The Problem: You’ve created a Lambda function that you want to run on a CloudFront distribution as a Lambda@Edge function. When you go to deploy the function you’re hit with a permissions error complaining about the execution role:

Your function’s execution role must be assumable by the edgelambda.amazonaws.com service principal.

The Fix: You need to update the Lambda function’s role definition and explicitly add edgelambda.amazonaws.com as a trusted service principal, which you do from IAM by modifying the Trust Relationship of the function’s Role.


The fix in actual steps to follow

  1. Jump over to the Identity and Access Management (IAM) service, and then the Roles area.
  2. Find the specific role your Lambda function is running under (in our case, we’ve created a new one called Fix-s3-Cors-Vary-Headers).
  3. In the Role, move to the Trust Relationships tab, and then Edit trust relationship.
  4. On the Edit Trust Relationship page, you’ll see a Policy Document block.

Modify it so that Statement > Principal > Service is an array that includes the edge lambda service principal:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
            "Service": [
               "lambda.amazonaws.com",
               "edgelambda.amazonaws.com"
            ]
         },
         "Action": "sts:AssumeRole"
      }
   ]
}

Note: A default role will have just one record for lambda.amazonaws.com in the Service block, and it will be a single string value rather than an array. Make sure you convert that value into an array before adding the second entry, to avoid syntax errors.
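The same edit done programmatically, as an added example that is not part of the original post: it takes a role’s existing trust policy document (the constructed sample below is the default Lambda trust policy with Service as a bare string), normalises Service to an array, appends edgelambda.amazonaws.com only to the statement that already trusts lambda.amazonaws.com, and provides a check you can run against any trust policy to confirm edgelambda is actually allowed. The function and constant names are this example’s own.

```python
import json
from copy import deepcopy

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"
EDGE_PRINCIPAL = "edgelambda.amazonaws.com"

# Constructed sample: the trust policy a freshly created Lambda execution role
# gets by default. Note that "Service" is a single string, not an array.
DEFAULT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts "Service" and "Action" as either a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def trusted_services(policy):
    """Return the set of service principals that an Allow + sts:AssumeRole statement trusts.

    Deny statements and statements for other actions are ignored, so a Deny on
    edgelambda does not count as trust.
    """
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def allows_edge_lambda(policy):
    """True when the role can be assumed by the Lambda@Edge service principal."""
    return EDGE_PRINCIPAL in trusted_services(policy)


def add_edge_lambda_trust(policy):
    """Return a copy of `policy` whose Lambda AssumeRole statement also trusts edgelambda.

    Only the statement that already trusts lambda.amazonaws.com is widened, so no
    other principal gains anything. Raises if no such statement exists rather than
    inventing a new one.
    """
    updated = deepcopy(policy)
    for stmt in updated.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        services = _as_list(principal["Service"])
        if LAMBDA_PRINCIPAL not in services:
            continue
        if EDGE_PRINCIPAL not in services:
            services.append(EDGE_PRINCIPAL)
        principal["Service"] = services  # always written back as an array
        return updated
    raise ValueError("no Allow sts:AssumeRole statement trusts " + LAMBDA_PRINCIPAL)


def render(policy):
    """Serialise the policy in the same layout the IAM console shows."""
    return json.dumps(policy, indent=3)


if __name__ == "__main__":
    print(render(add_edge_lambda_trust(DEFAULT_TRUST_POLICY)))
```

To apply the rendered document to a real role you can save it to a file and run the AWS CLI’s `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`; the example itself stays offline so you can dry-run the change and inspect the result first.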


In Screenshots because the AWS Dashboard is a nightmare

  1. The error message you’ll see. [Screenshot: error message shown when deploying to Lambda@Edge]

  2. The IAM Roles area. [Screenshot: the IAM Roles area]

  3. The specific role’s Trust Relationships tab. [Screenshot: the IAM Roles area]

  4. The updated (fixed) policy. [Screenshot: the fixed trust policy for the Lambda role]

  5. The fixed trust relationships, now with the edgelambda.amazonaws.com record included in the Trusted entities list. [Screenshot: the trust relationships now show the updated record]


With the updated trust record you should now be able to assign your Lambda function to run on Lambda@Edge.