Python: The role defined for the function cannot be assumed by Lambda
Original URL: http://stackoverflow.com/questions/36419442/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
The role defined for the function cannot be assumed by Lambda
Asked by Midhun Sudhakar
I'm getting the error "The role defined for the function cannot be assumed by Lambda" when I'm trying to create a lambda function with create-function command.
aws lambda create-function \
  --region us-west-2 \
  --function-name HelloPython \
  --zip-file fileb://hello_python.zip \
  --role arn:aws:iam::my-acc-account-id:role/default \
  --handler hello_python.my_handler \
  --runtime python2.7 \
  --timeout 15 \
  --memory-size 512
Answered by Emile
I got the error "The role defined for the function cannot be assumed by Lambda" because I had not updated the role's "Trust Relationship" config file. I didn't encounter the timeout issues as in the linked answer in the comments.
The comments in the above answers pointed out that you need to add the following.
- Go to 'IAM > Roles > YourRoleName'
- (Note: if your role isn't listed, then you need to create it.)
- Select the 'Trust Relationships' tab
- Select 'Edit Trust Relationship'
Mine ended up like the below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      <your other rules>
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Answered by FOR
I'm also encountering this error. Have not got a definitive answer (yet) but figured I'd pass along a couple of hints that may help you and/or anyone else hitting this problem.
A) If you build the Role ARN by putting together your account ID and role name, I think the account ID needs to be without any dashes
B) If you just created the role, and possibly added policies to it, there seems to be a (small) window of time in which the role will trigger this error. Sleeping 5 or 6 seconds between the last operation on the role and the create-function call allowed me to bypass the issue (but of course, the timing may be variable so this is at best a work-around).
Answered by alexanderbird
For me, the issue was that I had an incomplete name for the role. I set
--role arn:aws:iam::000000000000:role/MyRoleName
when it should have been
--role arn:aws:iam::000000000000:role/service-role/MyRoleName
(of course my aws id isn't actually 000000000000)
I discovered this by running
aws iam get-role --role-name MyRoleName
and looking at the "Arn" property in the result set.
Answered by jsta
For me, the issue was that I had set the wrong default region environment key.
Answered by balaganAtomi
Had the same issue although my IAM role did have the right policy and trust relationship. Lambda creation worked fine when done through CLI; the problem was when using the lambda module after just creating the IAM role.
I also tried to "pause" for a few seconds but it didn't help.
Ended up adding retry and delay until registerdLambda.code was defined. Usually it works after 1-2 tries.
example:
- name: creating lambda function
  lambda:
    state: present
    name: "{{ lambdaName }}"
    zip_file: "{{ lambdaZipFile }}"
    runtime: "{{ lambdaRuntime }}"
    role: "{{ lambdaRole }}"
    description: "{{ lambdaDescription }}"
    handler: "{{ lambdaHandler }}"
  register: lambdaFunc
  # Retry until the module returns the function's code details
  retries: 3
  delay: 10
  until: lambdaFunc.code is defined
Answered by Vignesh
Most people end up in this error because of giving the wrong Role ARN in CloudFormation while creating the Lambda Function.
Make sure the role is completed first by using "DependsOn" and use the intrinsic function { "Fn::GetAtt" : [ "your-role-logical-name", "Arn" ] }
Answered by Michael
I was running into this error with terraform and needed to add an assume role policy and apply it to the role that lambda assumes.
# Trust policy: lets the Lambda service assume the role
data "aws_iam_policy_document" "lambda_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "Service"
      identifiers = [
        "lambda.amazonaws.com"
      ]
    }
  }
}

# Role that Lambda assumes, with the trust policy attached
resource "aws_iam_role" "lambda_rotation_role" {
  name = "lambda-rotation-role"
  assume_role_policy = "${data.aws_iam_policy_document.lambda_assume_role_policy.json}"
}
Answered by djhallx
I am just learning to use the AWS CLI and ran into this issue.
I am using a series of PowerShell scripts to deploy an entire AWS architecture. My createRole.ps1 script contains:
aws iam create-role `
  --role-name $roleName `
  --assume-role-policy-document file://myRoleTrustPolicy.json
The file myRoleTrustPolicy.json contains:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "elasticmapreduce.amazonaws.com",
          "datapipeline.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
It is the "lambda.amazonaws.com" line that was missing from the Service list that was causing the issue.
Once I fixed that, the invocation of aws lambda create-function worked great.
aws lambda create-function `
  --function-name $fn `
  --runtime java8 `
  --role $currentRoleARN `
  --handler "handleRequest" `
  --memory-size 128 `
  --zip-file $jarFile
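Added example (not from any of the answers above): an offline pre-flight check that combines the causes reported on this page, namely a trust policy without lambda.amazonaws.com (Emile, djhallx), an account ID with dashes (FOR), and a role ARN missing its path (alexanderbird). The function names preflight and lambda_can_assume are hypothetical, and SAMPLE is a constructed stand-in for the output of aws iam get-role.

```python
import json
import re

LAMBDA = "lambda.amazonaws.com"

def _as_list(value):
    # IAM accepts a single string or a list for Action and Principal.Service.
    return value if isinstance(value, list) else [] if value is None else [value]

def lambda_can_assume(trust_policy):
    """True if an Allow statement lets the Lambda service call sts:AssumeRole and
    no Deny statement names it. Condition blocks are not evaluated here."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if LAMBDA not in services or "sts:assumerole" not in actions:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def preflight(role_arn, get_role_output):
    """Compare the ARN you plan to pass as --role with `aws iam get-role` output."""
    role = json.loads(get_role_output)["Role"]
    problems = []
    account = role_arn.split(":")[4] if role_arn.count(":") >= 5 else ""
    if not re.fullmatch(r"\d{12}", account):
        problems.append("account id in ARN is not 12 digits without dashes")
    if role_arn != role["Arn"]:
        problems.append("ARN differs from get-role Arn: " + role["Arn"])
    if not lambda_can_assume(role["AssumeRolePolicyDocument"]):
        problems.append("trust policy does not allow " + LAMBDA + " to sts:AssumeRole")
    return problems

# Constructed sample of `aws iam get-role --role-name MyRoleName` output.
SAMPLE = json.dumps({"Role": {
    "Path": "/service-role/", "RoleName": "MyRoleName",
    "Arn": "arn:aws:iam::000000000000:role/service-role/MyRoleName",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": ["elasticmapreduce.amazonaws.com",
                                  "datapipeline.amazonaws.com"]}}]}}})

if __name__ == "__main__":
    for p in preflight("arn:aws:iam::000000000000:role/MyRoleName", SAMPLE):
        print("FAIL:", p)
```

An empty list from preflight means none of these three causes applies; the propagation delay and wrong-region cases described in the other answers are not covered by it.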