AWS IAM role creation is failing

Time:01-19

I have a DynamoDB table created in account A and a role created in the same account to perform some actions on it.

This role will be assumed by a lambda function deployed in account B. Right now I am only deploying the stack with the code above in account A. The stack for account B with the cdk for the lambda function will be deployed later. This is the relevant role code for the stack deployed in account A as below:

    from aws_cdk import aws_dynamodb as ddb, aws_iam as iam

    # DynamoDB table owned by account A
    self._ddb_table = ddb.Table(
        self,
        id,
        ...,  # remaining table properties elided in the original post
    )

    # Role in account A; currently trusts the Lambda service principal
    ddb_lambda_role = iam.Role(
        self,
        "ddb_lambda_role",
        assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
        role_name="ddb_lambda_role",
    )

    # Permissions the role grants on the table
    ddb_policy_stmt = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "dynamodb:Query",
            "dynamodb:GetItem",
            "dynamodb:GetRecords",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:BatchGetItem",
        ],
        resources=[self._ddb_table.table_arn],
    )

    ddb_lambda_role.add_to_policy(ddb_policy_stmt)

This gives an error saying: The following resource(s) failed to create: [ddblambdarole...].

There is no more information provided in the CLI or the web console. Is there anything wrong you see with the role created above? How do I create a cross-account role in the current account A that can be assumed by a Lambda function in another account, if not the way done above?

CodePudding user response:

Check your CloudTrail logs for events from iam.amazonaws.com; there you will find the true reason for the failure.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html#cloudtrail-log-file-examples-iam

CodePudding user response:

You should double-check your role's ability.

The role in account A which is assumed by the Lambda in account B must have the right trusted entity; in this case it is the execution role of the Lambda.

The execution role of the Lambda in account B must have the AssumeRole policy.

I think all you need is here: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
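The two halves of the cross-account setup this answer describes, as an added example that is not from the original post or from AWS: the policy documents written as plain Python dictionaries (no CDK import, so it runs offline) plus a check that both sides name each other. Account ids, region, table name and role names are constructed placeholders.

```python
# Constructed placeholder identifiers; not taken from the original post.
ACCOUNT_A = "111111111111"  # owns the DynamoDB table and ddb_lambda_role
ACCOUNT_B = "222222222222"  # owns the Lambda function and its execution role
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/ddb_lambda_role"
EXEC_ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/lambda_exec_role"


def trust_policy_for_account_a(execution_role_arn: str) -> dict:
    """Trust policy for ddb_lambda_role in account A.
    The principal is the Lambda execution role in account B, not the
    lambda.amazonaws.com service principal used in the question."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": execution_role_arn},
        "Action": "sts:AssumeRole",
    }]}


def service_trust_from_question() -> dict:
    """What iam.ServicePrincipal("lambda.amazonaws.com") produces: a trust
    for the Lambda service itself, with no cross-account principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]}


def assume_role_policy_for_account_b(target_role_arn: str) -> dict:
    """Identity policy attached to the execution role in account B,
    scoped to the one role in account A it is allowed to assume."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": target_role_arn,
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cross_account_assume_allowed(trust_policy: dict, caller_policy: dict,
                                 caller_arn: str, target_arn: str) -> bool:
    """Both halves must agree: A's trust policy names the caller, and the
    caller's own policy permits sts:AssumeRole on exactly A's role."""
    trusted = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and caller_arn in _as_list(s.get("Principal", {}).get("AWS", []))
        for s in trust_policy["Statement"])
    permitted = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action", []))
        and target_arn in _as_list(s.get("Resource", []))
        for s in caller_policy["Statement"])
    return trusted and permitted
```

The check is deliberately strict: a trust policy that only names the Lambda service, or an execution-role policy that points at a different role ARN, both return False.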
