Published: Fri 09 March 2018
By João Neves
In python.
tags: zappa aws iam
You did a zappa deploy and it failed with "An error occurred (ValidationException) when calling the PutRule operation: Provided role <your lambda role> cannot be assumed by principal 'events.amazonaws.com'"?
You tried to create a lambda with a new handmade role, only to be greeted by this cryptic error message. Or you tried to use an already existing role with lambda.
Translating the message: the role's trust relationship doesn't authorize the AWS services involved (lambda and, as named in the error, events.amazonaws.com) to assume the role, so lambdas can't use it. So, how do we add that authorization?
Go to https://console.aws.amazon.com/iam/
Click roles on the left.
Click the role you want to use for lambda.
Click the tab trust relationships.
Click the button Edit trust relationship.
If this role is only to be used by lambda, you can just replace the policy with:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.amazonaws.com",
          "lambda.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If not, just make sure you add to the Statement list the statement:
{
  "Sid": "",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "apigateway.amazonaws.com",
      "lambda.amazonaws.com",
      "events.amazonaws.com"
    ]
  },
  "Action": "sts:AssumeRole"
}
Click Update trust policy.
In the end you should see something like this (screenshot in the original post).
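The "add to the Statement list" case can also be done in code. This is an added example, not part of the original post: it reports which of the post's three service principals an existing trust policy lacks and appends one statement for them without touching what is already trusted. The function names and the sample policy are constructed for illustration.

```python
import copy
import json

# Service principals from the trust policy in this post.
REQUIRED = ("apigateway.amazonaws.com", "lambda.amazonaws.com", "events.amazonaws.com")

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(policy):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and Principal "*" name no service
        if "sts:AssumeRole" in _as_list(stmt.get("Action")):
            found.update(_as_list(principal.get("Service")))
    return found

def add_missing_services(policy, required=REQUIRED):
    """Return (updated_copy, missing); existing statements are left untouched."""
    missing = sorted(set(required) - trusted_services(policy))
    updated = copy.deepcopy(policy)
    if missing:
        updated["Statement"] = _as_list(updated.get("Statement")) + [{
            "Effect": "Allow",
            "Principal": {"Service": missing},
            "Action": "sts:AssumeRole",
        }]
    return updated, missing

# Constructed sample: a role already trusted by EC2 and Lambda (single-object Statement).
EXISTING = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", "lambda.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    },
}

if __name__ == "__main__":
    updated, missing = add_missing_services(EXISTING)
    print("missing:", missing)
    print(json.dumps(updated, indent=2))
```

To apply the result with boto3, pass `json.dumps(updated)` as `PolicyDocument` to the IAM client's `update_assume_role_policy` call for the role.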