If you are trying to get an AWS Lambda added attached to a VPC, but get the error message:

The provided execution role does not have permissions to call CreateNetworkInterface on EC2

There are 3 ways to solve this problem

Below we will look at 3 different options when it comes to solving this problem:

  1. Fix the problem in Terraform
  2. Fix the problem in CloudFormation / SAM
  3. Fix the problem Manually in the AWS Console

How to fix the problem in Terraform

resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

How to fix the problem in CloudFormation

Type: "AWS::IAM::Role"
Properties:
  RoleName: "lambda-with-vpc-access"
  ManagedPolicyArns:
    - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
  AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Action:
          - sts:AssumeRole
        Principal:
          Service:
            - lambda.amazonaws.com

How to fix this problem Manually in the AWS Console

Then you can resolve this by adding a custom Inline Policy to the Lambda execution role under the Permissions tab.

Step 1

Under the Lambda you want to adjust, click Permissions and select the role under Execution role.

Click the link to open the role in IAM.

Step 2

Then click Add inline policy:

Step 3

Then click JSON:

Step 4

Now Add the JSON below into the textarea and click Review policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

Step 5

Finally provide a policy name and click Create policy:

Conclusion

You will now be able to attach your Lambda to a VPC without the error.

By following the above, you will have resolved the the provided execution role does not have permissions to call createnetworkinterface on ec2 error from before.

Sometimes, the above error is directly seen on AWS Lambda itself, this will then be shown to you as lambda the provided execution role does not have permissions to call createnetworkinterface on ec2.

The good news is that the same guide above will resolve all createnetworkinterface on ec2 permission` issues.