How do I resolve the "Lambda could not update the function's execution role" error when attaching RDS Proxy to a Lambda function?

Last updated: 2020-10-21

I get a "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to an AWS Lambda function. How do I fix the error?

Short description

The "Lambda could not update the function's execution role" error can occur for three reasons:

  • The Lambda execution role has more than one trusted entity associated with it.
  • The Lambda function's execution role has 10 policies attached to it.
  • The logged-in AWS Identity and Access Management (IAM) user doesn't have the "CreatePolicy" and "AttachRolePolicy" permissions.

Resolution

The Lambda execution role has more than one trusted entity associated with it

Verify that only the Lambda service (lambda.amazonaws.com) can assume the Lambda function's execution role.

Note: To have the same role assumed by other services, create a new role and configure those services as its trusted entities.

The Lambda function's execution role has 10 policies attached to it

Create a single, custom policy to replace the existing ones.

Note: If the execution role has 10 policies attached, the Lambda function can't create and attach the required RDS Proxy policy to the role.

Sample RDS Proxy policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "Proxy ARN"
        }
    ]
}
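
The first two causes can be checked before you attach the proxy. The following is an added example, not AWS code: it inspects a role's trust policy and attached-policy list in the JSON shape printed by "aws iam get-role" and "aws iam list-attached-role-policies". The function names and the sample role data are constructed for illustration.

```python
# Added example (not AWS code). Inputs mirror the JSON printed by
#   aws iam get-role --role-name <role-name>                    -> Role.AssumeRolePolicyDocument
#   aws iam list-attached-role-policies --role-name <role-name> -> AttachedPolicies
LAMBDA = "Service:lambda.amazonaws.com"
POLICY_LIMIT = 10  # the count the article says blocks the RDS Proxy policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_entities(trust_policy):
    """Return every principal that an Allow statement lets assume the role."""
    entities = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*"
            entities.add(principal)
            continue
        for kind, values in principal.items():  # Service / AWS / Federated
            entities.update(f"{kind}:{v}" for v in _as_list(values))
    return entities


def preflight(trust_policy, attached_policies):
    """Return a list of findings; an empty list means neither cause applies."""
    findings = []
    entities = trusted_entities(trust_policy)
    if LAMBDA not in entities:
        findings.append("lambda.amazonaws.com is not a trusted entity")
    extra = sorted(entities - {LAMBDA})
    if extra:
        findings.append("extra trusted entities: " + ", ".join(extra))
    if len(attached_policies) >= POLICY_LIMIT:
        findings.append(f"{len(attached_policies)} policies attached, no room for the RDS Proxy policy")
    return findings


# Constructed sample data: a role trusted by two services with 10 policies attached.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["lambda.amazonaws.com", "ec2.amazonaws.com"]}}]}
SAMPLE_ATTACHED = [{"PolicyName": f"example-policy-{i}"} for i in range(10)]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_TRUST, SAMPLE_ATTACHED):
        print("FAIL:", finding)
```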

The logged-in IAM user doesn't have the "CreatePolicy" and "AttachRolePolicy" permissions

Grant the logged-in IAM user the "CreatePolicy" and "AttachRolePolicy" permissions.

Note: If the logged-in IAM user doesn't have the required permissions, the Lambda console displays one or both of the following errors:

  • "User <user-arn> is not authorized to perform: iam:CreatePolicy on resource: policy <policy-name>"
  • "User <user-arn> is not authorized to perform: iam:AttachRolePolicy on resource: role <role-name>"
