WarmLambdaFunction, TorchLambdaFunction does not use my configured role

question

#1

Hello. I use vpc and I tried to deploy.
But it failed because my credentials needed more permissions.
So I added more roles, but it failed again, cuz my functions needed more permissions.
But my functions used the role built by the Jets framework. So I set config.function.role in application.rb, like the code below.

config.function.role = "arn:aws:iam::#{Jets.aws.account}:role/pongdang-prod-service-role"

But it failed again, cuz WarmLambdaFunction and TorchLambdaFunction needed more permissions, too. But I cannot find how to make the prewarm function also use my custom role.

How can I set prewarm function also use my custom role?


#2

@say8425 Good question. Added the ability to adjust the IAM policy associated with the PreheatJob: https://github.com/tongueroo/jets/pull/290 Released in v1.9.15.

Added some docs to https://rubyonjets.com/docs/iam-policies/; it's under the Prewarm Job IAM Policy section.

Though others have used vpc, haven’t used vpc yet myself. So unsure what extra permissions are needed. Interested in what you end up using. It would be nice if Jets just figured it out and adjusted the IAM policy automatically. Until then the ability to customize the Prewarm Job IAM Policy should help.

Here’s an example that adds ec2.

Jets.application.configure do |config|
  # ...
  config.prewarm_job_iam_policy = [
    Jets::Application.default_prewarm_job_iam_policy,
    "ec2"
  ]
end

#3

@say8425 Realized that a better way is to adjust the application-wide IAM Policy. So there’s no need for an additional prewarm_job_iam_policy. Got rid of config.prewarm_job_iam_policy in v1.9.16

Instead use:

Jets.application.configure do |config|
  # ...
  config.iam_policy = [
    Jets::Application.default_iam_policy,
    "ec2"
  ]
end

#4

How fast! Thank you so very much.
By the way, I did not share what extra permissions are needed to use vpc.
So I am writing down the permissions that I needed to use vpc.
These permissions can be found in the AWS CloudFormation event log:

"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
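
An added example, not part of the original post or the Jets code base: a Ruby check that compares a policy's Allow statements against the six actions listed above and flags wildcard grants for least-privilege review. It assumes the "ec2" shorthand used earlier in the thread expands to the action ec2:*; the constant and function names are hypothetical and the sample policies are constructed.

```ruby
# Added example (hypothetical names). The six VPC actions from the post above.
REQUIRED_VPC_ACTIONS = %w[
  ec2:CreateNetworkInterface
  ec2:DeleteNetworkInterface
  ec2:DescribeNetworkInterfaces
  ec2:DescribeVpcs
  ec2:DescribeSubnets
  ec2:DescribeSecurityGroups
].freeze

# IAM action patterns are case-insensitive and may contain * and ? wildcards.
def action_pattern(pattern)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  /\A#{body}\z/i
end

# Collect every action named in an Allow statement. "Statement" and "Action"
# may each be a single value or a list. Deny and NotAction are not evaluated.
def allowed_actions(policy)
  statements = policy["Statement"]
  statements = [statements] if statements.is_a?(Hash)
  Array(statements).select { |s| s["Effect"] == "Allow" }
                   .flat_map { |s| Array(s["Action"]) }
end

# Report required VPC actions the policy does not grant, and wildcard grants
# that allow more than the listed actions.
def audit_vpc_policy(policy)
  granted = allowed_actions(policy)
  missing = REQUIRED_VPC_ACTIONS.reject do |need|
    granted.any? { |g| action_pattern(g).match?(need) }
  end
  { missing: missing, overbroad: granted.select { |g| g.match?(/[*?]/) }.uniq }
end

# Constructed sample policies.
allow = ->(actions) { { "Statement" => [{ "Effect" => "Allow", "Action" => actions, "Resource" => "*" }] } }
BROAD   = allow.call("ec2:*") # assumed expansion of the "ec2" shorthand
SCOPED  = allow.call(REQUIRED_VPC_ACTIONS)
PARTIAL = allow.call(["ec2:Describe*", "ec2:CreateNetworkInterface"])

{ "broad" => BROAD, "scoped" => SCOPED, "partial" => PARTIAL }.each do |name, policy|
  puts "#{name}: #{audit_vpc_policy(policy)}"
end
```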

#5

@say8425 Thanks so much for the IAM permissions! It saved me time from figuring it out.

Implemented automatic VPC-related IAM permissions in this PR: https://github.com/tongueroo/jets/pull/296 Released in v1.9.19 :tada:

Learned more about Lambda and VPCs so put together this doc for others :+1:

https://rubyonjets.com/docs/considerations/vpc/

