Zappa requires ec2:Describe* permissions all of a sudden

Question

Zappa requires ec2:Describe* permissions all of a sudden

Opened this issue 4 years ago · 0 comments

Starting some time tonight (ie. 10.08. to 11.08.) our automated Zappa deployment started failing with the following message:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the UpdateFunctionConfiguration operation:
Your access has been denied by EC2, please make sure your request credentials have permission to DescribeSecurityGroups for sg-1111111.
EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.

which we could "fix" by allowing ec2:Describe* (DescribeSecurityGroups itself was not enough, it kept asking for more and more things) for the user that drives the deploys.

It would be very interesting to understand why this happens (and why it wasn't needed before) though. The Lambdas we deploy using Zappa are in a VPC and talk to a RDS instance, we are using Zappa 0.51.0. No change to our codebase has been introduced that could possibly cause this.

Is there any reason this happens?