AWS Lambda: Cross-account pass role is not allowed.

aws, Uncategorized 1 Minute

Today I came across the following exception while working with the AWS SDK for Amazon Lambda:

com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: xxx)

At first I was a bit puzzled where this exception might come from; but when I found out what the problem was, it seemed to be pretty obvious:

I tried to upload a lambda function to one AWS account while specifying an execution role that belonged to another AWS account.

So that could easily be fixed by providing a role belonging to the correct account!

Alternatively, this error might also occur when you deploy a lambda function which has references to another cross-account role in the template.yaml file (as mentioned by Steven T in the comments below)

UPDATE

As mentioned in the comments by rjhintz, if you require to use the role from another user, you can do so by modifying the policy for the role as follows:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "arn:aws:iam::123456789012:user/user1",
               "arn:aws:iam::123456789012:user/user2"
            ],
            "Service":"ec2.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

Published by Max Rohde

Published

6 thoughts on “AWS Lambda: Cross-account pass role is not allowed.

  1. I wonder if you could still use the other account if you explicitly added a trust relationship to the account/user in the role’s IAM trust policy.

    Reply

    1. That’s a good point! Have you tried it?

      That would probably mean to add something like the following to the policy?

      {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::AWS account ID that contains the role:role/role name"
      }

      Reply

  2. In IAM for a role, under Trust Relationship, you could try adding something like this for each user who will call the function, substituting the account number(s), user name(s), and service name(s)


    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Principal": {
    "AWS": [
    "arn:aws:iam::123456789012:user/user1",
    "arn:aws:iam::123456789012:user/user2"
    ],
    "Service": "ec2.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
    }
    ]
    }

    Haven’t tried it for anything but the single account case calling from Python. The EC2 service parameter is left over from the earlier state of the trust relationship file before I added the AWS user ARNs. No wildcard for users.

    Reply

  3. Hi Max,
    I’ve come across this issue today, turns out the issue was related to attempting to deploy a lambda function, which had references to another cross-account role in the template.yaml file. I was using this role to specifically allow Lambda function accesses to backend services.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s