
AWS IAM role creation is failing

I have a DynamoDB table created in account A and a role created in the same account to perform some actions on it.

This role will be assumed by a Lambda function deployed in account B. Right now I am only deploying the stack with the code below in account A; the stack for account B with the CDK for the Lambda function will be deployed later. This is the relevant role code for the stack deployed in account A:

    from aws_cdk import aws_dynamodb as ddb, aws_iam as iam

    # Inside the stack's __init__ (self is the Stack, id the construct id passed in).
    self._ddb_table = ddb.Table(
        self,
        id,
        # ... remaining table properties elided in the original post
    )

    # Trust policy as written: only the Lambda *service* principal may assume this
    # role, i.e. it is shaped like an execution role. Code in a function that calls
    # sts:AssumeRole does so as that function's execution role, an AWS principal,
    # which this trust policy does not name.
    ddb_lambda_role = iam.Role(
        self,
        "ddb_lambda_role",
        assumed_by=iam.ServicePrincipal("lambda.amazonaws.com"),
        # Fixed physical name: IAM rejects CreateRole if a role named
        # ddb_lambda_role already exists in the account.
        role_name="ddb_lambda_role",
    )

    # Permissions granted to whoever holds the role, scoped to this one table.
    ddb_policy_stmt = iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "dynamodb:Query",
            "dynamodb:GetItem",
            "dynamodb:GetRecords",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:BatchGetItem",
        ],
        resources=[self._ddb_table.table_arn],
    )

    ddb_lambda_role.add_to_policy(ddb_policy_stmt)

This gives an error saying: The following resource(s) failed to create: [ddblambdarole...].

There is no more information provided in the CLI or in the web console. Is there anything wrong you can see with the role created above? How do I create a cross-account role in the current account A that can be assumed by a Lambda function in another account, if not the way done above?

EDIT

Adding screenshot (image not reproduced here).

Check your CloudTrail logs for events from iam.amazonaws.com; there you will find the true reason for the failure.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html#cloudtrail-log-file-examples-iam
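Doing what this answer suggests in code, as an added example (not code from the answer or the post): CloudFormation only reports that the resource failed, but every IAM API call it made is in CloudTrail with an errorCode and errorMessage when it failed. The records below are a constructed sample in the documented CloudTrail record format, not the asker's real log, and the error they contain is for illustration only; the script also skips the GetRole probe CloudFormation issues first, whose NoSuchEntity "failure" is expected and easily mistaken for the cause.

```python
"""Pull the failed IAM API call out of CloudTrail when CloudFormation only says
"The following resource(s) failed to create".

Added example; not code from the original post. RECORDS is a constructed
sample in the CloudTrail record format, not the asker's actual log.
"""
import json

# Constructed sample: IAM events as they appear in a CloudTrail log file's
# "Records" array. Only the fields this script reads are included.
RECORDS = [
    {   # CloudFormation probes for the role first; this "failure" is expected
        # and must not be mistaken for the real cause.
        "eventTime": "2021-03-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "GetRole",
        "requestParameters": {"roleName": "ddb_lambda_role"},
        "errorCode": "NoSuchEntity",
        "errorMessage": "The role with name ddb_lambda_role cannot be found.",
    },
    {   # The mutating call that actually failed (constructed error, for illustration).
        "eventTime": "2021-03-01T10:00:05Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "requestParameters": {"roleName": "ddb_lambda_role"},
        "errorCode": "EntityAlreadyExists",
        "errorMessage": "Role with name ddb_lambda_role already exists.",
    },
    {   # A successful call carries no errorCode at all.
        "eventTime": "2021-03-01T10:00:06Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "requestParameters": {"roleName": "other_role"},
    },
]
SAMPLE_LOG_FILE = json.dumps({"Records": RECORDS})
# The same events in the shape `aws cloudtrail lookup-events` prints: each
# record is embedded as a JSON string under "CloudTrailEvent".
SAMPLE_LOOKUP_OUTPUT = json.dumps(
    {"Events": [{"EventName": r["eventName"], "CloudTrailEvent": json.dumps(r)}
                for r in RECORDS]}
)

# IAM calls CloudFormation makes while creating an AWS::IAM::Role; restricting
# to these skips the benign GetRole probe.
ROLE_MUTATIONS = {"CreateRole", "PutRolePolicy", "AttachRolePolicy",
                  "UpdateAssumeRolePolicy"}


def iam_failures(records, event_names=None):
    """Return the IAM events that carry an errorCode, oldest first.

    event_names, if given, restricts the result to those API calls.
    """
    found = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or "errorCode" not in rec:
            continue
        if event_names and rec.get("eventName") not in event_names:
            continue
        found.append({
            "time": rec.get("eventTime"),
            "event": rec.get("eventName"),
            "role": (rec.get("requestParameters") or {}).get("roleName"),
            "error": rec["errorCode"],
            "message": rec.get("errorMessage", ""),
        })
    return sorted(found, key=lambda f: f["time"] or "")


def failures_from_log_file(text, event_names=None):
    """Parse a CloudTrail log file (the JSON CloudTrail delivers to S3)."""
    return iam_failures(json.loads(text).get("Records", []), event_names)


def failures_from_lookup_events(text, event_names=None):
    """Parse the JSON printed by `aws cloudtrail lookup-events --output json`."""
    events = json.loads(text).get("Events", [])
    return iam_failures([json.loads(e["CloudTrailEvent"]) for e in events],
                        event_names)


if __name__ == "__main__":
    for f in failures_from_lookup_events(SAMPLE_LOOKUP_OUTPUT, ROLE_MUTATIONS):
        print(f"{f['time']} {f['event']} role={f['role']}: "
              f"{f['error']} - {f['message']}")
```

To run it against a real account, feed `failures_from_lookup_events` the output of `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com --output json`. IAM is a global service, so its CloudTrail events are recorded in us-east-1 regardless of where the stack was deployed; query that region (or the trail's S3 bucket) or the CreateRole event will not be there.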

You should double-check your role's abilities.

The role in account A which is assumed by the Lambda in account B must have the right trusted entity, in this case the execution role of the Lambda.

The execution role of the Lambda in account B must have the AssumeRole policy.

I think this is all you need: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
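The two requirements in this answer, written out as the IAM policy documents CDK would synthesize, as an added example (not code from the answer, the post, or the linked article). The account IDs, the table ARN and the execution-role name are placeholders chosen here. The first trust policy is what the question's `iam.ServicePrincipal("lambda.amazonaws.com")` produces; the `trusts()` check shows why it does not admit the account-B execution role, while the cross-account variant does. The last function is what the Lambda in account B would call, which is the step the linked article describes.

```python
"""The two trust relationships a cross-account Lambda needs, as the IAM policy
documents CDK would synthesize.

Added example, not code from the post or the linked article. Account IDs,
the table ARN and the execution-role name are placeholders (assumptions).
"""
import json

ACCOUNT_A = "111111111111"  # assumed: owns the DynamoDB table and ddb_lambda_role
ACCOUNT_B = "222222222222"  # assumed: owns the Lambda function
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_A}:table/orders"  # assumed table name
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/ddb_lambda_role"
EXEC_ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/orders-fn-exec-role"  # assumed name

# The actions from the question's PolicyStatement.
DDB_ACTIONS = ["dynamodb:Query", "dynamodb:GetItem", "dynamodb:GetRecords",
               "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:BatchGetItem"]


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def trust_policy_lambda_service():
    """What iam.ServicePrincipal("lambda.amazonaws.com") in the question yields:
    only the Lambda service itself may assume the role (an execution-role trust).
    Code inside a function calls sts:AssumeRole as its execution role, which is
    an AWS principal, so this document never admits the function in account B."""
    return _doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"Service": "lambda.amazonaws.com"}})


def trust_policy_cross_account(principal_arn):
    """Role in account A: trust the account-B execution role by ARN, or (less
    tightly) account B's root, which delegates the decision to B's own policies."""
    return _doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": principal_arn}})


def table_permissions(table_arn):
    """Permissions policy on the account-A role: the question's actions, one table."""
    return _doc({"Effect": "Allow", "Action": DDB_ACTIONS, "Resource": [table_arn]})


def exec_role_assume_policy(role_a_arn):
    """Inline policy on the account-B execution role: it must itself be allowed
    to call sts:AssumeRole on the account-A role. Both sides have to agree."""
    return _doc({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_a_arn})


def trusts(trust_policy, role_arn):
    """True if a role with this ARN is named, directly or via its account root,
    as an AWS principal allowed to call sts:AssumeRole. Service principals are
    deliberately ignored: they never admit a role from another account."""
    account = role_arn.split(":")[4]
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        aws = st.get("Principal", {}).get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if any(p in (role_arn, f"arn:aws:iam::{account}:root", account) for p in aws):
            return True
    return False


def dynamodb_client_as_role_a(role_arn=ROLE_A_ARN, session_name="ddb-cross-account"):
    """Inside the Lambda in account B: exchange the execution-role credentials
    for account-A credentials, then talk to the table. boto3 is imported here so
    the policy helpers above run without it installed."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client("dynamodb", region_name="us-east-1",
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    print("question's trust policy admits B's execution role:",
          trusts(trust_policy_lambda_service(), EXEC_ROLE_B_ARN))
    print("cross-account trust policy admits it:",
          trusts(trust_policy_cross_account(EXEC_ROLE_B_ARN), EXEC_ROLE_B_ARN))
    print(json.dumps(trust_policy_cross_account(EXEC_ROLE_B_ARN), indent=2))
    print(json.dumps(exec_role_assume_policy(ROLE_A_ARN), indent=2))
```

In the asker's CDK, `trust_policy_cross_account` corresponds to `assumed_by=iam.ArnPrincipal(exec_role_arn)` (or `iam.AccountPrincipal(account_b)`), and `exec_role_assume_policy` to an `iam.PolicyStatement(actions=["sts:AssumeRole"], resources=[role_a_arn])` added to the execution role in the account-B stack. One ordering caveat, since the account-B stack is to be deployed later: IAM validates AWS principals when the trust policy is saved, so naming an execution role ARN that does not exist yet makes CreateRole fail with an invalid-principal error. Trusting the account-B root avoids that at the cost of relying on account B's own policies to restrict who may assume the role.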

The technical posts on this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions please contact: yoyou2525@163.com.

 