CREATE_FAILED: IamRoleLambdaExecution

0

My task use case is:

  1. Upload excel files from front end to s3 (done)
  2. Create sqs queue to process excels uploads + dlq
  3. Create producer and consumer lambda functions
  4. Add s3 upload event trigger to producer lambda
  5. Add sqs worker lambda to consumer lambda

For that I have created the CloudFormation C# template serverless.yml below. When deployed locally it throws an error:

```yaml
service: deal-price-excel-upload
frameworkVersion: '3'

provider:
  name: aws
  runtime: dotnet6
  stage: ${sls:stage}
  region: eu-west-2

package:
  individually: true
  patterns:
    - '**/*'

functions:
  dealPriceExcelUploadProducer:
    handler: src/Handler/DealPrices/DealPriceExcelUploadProducer.Handler
    events:
      - s3:
          bucket: ag-staging-buckets
          event: s3:ObjectCreated:*
          rules:
            - prefix: uploads/deals/deal-price-excel
          existing: true

  dealPriceExcelUploadConsumer:
    handler: src/Handler/DealPrices/DealPriceExcelUploadConsumer.Handler
    events:
      - sqs: arn:aws:sqs:eu-west-2:${AWS::AccountId}:DealPriceExcelConsumerQueue
      # - sqs: arn:aws:sqs:${env:AWS_DEFAULT_REGION}:${AWS::AccountId}:DealPriceExcelConsumerQueue

  dealPriceExcelUploadConsumerDlq:
    handler: src/Handler/DealPrices/DealPriceExcelUploadConsumer.Handler
    events:
      - sqs: arn:aws:sqs:eu-west-2:${AWS::AccountId}:DealPriceExcelConsumerDLQ
      # - sqs: arn:aws:sqs:${env:AWS_DEFAULT_REGION}:${AWS::AccountId}:DealPriceExcelConsumerDLQ

resources:
  Resources:
    PermisionToS3AccessFunctionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: PermisionToS3AccessFunctionRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        Policies:
          - PolicyName: S3AndCloudWatchLogsPolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - logs:PutLogEvents
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                  Resource: "arn:aws:logs:*:*:*"
                - Effect: Allow
                  Action:
                    - s3:GetObject
                  Resource: "arn:aws:s3:::ag-staging-buckets/*"

    # Must sit under Resources (it was indented one level too far out)
    DealPriceExcelConsumerQueue:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: DealPriceExcelConsumerQueue
        RedrivePolicy:
          deadLetterTargetArn: !GetAtt DealPriceExcelUploadConsumerDlq.Arn

    DealPriceExcelUploadConsumerDlq:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: DealPriceExcelUploadConsumerDlq

  Outputs:
    DealPriceExcelConsumerQueueURL:
      Description: URL of DealPriceExcelConsumer Queue
      Value: !GetAtt DealPriceExcelConsumerQueue.QueueUrl

    DealPriceExcelConsumerQueueARN:
      Description: ARN of DealPriceExcelConsumer Queue
      Value: !GetAtt DealPriceExcelConsumerQueue.Arn

    DealPriceExcelUploadConsumerDlqURL:
      Description: URL of dead-letter queue
      Value: !GetAtt DealPriceExcelUploadConsumerDlq.QueueUrl

    DealPriceExcelUploadConsumerDlqARN:
      Description: ARN of DealPriceExcelUploadConsumer Dlq
      Value: !GetAtt DealPriceExcelUploadConsumerDlq.Arn
```

Error response is:

```text
Deploying to stage dev
deal-price-excel-upload › waiting
deal-price-excel-upload › deploying
deal-price-excel-upload › Running "serverless deploy --stage dev"
deal-price-excel-upload › Running "serverless" from node_modules
deal-price-excel-upload › Deploying deal-price-excel-upload to stage dev (eu-west-2)
deal-price-excel-upload › × Stack deal-price-excel-upload-dev failed to deploy (30s)
deal-price-excel-upload › Environment: linux, node 20.10.0, framework 3.38.0 (local) 3.38.0v (global), plugin 7.2.0, SDK 4.5.1
deal-price-excel-upload › Credentials: Local, "default" profile
deal-price-excel-upload › Docs:        docs.serverless.com
deal-price-excel-upload › Support:     forum.serverless.com
deal-price-excel-upload › Bugs:        github.com/serverless/serverless/issues
deal-price-excel-upload › Error:
deal-price-excel-upload › CREATE_FAILED: IamRoleLambdaExecution (AWS::IAM::Role)
deal-price-excel-upload › Resource handler returned message: "The policy failed legacy parsing (Service: Iam, Status Code: 400, Request ID: 730862c6-b605-4c15-8b58-7c691fe36aa4)" (RequestToken: 0227d58a-8023-16c4-346a-986b9558862c, HandlerErrorCode: InvalidRequest)
deal-price-excel-upload › 
deal-price-excel-upload › View the full error: https://eu-west-2.console.aws.amazon.com/cloudformation/home?region=eu-west-2#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aeu-west-2%3A590183890325%3Astack%2Fdeal-price-excel-upload-dev%2Fcfd04531-fc20-11ee-b794-0a739426bea1
deal-price-excel-upload › error
deal-price-excel-upload › Error:
deal-price-excel-upload › CREATE_FAILED: IamRoleLambdaExecution (AWS::IAM::Role)
deal-price-excel-upload › Resource handler returned message: "The policy failed legacy parsing (Service: Iam, Status Code: 400, Request ID: 730862c6-b605-4c15-8b58-7c691fe36aa4)" (RequestToken: 0227d58a-8023-16c4-346a-986b9558862c, HandlerErrorCode: InvalidRequest)
deal-price-excel-upload › 
deal-price-excel-upload › View the full error: https://eu-west-2.console.aws.amazon.com/cloudformation/home?region=eu-west-2#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aeu-west-2%3A590183890325%3Astack%2Fdeal-price-excel-upload-dev%2Fcfd04531-fc20-11ee-b794-0a739426bea1
deal-price-excel-upload › 
```

Please help me sort out this error.

3 Answers
0
Accepted Answer

When I corrected the resources like this, it sorted out my issue:

```yaml
Resources:
    DealPriceExcelConsumerQueue:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: DealPriceExcelConsumerQueue
        RedrivePolicy:
          deadLetterTargetArn: !GetAtt DealPriceExcelConsumerDLQ.Arn
          maxReceiveCount: 5
      UpdateReplacePolicy: Snapshot

    DealPriceExcelProducerDLQ:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: DealPriceExcelProducerDLQ
      UpdateReplacePolicy: Snapshot

    DealPriceExcelConsumerDLQ:
      Type: AWS::SQS::Queue
      Properties:
        QueueName: DealPriceExcelConsumerDLQ
      UpdateReplacePolicy: Snapshot

    DealPriceExcelConsumerQueuePolicy:
      Type: AWS::SQS::QueuePolicy
      Properties:
        Queues:
          - !Ref DealPriceExcelConsumerQueue
          - !Ref DealPriceExcelConsumerDLQ
          - !Ref DealPriceExcelProducerDLQ
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - 'sqs:DeleteMessage'
                - 'sqs:GetQueueAttributes'
                - 'sqs:ReceiveMessage'
                - 'sqs:SendMessage'
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              Resource: 'arn:aws:sqs:eu-west-2:${AWS::AccountId}:DealPriceExcelConsumerQueue'
            - Effect: Allow
              Action:
                - 'sqs:DeleteMessage'
                - 'sqs:GetQueueAttributes'
                - 'sqs:ReceiveMessage'
                - 'sqs:SendMessage'
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              # Queue name must match the DealPriceExcelConsumerDLQ resource above
              Resource: 'arn:aws:sqs:eu-west-2:${AWS::AccountId}:DealPriceExcelConsumerDLQ'
            - Effect: Allow
              Action:
                - 'sqs:DeleteMessage'
                - 'sqs:GetQueueAttributes'
                - 'sqs:ReceiveMessage'
                - 'sqs:SendMessage'
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              Resource: 'arn:aws:sqs:eu-west-2:${AWS::AccountId}:DealPriceExcelProducerDLQ'

    DealPriceExcelEventTriggerPolicy:
      Type: AWS::IAM::Policy
      Properties:
        PolicyName: DealPriceExcelEventTriggerPolicy
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - logs:PutLogEvents
                - logs:CreateLogGroup
                - logs:CreateLogStream
              Resource: 'arn:aws:logs:*:*:*'
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource: 'arn:aws:s3:::${self:custom.bucketName}/*'
        Roles:
          - !Ref DealPriceExcelExecutionRole

    DealPriceExcelExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
                  - sqs.amazonaws.com
                  - s3.amazonaws.com
              Action:
                - sts:AssumeRole
        Policies:
          - PolicyName: DealPriceExcelEventTriggerPolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - logs:PutLogEvents
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                  Resource: 'arn:aws:logs:*:*:*'
                - Effect: Allow
                  Action:
                    - s3:GetObject
                  Resource: 'arn:aws:s3:::${self:custom.bucketName}/*'
          - PolicyName: SQSPolicy
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - lambda:CreateEventSourceMapping
                    - lambda:ListEventSourceMappings
                    - lambda:ListFunctions
                    - sqs:DeleteMessage
                    - sqs:GetQueueAttributes
                    - sqs:ReceiveMessage
                    - sqs:SendMessage
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource: "*"

    DealPriceExcelUploadProducerFunction:
      Type: AWS::Lambda::Function
      Properties:
        Role: !GetAtt DealPriceExcelExecutionRole.Arn
        Runtime: nodejs18.x
        FunctionName: DealPriceExcelUploadProducerFunction
        Handler: index.handler
        DeadLetterConfig:
          TargetArn: !GetAtt DealPriceExcelProducerDLQ.Arn
        Environment:
          Variables:
            producerQueueUrl: !Ref DealPriceExcelConsumerQueue
            producerDlQueueUrl: !Ref DealPriceExcelProducerDLQ
        Code:
          # Inline ZipFile code is written to index.js, which Node loads as CommonJS,
          # so use require/exports and plain JavaScript (no TypeScript annotations).
          ZipFile: |
            const { SQS } = require("@aws-sdk/client-sqs");
            const region = process.env.AWS_REGION ?? "eu-west-2";
            const sqs = new SQS({ apiVersion: "2012-11-05", region: region });
            const producerQueueUrl = process.env.producerQueueUrl;
            const producerDlQueueUrl = process.env.producerDlQueueUrl;

            // Forward every S3 record to the consumer queue, retrying up to maxRetries
            // times; a record that still fails is sent to the producer DLQ instead.
            exports.handler = async (event) => {
              for (const record of event.Records) {
                let retryCount = 0;
                const maxRetries = 5;
                while (retryCount <= maxRetries) {
                  try {
                    await ProcessEvent(record, producerQueueUrl);
                    break; // this record is done, continue with the next one
                  } catch (err) {
                    if (retryCount == maxRetries) {
                      await AddToDlq(record);
                      break;
                    }
                    retryCount++;
                  }
                }
              }
              return event;
            };

            const ProcessEvent = async (record, queueUrl) => {
              const bucket = record.s3.bucket.name;
              // S3 event keys are URL-encoded, with spaces as '+'
              const key = decodeURIComponent(record.s3.object.key.replace(/\+/g, " "));
              const payload = { Bucket: bucket, Key: key };
              await sqs.sendMessage({
                MessageBody: JSON.stringify(payload),
                QueueUrl: queueUrl
              });
            };

            const AddToDlq = async (record) => {
              await ProcessEvent(record, producerDlQueueUrl);
            };
```
answered 21 days ago
0

Hello.

Judging from the content of the error, it appears that there is a problem with the syntax of the IAM policy.
However, looking at the template, there doesn't seem to be any problem with the syntax.
It may not matter much, but why not try changing all double quotes to single quotes?
I have had experience resolving errors with this in the past.

Also, check which resources are causing creation errors directly from the CloudFormation stack screen.

EXPERT
answered a month ago
0

It looks like you are using the Serverless Framework. In your functions section, try using ${aws:accountId} rather than ${AWS::AccountId} in your ARN references. That is the Serverless-native way to substitute the current account ID [1]. The functions section is not CloudFormation, so I do not believe that the CloudFormation pseudo-parameter ${AWS::AccountId} can be used.

[1] https://www.serverless.com/framework/docs-providers-aws-guide-variables

AWS
answered a month ago
AWS
EXPERT
reviewed a month ago
  • Not sorted; the issue here is that I have to configure all permissions using the CloudFormation template.
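An added pre-deploy check, not from the question or any of the answers, that catches the failure mode in this thread before IAM does: after `serverless package`, the packaged CloudFormation template (normally `.serverless/cloudformation-template-update-stack.json`) is walked for inline IAM policy `Resource` ARNs that still contain an unresolved `${...}` placeholder (such as `${AWS::AccountId}`, which is a CloudFormation pseudo-parameter rather than a Serverless variable) or that are otherwise malformed. The embedded template fragment is constructed to mirror the generated IamRoleLambdaExecution role; the `find_bad_arns` function and the ARN pattern are the example's own.

```python
import re

# Constructed fragment (not the page's real packaged template) mirroring the
# IamRoleLambdaExecution role Serverless generates for an `sqs:` event whose ARN was
# written with ${AWS::AccountId}; Serverless does not substitute that token, so the
# literal string reaches IAM and fails policy parsing.
SAMPLE_TEMPLATE = {"Resources": {"IamRoleLambdaExecution": {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{
        "PolicyName": "dev-deal-price-excel-upload-lambda",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": ["arn:aws:logs:*:*:*"]},
            {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
             "Resource": ["arn:aws:sqs:eu-west-2:${AWS::AccountId}:DealPriceExcelConsumerQueue"]},
        ]},
    }]},
}}}

# arn:partition:service:region:account:resource; region may be empty or "*",
# account must be empty, "*" or exactly 12 digits.
ARN_RE = re.compile(r"^arn:[a-z-]+:[a-z0-9-]+:[a-z0-9*-]*:(\d{12}|\*)?:.+$")
UNRESOLVED_RE = re.compile(r"\$\{[^}]*\}")  # leftover ${...} from any templating layer

def _policy_documents(template):
    """Yield (logical_id, PolicyDocument) for inline policies on IAM roles and policies."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                yield logical_id, pol.get("PolicyDocument", {})
        elif res.get("Type") == "AWS::IAM::Policy":
            yield logical_id, props.get("PolicyDocument", {})

def find_bad_arns(template):
    """Return [(logical_id, arn, reason)] for Resource ARNs that IAM will reject."""
    findings = []
    for logical_id, doc in _policy_documents(template):
        for stmt in doc.get("Statement", []):
            resources = stmt.get("Resource", [])
            if not isinstance(resources, list):
                resources = [resources]
            for arn in resources:
                # Intrinsic functions (Ref, Fn::GetAtt, Fn::Join) are resolved at deploy time.
                if not isinstance(arn, str) or arn == "*":
                    continue
                if UNRESOLVED_RE.search(arn):
                    findings.append((logical_id, arn, "unresolved ${...} placeholder"))
                elif not ARN_RE.match(arn):
                    findings.append((logical_id, arn, "malformed ARN"))
    return findings
```

To lint the real output, run `serverless package` and call `find_bad_arns(json.load(open(".serverless/cloudformation-template-update-stack.json")))` (with `import json`); an empty list means every inline policy ARN is either fully resolved or built from an intrinsic function.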
