com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166)

Jenkins JIRA | Alex Gray | 11 months ago
  1. 0

    When using "use instance credentials" I get the following exception: =========================== Starting lambda deployment procedure Copying zip file File Name: awslambda-942813613263363530.zip Absolute Path: /tmp/awslambda-942813613263363530.zip File Size: 10388 Lambda function existence check: {FunctionName: alex_test,} Lambda function does not exist Lambda create function request: {FunctionName: alex_test,Runtime: python2.7,Role: arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest,Handler: lambda_handler,Code: {ZipFile: java.nio.HeapByteBuffer[pos=0 lim=10388 cap=10388],},Description: Hipchat PR Digest,Timeout: 60,MemorySize: 256,Publish: true} com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166) at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1239) at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:823) at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:506) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:318) at com.amazonaws.services.lambda.AWSLambdaClient.invoke(AWSLambdaClient.java:1925) at com.amazonaws.services.lambda.AWSLambdaClient.createFunction(AWSLambdaClient.java:686) at com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.createLambdaFunction(LambdaDeployService.java:162) at com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.deployLambda(LambdaDeployService.java:82) at com.xti.jenkins.plugin.awslambda.upload.LambdaUploader.upload(LambdaUploader.java:51) at com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:81) at com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:66) at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785) at hudson.model.Build$BuildExecution.build(Build.java:205) at hudson.model.Build$BuildExecution.doRun(Build.java:162) at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537) at hudson.model.Run.execute(Run.java:1741) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:408) Build step 'AWS Lambda deployment' changed build result to FAILURE Finished: FAILURE =========================== The jenkins node that is running that this job has all the credentials it needs to talk to lambda. For instance, I can create a function via the AWS CLI: # aws lambda create-function --function-name alex-foo --runtime python2.7 --role arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest --handler lambda_handler --region us-west-2 --zip-file fileb://foo.zip { "FunctionName": "alex-foo", "CodeSize": 170, "MemorySize": 128, "FunctionArn": "arn:aws:lambda:us-west-2:763429161784:function:alex-foo", "Handler": "lambda_handler", "Role": "arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest", "Timeout": 3, "LastModified": "2016-01-15T14:44:20.353+0000", "Runtime": "python2.7", "Description": "" } The IAM policy on the instance has full lambda and iam:PassRole (This role also has a trust relationship with another account, which may play a role in this error): { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1452706481000", "Effect": "Allow", "Action": [ "lambda:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "*" ] } ] }

    Jenkins JIRA | 11 months ago | Alex Gray
    com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166)
  2. 0

    When using "use instance credentials" I get the following exception: =========================== Starting lambda deployment procedure Copying zip file File Name: awslambda-942813613263363530.zip Absolute Path: /tmp/awslambda-942813613263363530.zip File Size: 10388 Lambda function existence check: {FunctionName: alex_test,} Lambda function does not exist Lambda create function request: {FunctionName: alex_test,Runtime: python2.7,Role: arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest,Handler: lambda_handler,Code: {ZipFile: java.nio.HeapByteBuffer[pos=0 lim=10388 cap=10388],},Description: Hipchat PR Digest,Timeout: 60,MemorySize: 256,Publish: true} com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166) at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1239) at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:823) at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:506) at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:318) at com.amazonaws.services.lambda.AWSLambdaClient.invoke(AWSLambdaClient.java:1925) at com.amazonaws.services.lambda.AWSLambdaClient.createFunction(AWSLambdaClient.java:686) at com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.createLambdaFunction(LambdaDeployService.java:162) at com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.deployLambda(LambdaDeployService.java:82) at com.xti.jenkins.plugin.awslambda.upload.LambdaUploader.upload(LambdaUploader.java:51) at com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:81) at com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:66) at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45) at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785) at hudson.model.Build$BuildExecution.build(Build.java:205) at hudson.model.Build$BuildExecution.doRun(Build.java:162) at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537) at hudson.model.Run.execute(Run.java:1741) at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43) at hudson.model.ResourceController.execute(ResourceController.java:98) at hudson.model.Executor.run(Executor.java:408) Build step 'AWS Lambda deployment' changed build result to FAILURE Finished: FAILURE =========================== The jenkins node that is running that this job has all the credentials it needs to talk to lambda. For instance, I can create a function via the AWS CLI: # aws lambda create-function --function-name alex-foo --runtime python2.7 --role arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest --handler lambda_handler --region us-west-2 --zip-file fileb://foo.zip { "FunctionName": "alex-foo", "CodeSize": 170, "MemorySize": 128, "FunctionArn": "arn:aws:lambda:us-west-2:763429161784:function:alex-foo", "Handler": "lambda_handler", "Role": "arn:aws:iam::763429161784:role/lambda_hipchat_pr_digest", "Timeout": 3, "LastModified": "2016-01-15T14:44:20.353+0000", "Runtime": "python2.7", "Description": "" } The IAM policy on the instance has full lambda and iam:PassRole (This role also has a trust relationship with another account, which may play a role in this error): { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1452706481000", "Effect": "Allow", "Action": [ "lambda:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "*" ] } ] }

    Jenkins JIRA | 11 months ago | Alex Gray
    com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166)
  3. 0

    [JIRA] [aws-lambda-plugin] (JENKINS-32475) Cross-account pass role is not allowed when using instance credentials

    Google Groups | 11 months ago | grayaii@gmail.com (JIRA)
    com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166)
  4. Speed up your debug routine!

    Automated exception search integrated into your IDE

  5. 0

    HTTP Proxy Integration with RAML Config

    GitHub | 1 year ago | spencerfdavis
    com.amazonaws.AmazonServiceException: (Service: null; Status Code: 500; Error Code: null; Request ID: 1627c293-9917-11e5-9a05-3738b38200c6)
  6. 0

    Jobs: Do not log AWS rate limit exceedance as ERROR

    GitHub | 11 months ago | harti2006
    com.amazonaws.AmazonServiceException: Request limit exceeded. (Service: AmazonEC2; Status Code: 503; Error Code: RequestLimitExceeded; Request ID: aa4ebff3-6965-42f5-8bba-a4d33e479896)

  1. aldrinleal 1 times, last 4 months ago
  2. tyson925 3 times, last 5 months ago
41 unregistered visitors
Not finding the right solution?
Take a tour to get the most out of Samebug.

Tired of useless tips?

Automated exception search integrated into your IDE

Root Cause Analysis

  1. com.amazonaws.AmazonServiceException

    Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: null; Request ID: bb814e04-bb96-11e5-88fa-b56203d5b166)

    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse()
  2. AWS SDK for Java - Core
    AmazonHttpClient.execute
    1. com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:1239)
    2. com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:823)
    3. com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:506)
    4. com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:318)
    4 frames
  3. AWS Java SDK for AWS Lambda
    AWSLambdaClient.createFunction
    1. com.amazonaws.services.lambda.AWSLambdaClient.invoke(AWSLambdaClient.java:1925)
    2. com.amazonaws.services.lambda.AWSLambdaClient.createFunction(AWSLambdaClient.java:686)
    2 frames
  4. com.xti.jenkins
    LambdaUploadBuildStep.perform
    1. com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.createLambdaFunction(LambdaDeployService.java:162)
    2. com.xti.jenkins.plugin.awslambda.service.LambdaDeployService.deployLambda(LambdaDeployService.java:82)
    3. com.xti.jenkins.plugin.awslambda.upload.LambdaUploader.upload(LambdaUploader.java:51)
    4. com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:81)
    5. com.xti.jenkins.plugin.awslambda.upload.LambdaUploadBuildStep.perform(LambdaUploadBuildStep.java:66)
    5 frames
  5. Hudson
    Executor.run
    1. hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45)
    2. hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:785)
    3. hudson.model.Build$BuildExecution.build(Build.java:205)
    4. hudson.model.Build$BuildExecution.doRun(Build.java:162)
    5. hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
    6. hudson.model.Run.execute(Run.java:1741)
    7. hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
    8. hudson.model.ResourceController.execute(ResourceController.java:98)
    9. hudson.model.Executor.run(Executor.java:408)
    9 frames