How do I resolve the "Lambda could not update the function's execution role" error when attaching Amazon RDS Proxy to a Lambda function?

Last updated: 2021-12-08

When I try to attach Amazon RDS Proxy to an AWS Lambda function, I get the following error message: "Lambda could not update the function's execution role". How do I resolve the error?

Short description

Lambda can return the Lambda could not update the function's execution role error for the following reasons:

  • The Lambda execution role has more than one trusted entity associated with it.
  • The Lambda function's execution role has 10 policies attached to it.
  • The logged in AWS Identity and Access Management (IAM) user doesn't have "CreatePolicy" and "AttachRolePolicy" permissions.

Resolution

Verify that the Lambda function's execution role has only one trusted entity associated with it

Review your function's execution role and verify that only the Lambda service (lambda.amazonaws.com) can assume the role.

Note: To have the same role assumed by other services, create a new role and configure those services as its trusted entities.

Verify that the Lambda function's execution role doesn't have 10 policies attached to it

Review your function's execution role to determine whether there are 10 policies attached to it. If the role does have 10 policies attached to it, then create a single, custom policy to replace the existing ones.

Note: If the execution role has 10 policies attached, then the Lambda function can't create and attach the required RDS Proxy policy to the role.

Sample RDS Proxy policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "Proxy ARN"
        }
    ]
}

Verify that the logged in IAM user has "CreatePolicy" and "AttachRolePolicy" permissions

Review the logged in IAM user's IAM policy and verify that the policy includes "CreatePolicy" and "AttachRolePolicy" permissions. If the user's policy doesn't include the required permissions, then grant the user "CreatePolicy" and "AttachRolePolicy" permissions.

Note: If the logged in IAM user doesn't have the required permissions, then the Lambda console displays one or both of the following errors:

  • "User <user-arn> is not authorized to perform: iam:CreatePolicy on resource: policy <policy-name>"
  • "User <user-arn> is not authorized to perform: iam:AttachRolePolicy on resource: role <role-name>"

 


Did this article help?


Do you need billing or technical support?