Before

  layers = [
    "arn:aws:lambda:ap-northeast-1:770693421928:layer:Klayers-python38-requests:9"
  ]

After solved😄

  layers = [
    "arn:aws:lambda:us-west-2:770693421928:layer:Klayers-python38-requests:9"
  ]

Hailong commented May 7, 2021

I came across the same error message, while my problem is that the S3 bucket specified in the config file doesn't exist.

@justinretzolk (Member)

Hey all 👋 Thank you for taking the time to discuss this issue. It looks like the original issue may be a result of a few different possible configuration issues rather than a bug with the provider. I'm going to go ahead and close this issue for now. If you feel I've done this in error, please do let me know.

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Sep 27, 2021
@Elagasamel

I figured it out, it turned out that my lambda source file was not accessible.

data "aws_s3_bucket_object" "jobs-lambda-s3" {
  bucket = "lambda-sources"
  key = "lambda-jobs.zip"
}

make sure that your zip file is accessible.

Hello, how can I make sure that my zip file is accessible?

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 10, 2022