aws / aws-cli

Universal Command Line Interface for Amazon Web Services

`aws iam wait role-exists` does not guarantee that it is assumable by Lambda #7700

Open zetaraku opened 1 year ago

zetaraku commented 1 year ago

Describe the bug

I used `aws iam create-role` to create a role for `aws lambda create-function` and found the role is not (yet) assumable. So I used `aws iam wait role-exists` to wait for the role to be created. But even if `aws iam wait role-exists` returns successfully, it cannot be assumed by Lambda instantly. A simple `sleep 5` works for me, but it seems unreliable. This may not be a bug, but we need a way to ensure a role is usable by Lambda.

Expected Behavior

When `aws iam wait role-exists` returns successfully, the role should be assumable.

Current Behavior

Even if `aws iam wait role-exists` returns successfully, the role still cannot be assumed by Lambda, showing the following error:

An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.

Reproduction Steps

  1. Pull the repo, switch to the issue-repro branch, and install the dependencies:

     git clone git@github.com:zetaraku/hello-aws-lambda-zip.git
     cd hello-aws-lambda-zip
     git switch issue-repro
     npm install

  2. Create the role and function:

     npm run init

  3. Before trying again, run the script to delete the created role and function:

     npm run deinit

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2.4.28

Environment details (OS name and version, etc.)

Python/3.8.8 Windows/10 exe/AMD64 prompt/off

aBurmeseDev commented 1 year ago

Hi @zetaraku - thanks for reaching out. It seems like you might have to set the Trust Relationship for the IAM role, unless it's already been set. I wasn't able to reproduce it on my end but I came across these stackoverflow posts that might be helpful to you: here & here.

If the issue persists, please share debug logs by adding `--debug` to the command. I would also try updating your CLI to a recent version, in case it might be a version issue.

Best, John

zetaraku commented 1 year ago

Hi @aBurmeseDev, thanks for the reply!

Yes, it's set during the role creation. (See: aws-iam-create-role.sh and Role-Trust-Policy.json)

I have updated my AWS CLI to 2.10.3 and the issue still persists.

As described in an answer in the link you provided, and another link I found, it seems that this is a race condition and waiting or retrying is the only solution now.

I wonder how other AWS tools deal with this problem.

zetaraku commented 1 year ago

You can try moving the `./aws-iam-create-role.sh` after the `npm run build` in `package.json` for the issue to be likelier to appear.

    "init": "./aws-iam-create-role.sh && npm run build && ./aws-lambda-create-function.sh",

zetaraku commented 1 year ago

It would be great if there's a command like `aws iam wait role-assumable` to ensure the role is assumable.
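Until a waiter like the one wished for above exists, the "waiting or retrying" approach from the earlier comment can be scripted around the CLI call itself. The wrapper below is an added example, not code from the issue or from the aws-cli project. It assumes bash (or a POSIX sh with `local`), and it recognises the propagation race only by the substring `cannot be assumed` taken from the error quoted in the issue; any other failure is surfaced immediately with the command's own exit status so that a genuine trust-policy or permissions error is not masked by endless retries. `fake_lambda_create` is a constructed stand-in for `aws lambda create-function` so the wrapper can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the aws-cli project): run a command and
# retry it with exponential backoff while it fails with the IAM propagation
# error quoted in the issue ("...cannot be assumed by Lambda.").

MAX_ATTEMPTS="${MAX_ATTEMPTS:-8}"   # give up after this many retryable failures
BACKOFF_BASE="${BACKOFF_BASE:-1}"   # first delay in seconds; doubled each retry, capped at 16

# retry_on_propagation CMD ARGS...
# Exit status: 0 on success; the command's own status if it fails for any reason
# other than the propagation race (that stderr is passed through unchanged);
# 1 if the race is still present after MAX_ATTEMPTS attempts. stdout is untouched.
retry_on_propagation() {
  local attempt=1 delay="$BACKOFF_BASE" status errfile
  errfile=$(mktemp) || return 1
  while :; do
    if "$@" 2>"$errfile"; then
      rm -f "$errfile"
      return 0
    else
      status=$?
    fi
    if ! grep -q 'cannot be assumed' "$errfile"; then
      cat "$errfile" >&2          # a real error, not the race: do not mask it
      rm -f "$errfile"
      return "$status"
    fi
    if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
      cat "$errfile" >&2
      rm -f "$errfile"
      return 1
    fi
    echo "attempt $attempt: role not yet assumable, retrying in ${delay}s" >&2
    sleep "$delay"
    attempt=$((attempt + 1))
    delay=$((delay * 2))
    if [ "$delay" -gt 16 ]; then delay=16; fi
  done
}

# Real usage (ROLE_ARN and function.zip are placeholders for your own values):
#   retry_on_propagation aws lambda create-function --function-name hello \
#       --runtime nodejs18.x --role "$ROLE_ARN" --handler index.handler \
#       --zip-file fileb://function.zip

# Constructed stand-in for `aws lambda create-function` so the wrapper can be
# exercised offline: fails with the issue's error twice, then succeeds.
FAKE_CALLS=0
fake_lambda_create() {
  FAKE_CALLS=$((FAKE_CALLS + 1))
  if [ "$FAKE_CALLS" -lt 3 ]; then
    echo 'An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.' >&2
    return 254
  fi
  echo '{"FunctionName": "hello"}'
}

# Offline demonstration: two retries, then success (delays are zero here).
demo_retry() {
  FAKE_CALLS=0
  BACKOFF_BASE=0
  retry_on_propagation fake_lambda_create
}

demo_retry
```

The substring match is deliberately loose so the same wrapper covers the Step Functions variant of the message mentioned later in the thread; tighten it to the exact text of the error you see if your pipeline runs commands whose other failures could contain those words. Keep `MAX_ATTEMPTS` small enough that a role that will never become assumable (a wrong trust policy) fails the deployment within a minute or two rather than hanging.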

yang-feng-yfeng commented 1 year ago

Morning! I have the same problem here when I create a role to be assumable by Step-Function. Is there any workaround here other than just waiting?