AWS Lambda: Cross-account pass role is not allowed.

Today I came across the following exception while working with the AWS SDK for Amazon Lambda:

com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: xxx)

At first I was a bit puzzled where this exception might come from; but when I found out what the problem was, it seemed to be pretty obvious:

I tried to upload a service to one AWS account while specifying an execution role that belonged to another AWS account.

So that could easily be fixed by providing a role belonging to the correct account!

UPDATE

As mentioned in the comments by rjhintz, if you require the to use the role from another user, you can do so by modifying the policy for the role as follows:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "arn:aws:iam::123456789012:user/user1",
               "arn:aws:iam::123456789012:user/user2"
            ],
            "Service":"ec2.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

4 thoughts on “AWS Lambda: Cross-account pass role is not allowed.

  1. I wonder if you could still use the other account if you explicitly added a trust relationship to the account/user in the role’s IAM trust policy.

    1. That’s a good point! Have you tried it?

      That would probably mean to add something like the following to the policy?

      {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::AWS account ID that contains the role:role/role name"
      }

  2. In IAM for a role, under Trust Relationship, you could try adding something like this for each user who will call the function, substituting the account number(s), user name(s), and service name(s)


    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Principal": {
    "AWS": [
    "arn:aws:iam::123456789012:user/user1",
    "arn:aws:iam::123456789012:user/user2"
    ],
    "Service": "ec2.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
    }
    ]
    }

    Haven’t tried it for anything but the single account case calling from Python. The EC2 service parameter is left over from the earlier state of the trust relationship file before I added the AWS user ARNs. No wildcard for users.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s