
(@aws-cdk/aws-cloudfront): lambda@edge function execution role is missing service principal 'edgelambda.amazonaws.com'

See original GitHub issue

When creating a web distribution with a Lambda@Edge function, the created service role does not allow the “edgelambda.amazonaws.com” service principal to assume the role. When deploying the stack, it fails with the following error message:

The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::1111111111111:role/edge-lambda-stack-eu-cen

I did create the stack in eu-central-1, as this is my default region. As the Lambda@Edge function needs to be created in us-east-1, the CDK automatically synthesises my construct into two stacks. Because of that, I wasn’t able to just add the correct policy to the service role by calling edgeAuthorizerHandler.addToRolePolicy(...), as this would lead to the following error message:

Resolution error: Cannot use resource 'WebAppStack/edgeAuthorizerExecutionRole-1' in a cross-environment fashion

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import * as cloudfront from '@aws-cdk/aws-cloudfront';
import * as origins from '@aws-cdk/aws-cloudfront-origins';
import * as lambda from '@aws-cdk/aws-lambda';

import { Bucket } from '@aws-cdk/aws-s3';
import { Certificate } from '@aws-cdk/aws-certificatemanager';

export class WebAppStack extends cdk.Stack {
  // CloudFront requires the certificate to live in us-east-1 (placeholder ARN).
  static readonly certificateArn = 'arn:aws:acm:us-east-1:11111111111:certificate/ddddd-ddddd-ddddd-dddd-dddd';

  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Existing origin bucket, imported by ARN rather than created here.
    const bucket = Bucket.fromBucketAttributes(this, 'MySrcBucket', {
      bucketArn: 'arn:aws:s3:::bucket-name',
    });

    const certificateArn = WebAppStack.certificateArn;
    const certificate = Certificate.fromCertificateArn(this, 'WebCertificate', certificateArn);

    // EdgeFunction is synthesised into a separate us-east-1 support stack when the
    // parent stack is in another region; its execution role is created there too.
    const edgeAuthorizerHandler = new cloudfront.experimental.EdgeFunction(this, 'EdgeAuthorizer', {
      runtime: lambda.Runtime.NODEJS_12_X,
      handler: 'edge-authorizer.handler',
      code: lambda.Code.fromAsset('lambda'),
    });

    const distribution = new cloudfront.Distribution(this, 'WebDistribution', {
      certificate: certificate,
      domainNames: [ 'example.com' ],
      defaultBehavior: {
        origin: new origins.S3Origin(bucket),
        // Attach the published version as a viewer-request Lambda@Edge handler.
        edgeLambdas: [
          {
            functionVersion: edgeAuthorizerHandler.currentVersion,
            eventType: cloudfront.LambdaEdgeEventType.VIEWER_REQUEST,
          }
        ],
      },
    });
  }
}

What did you expect to happen?

The EdgeAuthorizerHandler service role is created with both service principals.

"EdgeAuthorizerServiceRole5D663D2D": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "edgelambda.amazonaws.com"
            ]
          }
        }
      ],
      "Version": "2012-10-17"
    },
    ...
},

What actually happened?

"EdgeAuthorizerServiceRole5D663D2D": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }
      ],
      "Version": "2012-10-17"
    },
    ...
},

Note: When manually editing the trust relationship of the role in the AWS console, the stack deploys successfully.

Environment

  • CDK CLI Version : 1.84.0 (build 866c8dc)
  • Framework Version:
  • Node.js Version: v12.19.0
  • OS : MacOS 10.14.6
  • Language (Version): Typescript 4.1.3

Other


This is 🐛 Bug Report
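The error in this report is purely a trust-policy problem: the execution role in the synthesized template names only lambda.amazonaws.com as an assumable service principal, and Lambda@Edge replication requires edgelambda.amazonaws.com as well. The check below is an added example, not code from the issue or from the CDK project. It scans a synthesized CloudFormation template (the kind of JSON cdk synth writes under cdk.out) for IAM roles that look like Lambda execution roles but lack the edge principal, and produces a corrected copy of such a role. The template, resource names and the heuristic "trusts lambda.amazonaws.com, so it is a Lambda execution role" are assumptions made for the example; the role body is the one the issue shows being synthesized.

```typescript
// Added example (not from the issue or the CDK project): find Lambda execution
// roles in a synthesized template that trust lambda.amazonaws.com but not
// edgelambda.amazonaws.com, and return a fixed copy of the role.
type Services = string | string[] | undefined;

interface TrustStatement {
  Effect: string;
  Action: string | string[];
  Principal?: { Service?: Services; AWS?: Services };
}
interface IamRole {
  Type: "AWS::IAM::Role";
  Properties: { AssumeRolePolicyDocument: { Version: string; Statement: TrustStatement[] }; [extra: string]: unknown };
}
interface Template {
  Resources: { [logicalId: string]: { Type: string; Properties?: unknown } };
}

const LAMBDA = "lambda.amazonaws.com";
const EDGE_LAMBDA = "edgelambda.amazonaws.com";

function toList(v: Services): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}
function isIamRole(r: { Type: string }): r is IamRole {
  return r.Type === "AWS::IAM::Role";
}

// Service principals that some Allow statement lets call sts:AssumeRole on the role.
function trustedServices(role: IamRole): string[] {
  const out: string[] = [];
  for (const st of role.Properties.AssumeRolePolicyDocument.Statement) {
    if (st.Effect !== "Allow" || toList(st.Action).indexOf("sts:AssumeRole") === -1) continue;
    for (const svc of toList(st.Principal ? st.Principal.Service : undefined)) {
      if (out.indexOf(svc) === -1) out.push(svc);
    }
  }
  return out;
}

// Logical id -> missing principals, for every role that trusts lambda.amazonaws.com
// (assumed here to mark a Lambda execution role) but not edgelambda.amazonaws.com.
// Roles that are not Lambda execution roles are left alone.
function findEdgeTrustGaps(t: Template): { [logicalId: string]: string[] } {
  const gaps: { [logicalId: string]: string[] } = {};
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    if (!isIamRole(res)) continue;
    const trusted = trustedServices(res);
    if (trusted.indexOf(LAMBDA) !== -1 && trusted.indexOf(EDGE_LAMBDA) === -1) gaps[id] = [EDGE_LAMBDA];
  }
  return gaps;
}

// Deep copy of the role with edgelambda.amazonaws.com added to every Allow
// statement that already names lambda.amazonaws.com (array form, as in the
// expected template); the input object is not modified.
function withEdgePrincipal(role: IamRole): IamRole {
  const copy: IamRole = JSON.parse(JSON.stringify(role));
  for (const st of copy.Properties.AssumeRolePolicyDocument.Statement) {
    const services = toList(st.Principal ? st.Principal.Service : undefined);
    if (st.Effect === "Allow" && services.indexOf(LAMBDA) !== -1 && services.indexOf(EDGE_LAMBDA) === -1) {
      st.Principal = { ...st.Principal, Service: services.concat(EDGE_LAMBDA) };
    }
  }
  return copy;
}

// Constructed sample: the role exactly as the issue reports it was synthesized,
// plus an unrelated role (made up for the example) that must not be flagged.
const SAMPLE_ROLE: IamRole = {
  Type: "AWS::IAM::Role",
  Properties: {
    AssumeRolePolicyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "sts:AssumeRole", Effect: "Allow", Principal: { Service: LAMBDA } }],
    },
  },
};
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    EdgeAuthorizerServiceRole5D663D2D: SAMPLE_ROLE,
    PipelineRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{ Action: "sts:AssumeRole", Effect: "Allow", Principal: { Service: "codepipeline.amazonaws.com" } }],
        },
      },
    },
  },
};

console.log(findEdgeTrustGaps(SAMPLE_TEMPLATE));
// { EdgeAuthorizerServiceRole5D663D2D: [ 'edgelambda.amazonaws.com' ] }
```

Run it against the us-east-1 support stack's template after cdk synth; a non-empty result means the deploy will fail with exactly the "must be assumable with edgelambda.amazonaws.com" error quoted above. Treat the patched role as a diagnostic rather than a fix: the next synth regenerates the template, so the durable change is to give the function an explicitly created iam.Role whose assumedBy is an iam.CompositePrincipal of the two iam.ServicePrincipals (or, as this thread ended, to reinstall dependencies so the current EdgeFunction construct is actually the one being synthesized).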

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:10 (5 by maintainers)

Top GitHub Comments

4 reactions
njlynch commented, Jan 14, 2021

Must’ve been random solar flares. 🤷 Glad it’s working now!

2 reactions
Jeansse commented, Jan 14, 2021

@robertd Makes sense. Thanks for the input. I always hesitate to delete package-lock.json, however in this case I guess this would have helped.
