如何在 VPC 中为 AWS Lambda 设置 IAM 策略以解决错误 "You are not authorized to perform: CreateNetworkInterface."

How to setup IAM policy for AWS Lambda in VPC to resolve error "You are not authorized to perform: CreateNetworkInterface."

我正在尝试设置我的 Lambda 以在其中一个 EC2 instances in VPC 上访问我的 Mongo server。选择所有 subnetssecurity groups 后,保存时出现以下错误 “您无权执行:CreateNetworkInterface。

我相信,我需要在 AWS IAM 中设置某种策略来允许这样做。

I have "AdministratorAccess" and I am trying to add IAM role to my account.

有人知道policy/role我需要什么吗?

明白了!!!如果错误消息显示 "This Lambda function is not authorized to perform: CreateNetworkInterface",那么需要使用适当的策略修改 Lambda 角色会更有意义。 通过将策略添加到 Lambda 使用的角色来解决问题:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "autoscaling:CompleteLifecycleAction"
            ]
        }
        ]
}

有必要为 lambda 提供策略操作:

NetworkLambdaRole:
 Type: "AWS::IAM::Role"
 Properties:
   RoleName: "Network-Lambda-Role"
   AssumeRolePolicyDocument:
     Version: '2012-10-17'
     Statement:
     -
       Effect: "Allow"
       Principal:
         Service:
         - "lambda.amazonaws.com"
       Action:
       - "sts:AssumeRole"
   Policies:
   - PolicyName: "network-lambda-role-policy"
     PolicyDocument:
       Version: '2012-10-17'
       Statement:
       - Effect: "Allow"
         Action: [
           "ec2:DescribeInstances",
           "ec2:CreateNetworkInterface",
           "ec2:AttachNetworkInterface",
           "ec2:DescribeNetworkInterfaces",
           "ec2:DeleteNetworkInterface"
         ]
         Resource: "*"

注意:blueskin 的回答缺少政策 ec2:DeleteNetworkInterfaces