Can't fix "The provided execution role does not have permissions to call CreateNetworkInterface on EC2"

Jay*_*ard 14 amazon-ec2 amazon-web-services aws-cloudformation aws-lambda

I tried the solution from this answer, but it did not work for me. I get the error:

The provided execution role does not have permissions to call CreateNetworkInterface on EC2 (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4c8d047c-2710-4334-86cd-51b7467c6f08)

Here is the CloudFormation related to the error:

  EventLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub ${DeveloperPrefix}event-lambda-${Environment}-${DeployPhase}
      Handler: EventHandler
      Runtime: java8
      Code:
        S3Bucket: !Ref SharedBucketName
        S3Key: !Sub ${WorkspacePrefix}/event-subscriber-${AppVersion}.jar
        S3ObjectVersion: !Ref EventLambdaS3Version
      Role: !GetAtt EventLambdaRole.Arn
      Environment:
        Variables:
          retry_event_table_name: !Sub "${DeveloperPrefix}${AppName}-${RetryEventTableName}-${Environment}-${DeployPhase}"
          test_enabled: true # TODO: Remove once endpoint provided.
      VpcConfig:
        SecurityGroupIds:
          - !Ref LambdaSecurityGroup
        SubnetIds:
          - Fn::ImportValue: !Sub ${VPCStackName}-SubnetPrivateL
          - Fn::ImportValue: !Sub ${VPCStackName}-SubnetPrivateR
      Timeout: 28
      MemorySize: 256

  EventLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${DeveloperPrefix}${AppName}-${Environment}-${DeployPhase}-EventLambdaRole
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: !Sub ${DeveloperPrefix}${AppName}-${Environment}-${DeployPhase}-EventLambdaPolicy
          PolicyDocument:
            Statement:
              - Sid: DynamoDbPermissions
                Effect: Allow
                Action:
                  - dynamodb:PutItem
                Resource: !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${DeveloperPrefix}${AppName}-EventRetry-${Environment}-${DeployPhase}'
              - Sid: LambdaVPCPermissions
                Effect: Allow
                Action:
                  - ec2:AttachNetworkInterface
                  - ec2:CreateNetworkInterface
                  - ec2:CreateNetworkInterfacePermission
                  - ec2:DeleteNetworkInterface
                  - ec2:DeleteNetworkInterfacePermission
                  - ec2:DescribeDhcpOptions
                  - ec2:DescribeNetworkInterfaces
                  - ec2:DescribeNetworkInterfacePermissions
                  - ec2:DescribeSubnets
                  - ec2:DescribeVpcs
                  - ec2:DescribeInstances
                Resource: '*'

I have searched for an answer to this problem and tried several of the suggestions I found, to no avail. What obvious mistake am I making? I worry that I can't see the forest for the trees at this point.

Apo*_*eus 40

Since the lambda runs in a VPC, you can use AWSLambdaVPCAccessExecutionRole instead of AWSLambdaBasicExecutionRole. Ideally it should be the same as what you have. One advantage from a DevOps perspective is less maintenance work.
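As an added example (not code from the question or the answer), the pre-flight check below lints a role's policy documents for the ENI actions a VPC-attached Lambda needs, so a missing grant is caught before CloudFormation reports the CreateNetworkInterface error. The set of required actions is an assumption based on what AWSLambdaVPCAccessExecutionRole grants; the policy documents are constructed to mirror the question's inline LambdaVPCPermissions statement and a Logs-only basic execution policy.

```python
import fnmatch

# ENI actions a Lambda function needs when attached to a VPC (assumption:
# this is the core of what AWSLambdaVPCAccessExecutionRole grants).
LAMBDA_VPC_ENI_ACTIONS = {
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
}


def _allow_patterns(statements):
    """Collect Action patterns from Allow statements (Action may be a string or a list)."""
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def missing_eni_actions(policy_documents, required=LAMBDA_VPC_ENI_ACTIONS):
    """Return the required actions that no Allow statement covers, sorted.

    IAM action matching is case-insensitive and supports '*' and '?' wildcards,
    so 'ec2:*' or 'ec2:Describe*' count as a match. Deny statements, Resource
    and Condition are ignored: this is a lint, not a full policy evaluation.
    """
    patterns = [p.lower() for doc in policy_documents
                for p in _allow_patterns(doc.get("Statement", []))]
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))


# Constructed: the LambdaVPCPermissions inline statement from the question.
INLINE_VPC_POLICY = {"Statement": [{
    "Sid": "LambdaVPCPermissions", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:AttachNetworkInterface", "ec2:CreateNetworkInterface",
               "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface",
               "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeDhcpOptions",
               "ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfacePermissions",
               "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeInstances"]}]}

# Constructed stand-in for a basic execution role: CloudWatch Logs only, no ec2 actions.
BASIC_EXECUTION_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]}]}

if __name__ == "__main__":
    print("basic only, missing:", missing_eni_actions([BASIC_EXECUTION_POLICY]))
    print("basic + inline, missing:", missing_eni_actions([BASIC_EXECUTION_POLICY, INLINE_VPC_POLICY]))
```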