@shinyaz

Lambda Managed Instances operator role requires AWSLambdaManagedEC2ResourceOperator


I set up a Capacity Provider with an operator role for Lambda Managed Instances and ran publish-version, and the version went to Failed.

Output
"StateReason": "The function's execution role doesn't have permission to perform this operation.",
"StateReasonCode": "InsufficientRolePermissions"

The error gives no hint about which permission is missing. I escalated from AmazonEC2FullAccess → AWSLambda_FullAccess → AdministratorAccess — all failed with the same error.

The answer is AWSLambdaManagedEC2ResourceOperator, a dedicated managed policy.

Terminal
aws iam attach-role-policy --role-name MyOperatorRole \
  --policy-arn arn:aws:iam::aws:policy/AWSLambdaManagedEC2ResourceOperator

The Getting Started guide documents this, but the error message won't lead you there. Generic EC2 permissions likely don't cover the internal operations Lambda uses (instance profiles, network config, etc.).
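As an added example (not code from the original post), this Python check reads the JSON printed by `aws iam list-attached-role-policies --role-name MyOperatorRole`, confirms the dedicated policy is attached, and flags the broad managed policies tried during troubleshooting so they can be detached again. The function name and the sample JSON are constructed for illustration; inline policies are not examined.

```python
import json

# Policy ARN given in the post above.
REQUIRED_ARN = "arn:aws:iam::aws:policy/AWSLambdaManagedEC2ResourceOperator"

# Broad AWS managed policies the post tried while troubleshooting.
BROAD_ARNS = {
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
    "arn:aws:iam::aws:policy/AWSLambda_FullAccess",
    "arn:aws:iam::aws:policy/AdministratorAccess",
}


def audit_operator_role(role_name, list_output):
    """Audit JSON from `aws iam list-attached-role-policies`.

    Returns (has_required, leftover_broad_arns, suggested_cli_commands).
    """
    policies = json.loads(list_output).get("AttachedPolicies", [])
    attached = {p["PolicyArn"] for p in policies}
    has_required = REQUIRED_ARN in attached
    leftovers = sorted(attached & BROAD_ARNS)
    commands = []
    if not has_required:
        commands.append(
            f"aws iam attach-role-policy --role-name {role_name} --policy-arn {REQUIRED_ARN}")
    for arn in leftovers:
        # Broad policies did not fix the error, so they only widen the role.
        commands.append(
            f"aws iam detach-role-policy --role-name {role_name} --policy-arn {arn}")
    return has_required, leftovers, commands


# Constructed sample: a role left in the state the post describes after the
# failed escalation attempts, before the dedicated policy was attached.
SAMPLE = json.dumps({"AttachedPolicies": [
    {"PolicyName": "AmazonEC2FullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
]})

if __name__ == "__main__":
    ok, leftovers, commands = audit_operator_role("MyOperatorRole", SAMPLE)
    print("required policy attached:", ok)
    print("broad policies still attached:", leftovers)
    print("\n".join(commands))
```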


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.