silvermine / serverless-plugin-cloudfront-lambda-edge

Adds Lambda@Edge support to Serverless
MIT License
296 stars 41 forks

The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals #63

Closed pauloapi closed 3 years ago

pauloapi commented 3 years ago
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service cloudfront-handler.zip file to S3 (839 B)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
........
Serverless: Stack update finished...
Service Information
service: cloudfront-handler
stage: dev
region: us-east-1
stack: cloudfront-handler-dev
resources: 6
api keys:
  None
endpoints:
  None
functions:
  modify-response-header: cloudfront-handler-dev-modify-response-header
layers:
  None
arn:aws:lambda:us-east-1:XXXXXXXXXX:function:cloudfront-handler-dev-modify-response-header:3 is associating to XXXXXX CloudFront Distribution. waiting for deployed status.
{ ServerlessError: The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::XXXXXXXXXX:role/cloudfront-handler-dev-us-east-1-lambdaRole
    at promise.catch.err (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:326:27)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  code: undefined,
  providerError:
   { InvalidLambdaFunctionAssociation: The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::XXXXXXXXXX:role/cloudfront-handler-dev-us-east-1-lambdaRole
       at Request.extractError (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/protocol/rest_xml.js:53:29)
       at Request.callListeners (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
       at Request.emit (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
       at Request.emit (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:688:14)
       at Request.transition (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
       at AcceptorStateMachine.runTo (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
       at /home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:26:10
       at Request.<anonymous> (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:38:9)
       at Request.<anonymous> (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:690:12)
       at Request.callListeners (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
       at Request.emit (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
       at Request.emit (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:688:14)
       at Request.transition (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
       at AcceptorStateMachine.runTo (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
       at /home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:26:10
       at Request.<anonymous> (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:38:9)
       at Request.<anonymous> (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:690:12)
       at Request.callListeners (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
       at callNextListener (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
       at IncomingMessage.onEnd (/home/user/.nvm/versions/node/v10.21.0/lib/node_modules/serverless/node_modules/aws-sdk/lib/event_listeners.js:307:13)
       at IncomingMessage.emit (events.js:203:15)
       at IncomingMessage.EventEmitter.emit (domain.js:448:20)
       at endReadableNT (_stream_readable.js:1145:12)
       at process._tickCallback (internal/process/next_tick.js:63:19)
     message:
      'The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::XXXXXXXXXX:role/cloudfront-handler-dev-us-east-1-lambdaRole',
     code: 'InvalidLambdaFunctionAssociation',
     time: 2021-02-02T07:44:57.603Z,
     requestId: '017e557e-def9-4941-ba87-6f46ab001c3f',
     statusCode: 400,
     retryable: false,
     retryDelay: 47.78950550349599 } }

  Serverless Error ---------------------------------------

  The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::XXXXXXXXXX:role/cloudfront-handler-dev-us-east-1-lambdaRole

  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com

  Your Environment Information ---------------------------
     Operating System:          linux
     Node Version:              10.21.0
     Framework Version:         1.74.1
     Plugin Version:            3.6.14
     SDK Version:               2.3.1
     Components Version:        2.31.7
pauloapi commented 3 years ago

Fixed it by adding a custom Lambda role:

functions:
  modify-response-header:
    # Logical ID of the custom role declared under resources. This overrides the
    # framework's generated role, whose trust policy names lambda.amazonaws.com only.
    role: CloudFrontResponseHandlerRole
    handler: index.handler
    events:
      - preExistingCloudFront:
          distributionId: XXXXXX
          eventType: origin-response
          pathPattern: "*"

resources:
  Resources:
    CloudFrontResponseHandlerRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /
        RoleName: cloudfront-response-handler-${self:provider.stage}-role
        # CloudFront replicates the function to edge regions, so the role must be
        # assumable by both the Lambda and the Lambda@Edge service principals;
        # this is exactly the InvalidLambdaFunctionAssociation check above.
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
                  - edgelambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: cloudfront-response-handler-${self:provider.stage}-policy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # Lambda@Edge writes its logs in whichever region served the request
                # (log group /aws/lambda/us-east-1.<function-name> in that region), so
                # the region field must be a wildcard rather than AWS::Region; pinning
                # it to us-east-1 silently drops logs from every other edge region.
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                        - ':'
                        - - 'arn:aws:logs'
                          - '*'
                          - Ref: 'AWS::AccountId'
                          - 'log-group:/aws/lambda/*:*:*'
                # Only needed for VPC-attached functions. Lambda@Edge functions cannot
                # be attached to a VPC, so this statement grants nothing the function
                # uses and can be removed to keep the role least-privilege.
                - Effect: Allow
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                    - ec2:DetachNetworkInterface
                    - ec2:DeleteNetworkInterface
                  Resource: "*"
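As an added example (not code from the plugin or from either comment above): a pre-deploy check for the error reported at the top of this issue. It evaluates a role's trust policy offline, reports which of the two service principals the role is missing, and returns a repaired document that appends only the missing trust. The sample policy mirrors the default role the framework generates and is constructed for this example; the role name is the placeholder from the issue; and the boto3 call that would push the repaired document to IAM is an assumption about how you would apply it and is not exercised here.

```python
"""Offline check and repair of a Lambda execution role's trust policy for Lambda@Edge.

Added example, not part of serverless-plugin-cloudfront-lambda-edge or of the
issue above. DEFAULT_TRUST_POLICY is a constructed sample mirroring the role the
framework generates by default; the role name at the bottom is a placeholder.
"""
import copy
import json

# Both service principals CloudFront requires before it will associate a function.
REQUIRED_PRINCIPALS = ("lambda.amazonaws.com", "edgelambda.amazonaws.com")

# Constructed sample: the framework's generated role trusts only the Lambda service.
DEFAULT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a scalar or a list for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(policy):
    """Service principals granted sts:AssumeRole by unconditional Allow statements.

    A statement carrying a Condition is counted as not satisfying the check (the
    conservative reading, since this script cannot evaluate the condition
    offline), and non-service principals ("*" or account ARNs) are ignored
    because they are not the service trust the association check is looking for.
    """
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def missing_principals(policy):
    """The required principals the role does not yet trust, in a stable order."""
    present = trusted_services(policy)
    return [p for p in REQUIRED_PRINCIPALS if p not in present]


def with_edge_principals(policy):
    """Return a copy of the policy that trusts both principals.

    Existing statements are left untouched (any Deny stays in force); one extra
    Allow statement is appended naming only the principals that were missing.
    """
    fixed = copy.deepcopy(policy)
    missing = missing_principals(policy)
    if missing:
        fixed["Statement"] = _as_list(fixed.get("Statement")) + [
            {
                "Effect": "Allow",
                "Principal": {"Service": missing},
                "Action": "sts:AssumeRole",
            }
        ]
    return fixed


def push_to_iam(role_name, policy):
    """Apply the repaired document with boto3. Assumption: boto3 is installed and
    the caller holds iam:UpdateAssumeRolePolicy. Not called by the check below."""
    import boto3

    iam = boto3.client("iam")
    iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    role = "cloudfront-handler-dev-us-east-1-lambdaRole"  # placeholder from the issue
    missing = missing_principals(DEFAULT_TRUST_POLICY)
    print(f"{role}: missing {missing or 'nothing'}")
    print(json.dumps(with_edge_principals(DEFAULT_TRUST_POLICY), indent=2))
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field, URL-decoded) before `sls deploy`, and the association step fails locally instead of after the stack update has already gone through.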