Allow adding permission directly to the execution role
Ikana opened this issue · 1 comments
Ikana commented
Describe the Feature
There should be some variable to add permissions here.
Expected Behavior
I would expect to add permissions to the role.
Use Case
When trying to create the lambda on a VPC the following error happens:
The provided execution role does not have permissions to call CreateNetworkInterface on EC2
Attaching another policy to the lambda does not work since the attachment happens once we have created the lambda, and we need the CreateNetworkInterface at creation time.
Describe Ideal Solution
Some variable, to add permissions directly.
Alternatives Considered
Tried creating a policy and attaching it directly.
Additional Context
jamengual commented
Did you pass a vpc config?
resource "aws_iam_role_policy_attachment" "vpc_access" {
  count      = local.enabled && var.vpc_config == null ? 1 : 0
  policy_arn = "arn:${local.partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  role       = aws_iam_role.this[0].name
}
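The ordering problem described in the issue, as an added example that is not part of the thread or the module's own code: the VPC access policy is attached to the execution role and the function is made to wait for that attachment with `depends_on`. All resource names, the two variables and the `lambda.zip` package are hypothetical.

```hcl
# Added example; example_* names, the variables and lambda.zip are assumptions.
variable "subnet_ids" { type = list(string) }
variable "security_group_ids" { type = list(string) }

data "aws_partition" "current" {}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "example_exec" {
  name               = "example-lambda-exec"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# AWS managed policy covering the ENI actions (including
# ec2:CreateNetworkInterface) and CloudWatch Logs writes.
resource "aws_iam_role_policy_attachment" "example_vpc_access" {
  role       = aws_iam_role.example_exec.name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "example" {
  function_name = "example-vpc-function"
  role          = aws_iam_role.example_exec.arn
  filename      = "lambda.zip" # placeholder deployment package
  handler       = "index.handler"
  runtime       = "python3.12"

  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = var.security_group_ids
  }

  # The function only references the role, so without this Terraform may
  # create it before the attachment exists and the ENI permission check fails.
  depends_on = [aws_iam_role_policy_attachment.example_vpc_access]
}
```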