More newbie help needed for "Error: Failed to manage IAM roles!"

[nealmcb]

Context

When I try to use the simple-looking instructions in the README, and deploy, I get

Error: Failed to manage IAM roles!
You may lack the necessary AWS permissions to automatically manage a "Zappa" execution role.

Visiting the listed help page (https://github.com/Miserlou/Zappa#using-custom-aws-iam-roles-and-policies) doesn't help much. It just claims that

By default, the Zappa client will create and manage the necessary IAM policies and roles to execute Zappa applications.

which leaves me very unsure about the AWS setup necessary. I'm not in some corporation that has restrictive policies. But I also I don't have some sort of default AWS user lying around that seems to fit the bill, and I don't see any clear documentation on how to create one. Disclaimer: I started using AWS back in 2007, and some of my configuration may be archaic or confused after years of occasional experiments.

So I'm looking for some sort of easy default user permissions configuration that still doesn't do something rude like give full AWS admin access to zappa or this little test script.

Issue #244 Minimum AWS policies for example looks like an attempt to address this in a more advanced way, and it also leaves me scratching my head. The nicest detailed and spelled-out advice there is from ysong-sc (thanks!): https://github.com/Miserlou/Zappa/issues/244#issuecomment-268492715, but when I do the copy-paste job suggested there, and even after I try to fix some of the customization that isn't mentioned, like changing "[BUCKET-NAME-IN-SETTINGS-JSON]" twice to the value that zappa init gave me, I still get

This policy contains the following error: There are invalid ARNs in the policy. For more information about the IAM policy grammar, see AWS IAM Policies.

The policy I'm trying is pol3.txt

## Your Environment

• Zappa version used: 0.41.2
• Operating System and Python version: Ubuntu Trusty 14.04, Python 3.4.3
• Link to your project (optional):
• Your zappa_settings.py:

{
    "dev": {
        "app_function": "happy_birthday.__hug_wsgi__",
        "aws_region": "us-east-1",
        "profile_name": "zappa",
        "s3_bucket": "zappa-y1015l3dv"
    }
}

[nealmcb]

My security colleagues will shake their heads and sigh, but I just threw caution to the wind and gave my zappa user AdministratorAccess, and got my first zappa deployment up and running (with Hug!).

The good news is that it seems that I can now remove admin permissions and the deployed app continues to work, presumably because there are a few roles like ...ZappaLambdaExecutionRole defined.

I'm still looking for a simple but more restrictive recipe. Or, I guess if admin is what is expected, I'd suggest adding that to the README.

I'm still puzzled about my why my attempts to use that pol3.txt policy from above are failing, and I do recommend fleshing all that out into a more secure/best practices approach.

[dangayle]

I'm in the same exact boat. Gotta get it to work, so I add Admin access and get on with business.

[zaraken]

I've encountered that error as well and here's why. I think you should manually set the IAM role anyways, but setting it revealed what caused the problem for me. Namely, my clock was running 2 hours ahead and the time difference was too big. Setting the correct time solved the problem. I get this time mismatch since I dual boot Windows and Ubuntu and they can't agree on the time.

EDIT: Above is more of a special case that I originally posted. What you are encountering is more of an AWS issue than Zappa issue. Please refer to AWS Docs to see what permissions are required to manage IAM Roles because those might actually change over time. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-users There are two things that you need to manage when working with lambdas.

• The permissions of the user that deploys the lambda (possibly with Zappa but not necessarily) and
• the permissions of the role that a lambda assumes when running.

When deploying with Zappa you use some user to login to AWS, upload the code and configure a few things. One of those things is na IAM role (different from the user that you use to deploy) that the lambda assumes when running. You can create an IAM role with respective permissions specifying what resources a lambda can access and put that role in zappa_settings, or you can let Zappa create one for you, in which case the user you are using to deploy needs permission to create an IAM role. In both cases the deploy user will need a aws:passrole permission to be able to tell the lambda to assume the respective role (either created by you, or by Zappa)

Since it can be a bit overwhelming when you first start with this, you could do the following:

• Create a new basic project
• Deploy once with an admin user. Zappa will create an execution role with some basic permissions for the lambda to run with named ZappaExecutionRole or something similar (find it in the AWS IAM console, copy, rename, study and/or update its permissions if you want)
• You can now specify this ZappaExecutionRole in zappa_settings and Zappa will not need to crate it, hence the deploy user won't need to manage IAM roles.
• Deploy your "real" projects with a user with restricted access from there on.

You can now also update the permission of ZappaExecutionRole manually to add/remove what resources lambdas have access to.

It is very likely that different lambdas will need access to different resources. It then makes sense to have multiple ExecutionRoles defined for each lambda that you run.

[bsamadi]

I have the same problem.

$ zappa deploy dev Calling deploy for stage dev.. Creating lambda-tutorial-dev-ZappaLambdaExecutionRole IAM Role.. Error: Failed to manage IAM roles! You may lack the necessary AWS permissions to automatically manage a Zappa execution role. To fix this, see here: https://github.com/Miserlou/Zappa#using-custom-aws-iam-roles-and-policies

I have given the user the following permissions:

AWSLambdaFullAccess IAMFullAccess AmazonS3FullAccess AmazonDynamoDBFullAccess AdministratorAccess AmazonAPIGatewayAdministrator AmazonAppStreamFullAccess

I haven't seen any description of what permissions are required.

My zappa-settings.json is:

{ "dev": { "app_function": "appname.init.create_app", "aws_region": "us-east-1", "profile_name": "default", "project_name": "development", "runtime": "python3.6", "s3_bucket": "zappa-5qkcme1tu", "extra_permissions": [{ "Effect": "Allow", "Action": ["rekognition:"], "Resource": "" }] } }

[Vijaya-Raghavan]

Calling deploy for stage dev.. Creating *** IAM Role.. Error: Failed to manage IAM roles! You may lack the necessary AWS permissions to automatically manage a Zappa execution role. To fix this, see here: https://github.com/Miserlou/Zappa#using-custom-aws-iam-roles-and-policies

Attached directly AmazonEC2FullAccess AWSLambdaFullAccess IAMFullAccess AmazonS3FullAccess AdministratorAccess AmazonAPIGatewayAdministrator AmazonAppStreamFullAccess

zappa_settings.json

"dev": { "aws_region": "us-east-2", "profile_name": "**", "project_name": "***", "runtime": "python3.6", "s3_bucket": "zappa-gm22vtadn", "debug": true, "log_level": "DEBUG", "parameter_depth": 1, "role_name": "****", "extra_permissions": [{ "Effect": "Allow", "Action": ["rekognition:"], "Resource": "" }] }

I get the same error even after modifying modifying the code with previous comments.

[miguel550]

I have the same issue, after a week did someone fix this?

[lookfwd]

Gave it AdministratorAccess and IAM-related roles and it worked. Definitely not a secure solution. Removed them afterwards.

[jonahx]

I'm looking for a solution to this as well...

[humbleengineer]

I've just used CloudTrail to see which actions were denied, and have managed to deploy using a non-root user by giving them the following still-rather-alarmingly-broad permissions in the IAM Console: AmazonEC2FullAccess IAMSelfManageServiceSpecificCredentials AWSLambdaFullAccess IAMFullAccess AmazonS3FullAccess AmazonAPIGatewayInvokeFullAccess *CloudFormationFullAccess AmazonAPIGatewayAdministrator AWSCloudFormationReadOnlyAccess

CloudFormationFullAccess doesn't seem to exist as a standard AWS policy, probably for good reasons, so I had to create it using the visual editor although I probably could have guessed the resulting JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        }
    ]
}

AWSCloudFormationReadOnlyAccess and AmazonAPIGatewayInvokeFullAccess are probably redundant but it were in there when I ran my deploy so I've left it for completeness. Looking at CloudTrail it looks like AmazonEC2FullAccess is also not needed

[ryanjdillon]

I got the following error when trying to deploy with an existing Role created with CloudFormation

Calling deploy for stage staging..
Creating zappa-permissions policy on my-Role-name IAM Role.
Updating assume role policy on my-Role-name IAM Role.
Error: Failed to manage IAM roles!
You may lack the necessary AWS permissions to automatically manage a Zappa execution role.
To fix this, see here: https://github.com/Miserlou/Zappa#custom-aws-iam-roles-and-policies-for-deployment

Adding the following policy to the profile I was Zappa deploying with did the trick:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:UpdateAssumeRolePolicy",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}

It seems the zappa-permissions policy created is adequate, you just need to have the permissions to update your role. I am guessing it is the first that did it, given the error. I'm going to redo my setup adding UpdateAssumeRolePolicy to my Role.

[SurajB]

I had the same problem.

Error: Failed to manage IAM roles! You may lack the necessary AWS permissions to automatically manage a Zappa execution role. To fix this, see here: https://github.com/Miserlou/Zappa#custom-aws-iam-roles-and-policies-for-deployment

I had everything in place wrt zappa settings but still couldn't find a solution. After a while tried tweaking the name of the project. It was quite long and shortened the project name from "project_name": "scf-payment-gateway-services" to "project_name": "scf-pg-services".

Deployed and it worked!

[ostheperson]

Thread seems old, but, I encountered the same issues and tried the fix zappa recommended and it worked fine.

[souravjamwal77]

Hi @ostheperson, the new aand active repo is here Zappa