From the link you mentioned it's nowhere mentioned that it's trying to set up/deploy the Lambda cross-account.
Are you sure you are deploying this Lambda while staying connected to the same account? It seems that you might not be connected to the account where you intend to deploy, which is why you are getting "Error creating Lambda function: Cross-account pass role is not allowed".
If this setup is for cross account:
1. Account-1, from where you deploy this Lambda: the role should have the following permission:
   AssumeRolePolicy:
     Type: AWS::IAM::Policy
     Properties:
       PolicyDocument:
         Statement:
           - Action: ["sts:AssumeRole"]
             Resource: !Sub "arn:aws:iam::${TargetDeploymentAccountId}:role/lambda-execution-role"
             Effect: Allow
2. Account-2, Target Deployment Account:
   CrossAccountPassRole:
     Type: AWS::IAM::Role
     Properties:
       RoleName: cross-account-pass-role
       Path: /
       AssumeRolePolicyDocument:
         Version: 2012-10-17
         Statement:
           - Effect: Allow
             Principal:
               # Or replace root with the Account-1 role (which you used in the CLI commands) that is deploying the Lambda
               AWS: !Sub "arn:aws:iam::${DeploymentAccountId}:root"
             Action: sts:AssumeRole
   CrossAccountPassRolePolicy:
     Type: AWS::IAM::Policy
     Properties:
       PolicyName: CrossAccountPassRolePolicy
       PolicyDocument:
         Version: 2012-10-17
         Statement:
           - Effect: Allow
             Action:
               - iam:PassRole
             Resource: "*"
       Roles: [!Ref CrossAccountPassRole]
For more details, see "Identity-based IAM policies for Lambda".
In summary, the role which is being used to deploy the Lambda function should have the iam:PassRole permission for the Lambda execution role. If both roles are in the same account, then only the first part is needed (that might already be there, so nothing might be required). Since the error suggests cross-account, the Lambda execution role in Account-2 should allow the Account-1 role, which is why I mentioned the setup on the Account-2 side as well.
Feel free to comment here if you have any additional questions, happy to help.
Error message "Error creating Lambda function: Cross-account pass role is not allowed" typically occurs when you are attempting to create or update an AWS Lambda function using an IAM role from a different AWS account.
Lambda functions require an IAM role to define the necessary permissions for the function to execute. By default, the role used must be within the same AWS account as the Lambda function.
Depending on your scenario, you will choose between these alternatives:
1). Use a role from the same AWS account: Ensure that the IAM role you are specifying for your Lambda function belongs to the same AWS account. You can create a new IAM role within the same AWS account and assign it the necessary permissions for your Lambda function. Then, use that role when creating or updating your Lambda function.
2). Share the IAM role across accounts (cross-account access): If you specifically need to use an IAM role from a different AWS account, you can set up cross-account access. This involves creating a trust relationship between the two AWS accounts, allowing the IAM role from one account to be assumed by the Lambda function in the other account. Ensure appropriate permissions in both accounts. You should consult the AWS documentation for detailed instructions on setting up cross-account access. NOTE: watch out for the ARN in the details of the resources used in your IAM policies. Let me know if this helps.
Hi. Check the ARN of the role when you execute the command. It seems that the error regarding the cross-account occurred because the ARN of a role created by another account was specified.
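All three answers above come down to the same two points: first check whether the account ID inside the execution role ARN matches the account you are deploying from, and only then, if it really is cross-account, add a trust relationship plus an iam:PassRole grant. The script below is an added example (not code from the re:Post thread or from AWS) that does both offline: it parses ARNs to make the same-account/cross-account diagnosis, and it emits the two policy documents. It deliberately tightens the thread's `Resource: "*"` to the single execution role and adds the `iam:PassedToService` condition so the role can only be passed to Lambda; that least-privilege narrowing is my choice, not something the answers above state. The account IDs 111111111111 / 222222222222 and the role names `deployer-role` and `lambda-execution-role` are constructed placeholders.

```python
"""Diagnose a "Cross-account pass role is not allowed" situation offline and
build least-privilege policy documents for the cross-account case.

Added example; account IDs and role names below are constructed placeholders.
"""
import json
import re
from dataclasses import dataclass

# arn:partition:service:region:account-id:resource  (region/account may be empty)
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*)"
    r":(?P<account>\d{12}|):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its components; raises ValueError on malformed input."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(**m.groupdict())


def diagnose_pass_role(caller_arn: str, execution_role_arn: str) -> str:
    """Return 'same-account' when Lambda will accept the role as given, or
    'cross-account' when the deploying identity (an IAM user/role or an STS
    assumed-role ARN) and the execution role live in different accounts,
    which is the condition behind the error in the question."""
    caller = parse_arn(caller_arn)
    role = parse_arn(execution_role_arn)
    if role.service != "iam" or not role.resource.startswith("role/"):
        raise ValueError("execution role must be an IAM role ARN")
    return "same-account" if caller.account == role.account else "cross-account"


def trust_policy(deployer_arn: str) -> dict:
    """Trust policy for the role in the target account. It trusts only the
    deploying role rather than the whole source account root."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": deployer_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def pass_role_policy(execution_role_arn: str) -> dict:
    """iam:PassRole scoped to the one execution role, and only when that role
    is being passed to Lambda (iam:PassedToService), instead of Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": execution_role_arn,
            "Condition": {
                "StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}
            },
        }],
    }


if __name__ == "__main__":
    # Constructed sample: the CLI session in Account-1, the role in Account-2.
    deployer = "arn:aws:sts::111111111111:assumed-role/deployer-role/cli-session"
    deployer_role = "arn:aws:iam::111111111111:role/deployer-role"
    exec_role = "arn:aws:iam::222222222222:role/lambda-execution-role"
    print("diagnosis:", diagnose_pass_role(deployer, exec_role))
    print(json.dumps(trust_policy(deployer_role), indent=2))
    print(json.dumps(pass_role_policy(exec_role), indent=2))
```

In practice the caller ARN comes from `aws sts get-caller-identity` in the same shell you run the deployment from; if the diagnosis prints `same-account`, the fix is the missing iam:PassRole grant, not the cross-account setup.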
If you have additional questions, please comment here, else please accept the answer for better community experience. Thank you.