I am trying to modify an example of a lambda function in java using this example:

https://github.com/awsdocs/aws-lambda-developer-guide/tree/main/sample-apps/s3-java

But in the process, I started getting random errors, so I started deleting the stack and leftover resources and trying again with no luck. So I decided to redownload the example, but the errors won't go away.

Even tried aws-nuke, but the following error persists when trying to deploy the example:

{
    "StackId": "arn:aws:cloudformation:us-east-2:XXXXX:stack/s3-java/XXX",
    "EventId": "functionRole-CREATE_FAILED-2021-03-26T22:38:14.278Z",
    "StackName": "s3-java",
    "LogicalResourceId": "functionRole",
    "PhysicalResourceId": "s3-java-functionRole-13JFU76O57RLT",
    "ResourceType": "AWS::IAM::Role",
    "Timestamp": "2021-03-26T22:38:14.278000+00:00",
    "ResourceStatus": "CREATE_FAILED",
    "ResourceStatusReason": "ARN AWSLambdaReadOnlyAccess is not valid. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID:XXXXXXX; Proxy: null)",
    "ResourceProperties": "{\"ManagedPolicyArns\":[\"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\"arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess\",\"AWSLambdaReadOnlyAccess\",\"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole\",\"arn:aws:iam::aws:policy/AmazonS3FullAccess\"],\"AssumeRolePolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"sts:AssumeRole\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"lambda.amazonaws.com\"]}}]},\"Tags\":[{\"Value\":\"SAM\",\"Key\":\"lambda:createdBy\"}]}"
}

When I go to IAM policies, there is no policy called AWSLambdaReadOnlyAccess. How can I fix this?

After March 1, 2021, the AWS managed policies AWSLambdaReadOnlyAccess and AWSLambdaFullAccess will be deprecated and can no longer be attached to new IAM users. For more information about policy deprecations, see Deprecated AWS managed policies in the IAM User Guide. [1]

The Amazon Resource Name for AWSLambda_ReadOnlyAccess is arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess. You must specify the full ARN. Since you are using an AWS::Serverless::Function in your template, placing AWSLambda_ReadOnlyAccess should solve this issue. I don't know if aws-nuke also deletes AWS Managed Policies, but it is something to be cautious of.

[1] https://docs.aws.amazon.com/lambda/latest/dg/security_iam_troubleshoot.html
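A pre-deploy check that would have flagged the failing entry above, added here as an example (it is not part of the question, the answer, or the AWS sample app). It reads the ManagedPolicyArns list out of a CloudFormation stack event, reports any entry that is not a full IAM policy ARN, and maps the deprecated policy names to their current ones; the sample event is constructed to mirror the one in the question, and the AWSLambda_FullAccess replacement name is assumed from the IAM console rather than taken from this page.

```python
import json
import re

# Shape of an IAM managed-policy ARN (partition may be aws, aws-cn, aws-us-gov;
# the account field is "aws" for AWS managed policies or a 12-digit account id).
POLICY_ARN = re.compile(r"^arn:aws[\w-]*:iam::(aws|\d{12}):policy/[\w+=,.@/-]+$")

# Deprecated AWS managed policies and their current names. The first pair is
# from the answer above; the second is assumed from the current policy list.
DEPRECATED = {
    "AWSLambdaReadOnlyAccess": "AWSLambda_ReadOnlyAccess",
    "AWSLambdaFullAccess": "AWSLambda_FullAccess",
}

# Constructed stack event, trimmed to the fields the check needs.
SAMPLE_EVENT = {
    "LogicalResourceId": "functionRole",
    "ResourceType": "AWS::IAM::Role",
    "ResourceStatus": "CREATE_FAILED",
    "ResourceProperties": json.dumps({"ManagedPolicyArns": [
        "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess",
        "AWSLambdaReadOnlyAccess",
        "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    ]}),
}

def corrected_arn(entry: str) -> str:
    """Rewrite a bare or deprecated policy reference as a full, current ARN."""
    name = entry.rsplit("/", 1)[-1]
    name = DEPRECATED.get(name, name)
    if POLICY_ARN.match(entry):
        return entry.rsplit("/", 1)[0] + "/" + name
    return f"arn:aws:iam::aws:policy/{name}"

def check_managed_policies(event: dict) -> list[str]:
    """Return one finding per ManagedPolicyArns entry IAM would reject or that is deprecated."""
    # ResourceProperties is a JSON document embedded as a string in the event.
    props = json.loads(event["ResourceProperties"])
    findings = []
    for entry in props.get("ManagedPolicyArns", []):
        name = entry.rsplit("/", 1)[-1]
        if not POLICY_ARN.match(entry):
            findings.append(f"'{entry}' is not a full policy ARN; use {corrected_arn(entry)}")
        elif name in DEPRECATED:
            findings.append(f"'{entry}' is deprecated; use {corrected_arn(entry)}")
    return findings

if __name__ == "__main__":
    for finding in check_managed_policies(SAMPLE_EVENT):
        print(finding)
```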
