small medium large xlarge

Generic-user-small
12 Jun 2016, 20:59
Chris Greene (6 posts)

This is an FYI for anyone else that runs into the issue and maybe so the sspa script will get an enhancement.

Everytime I tried to run ./sspa create_service conf/lambda/functions/echo I would get the error:

Waiting for IAM Role to become available……done! A client error (InvalidParameterValueException) occurred when calling the CreateFunction >operation: The role defined for the function cannot be assumed by Lambda.

I modified the sspa script to print out the command to create the lambda function: aws --profile admin lambda create-function --function-name echo --role arn:aws:iam::258561304414:role/learnjs_lambda_exec --zip-file fileb://services/archive.zip --handler index.echo --cli-input-json file://conf/lambda/functions/echo/config.json > conf/lambda/functions/echo/info.json

Everything looked good and when I ran the command by itself it worked. As a temporary fix I added a wait before creating the lambda function and it seems to work now.

function create_lambda_service() {
  local service_dir=${1%/}
  local function_name=$(basename $service_dir)
  create_iam_role lambda_exec "file://conf/iam/policies/lambda_trust.json"
  echo -n "Waiting for IAM Role to become available..."
  local role_arn=$(support/jsed.py conf/iam/roles/${app_name}_lambda_exec/info.json 'Role.Arn')
  while ! aws --profile $profile iam get-role --role-name ${app_name}_lambda_exec &> /dev/null; do
    echo -n .
  done
  echo "...done!"
  sleep 5

  if [[ ! -e ${service_dir}/info.json ]]; then
    aws --profile $profile lambda create-function \
Benrady-avatar_pragsmall
12 Jun 2016, 21:49
Ben Rady (62 posts)

Almost seems like like aws command line tool wasn’t returning the proper error code when it failed. I don’t suppose you have a way to reproduce it?

Generic-user-small
13 Jun 2016, 02:04
Chris Greene (6 posts)

I can reproduce it every time by taking out the sleep 5. I’m not too familiar with the aws command so I’m not sure how to get the error code, but I could modify the script to capture the exit code of the aws command in the $? variable. Would that work? If not, I can try whatever you want. Thanks.

Benrady-avatar_pragsmall
13 Jun 2016, 02:24
Ben Rady (62 posts)

Trying taking out the redirect to /dev/null, like so:

while ! aws –profile $profile iam get-role –role-name ${app_name}_lambda_exec; do

What does that print out?

Generic-user-small
13 Jun 2016, 19:47
Chris Greene (6 posts)

I commented out the original and put what you said below that:

function create_lambda_service() {
  local service_dir=${1%/}
  local function_name=$(basename $service_dir)
  create_iam_role lambda_exec "file://conf/iam/policies/lambda_trust.json"
  echo -n "Waiting for IAM Role to become available..."
  local role_arn=$(support/jsed.py conf/iam/roles/${app_name}_lambda_exec/info.json 'Role.Arn')
  #while ! aws --profile $profile iam get-role --role-name ${app_name}_lambda_exec &> /dev/null; do
  while ! aws --profile $profile iam get-role --role-name ${app_name}_lambda_exec; do
    echo -n .
  done
  echo "...done!"

Here are the results:

  adding: node_modules/aws-sdk/testem.json (deflated 7%)
~/workspace/learnjs
Waiting for IAM Role to become available...{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", 
            "Statement": [
                {
                    "Action": "sts:AssumeRole", 
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    }, 
                    "Effect": "Allow", 
                    "Sid": ""
                }
            ]
        }, 
        "RoleId": "AROAJLSEVYJEZQMS5NXA6", 
        "CreateDate": "2016-06-13T19:37:58Z", 
        "RoleName": "learnjs_lambda_exec", 
        "Path": "/", 
        "Arn": "arn:aws:iam::258561304414:role/learnjs_lambda_exec"
    }
}
...done!

A client error (InvalidParameterValueException) occurred when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.
Benrady-avatar_pragsmall
14 Jun 2016, 17:13
Ben Rady (62 posts)

That looks disappointingly normal. I’m going to have to dig into what would cause that role to not be ready for 5 seconds (even though it has an ID).

Benrady-avatar_pragsmall
21 Jun 2016, 20:30
Ben Rady (62 posts)

I still haven’t found a good way to deal with this. It seems like a bug in the AWS CLI, and I will try to submit an issue upstream.

In the meantime, I’ve moved your workaround up into the master branch. That should hopefully prevent the problem, and the expense of the script taking longer to run.

Generic-user-small
15 Feb 2017, 14:58
Trevor E Hilder (1 post)

I just spent half a day puzzling over why the command:

./sspa create_service conf/lambda/functions/echo

just looped indefinitely with a message:

Waiting for IAM Role to become available……

I am not familiar with python, but I resorted to reading the sspa script and eventually realised that I had to delete the file conf/iam/roles/learnjs_lambda_exec/info.json in order to make this work. If that file exists, the IAM Role never gets created, because the script thinks its existence indicates the Role has already been created. I’m not sure why that file already existed, but this is one to watch!

Regards, Trevor

Benrady-avatar_pragsmall
16 Feb 2017, 01:24
Ben Rady (62 posts)

Sorry to hear that Trevor. Perhaps there’s a way the sspa script could detect this condition.

You must be logged in to comment