エラーの解決方法について　AccessDeniedException : Cross-account pass role is not allowed.

boto3でlambdaを作成する箇所でエラーが出ています。
Roleの指定に問題がある気がするのですが、どう変更したらいいのかわからず困っています。(ちなみに、Profileは関係あったりするのでしょうか？)
教えていただけると嬉しいです。
エラーと、元のコードは下記になります。

_______________________________________________ test_update_exception_list ________________________________________________

mocker = <pytest_mock.plugin.MockerFixture object at 0x7f793ca46640>

    @mock_s3
    def test_update_exception_list(mocker):
        setup_env(mocker)
        setup_mock(mocker)
>       setup_lambda(mocker, "amsui_action_list")

tests/test_action.py:372: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/.pyenv/versions/3.9.10/lib/python3.9/site-packages/moto/core/models.py:120: in wrapper
    result = func(*args, **kwargs)
tests/test_action.py:83: in setup_lambda
    res = lm.create_function(
/.pyenv/versions/3.9.10/lib/python3.9/site-packages/botocore/client.py:508: in _api_call
    return self._make_api_call(operation_name, kwargs)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <botocore.client.Lambda object at 0x7f793d0a1130>, operation_name = 'CreateFunction'
api_params = {'Code': {'ZipFile': b'PK\x03\x04\x14\x00\x00\x00\x08\x00\xb71\x10UTC\xfax3\x00\x00\x006\x00\x00\x00\x12\x00\x00\x00la...t lambda function', 'FunctionName': 'amsui-devdev-amsui_action_list', 'Handler': 'lambda_function.lambda_handler', ...}

    def _make_api_call(self, operation_name, api_params):
        operation_model = self._service_model.operation_model(operation_name)
        service_name = self._service_model.service_name
        history_recorder.record(
            'API_CALL',
            {
                'service': service_name,
                'operation': operation_name,
                'params': api_params,
            },
        )
        if operation_model.deprecated:
            logger.debug(
                'Warning: %s.%s() is deprecated', service_name, operation_name
            )
        request_context = {
            'client_region': self.meta.region_name,
            'client_config': self.meta.config,
            'has_streaming_input': operation_model.has_streaming_input,
            'auth_type': operation_model.auth_type,
        }
        request_dict = self._convert_to_request_dict(
            api_params, operation_model, context=request_context
        )
        resolve_checksum_context(request_dict, operation_model, api_params)
    
        service_id = self._service_model.service_id.hyphenize()
        handler, event_response = self.meta.events.emit_until_response(
            'before-call.{service_id}.{operation_name}'.format(
                service_id=service_id, operation_name=operation_name
            ),
            model=operation_model,
            params=request_dict,
            request_signer=self._request_signer,
            context=request_context,
        )
    
        if event_response is not None:
            http, parsed_response = event_response
        else:
            apply_request_checksum(request_dict)
            http, parsed_response = self._make_request(
                operation_model, request_dict, request_context
            )
    
        self.meta.events.emit(
            'after-call.{service_id}.{operation_name}'.format(
                service_id=service_id, operation_name=operation_name
            ),
            http_response=http,
            parsed=parsed_response,
            model=operation_model,
            context=request_context,
        )
    
        if http.status_code >= 300:
            error_code = parsed_response.get("Error", {}).get("Code")
            error_class = self.exceptions.from_code(error_code)
>           raise error_class(parsed_response, operation_name)
E           botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the CreateFunction operation: Cross-account pass role is not allowed.

/.pyenv/versions/3.9.10/lib/python3.9/site-packages/botocore/client.py:915: ClientError

エラーが出ている箇所は　res = lm.create_function(　です。

Python
1@mock_lambda
2def setup_lambda(mocker, function_name):
3    lm = boto3.client("lambda", ENV["region"])
4    code = """
5def lambda_handler(event, context):
6    return event
7"""
8    app = ENV["app"]
9    stg = ENV["stg"]
10    name = function_name
11
12    res = lm.create_function(
13        FunctionName=f"{app}-{stg}-{name}",
14        Runtime='python3.9',
15        Role='arn:aws:iam::111122223333:role/test-iam-role',
16        Handler='lambda_function.lambda_handler',
17        Code={
18            'ZipFile': get_function_zip(code),
19        },
20        Description='test lambda function',
21        Timeout=3,
22        MemorySize=128,
23        Publish=True,
24    )
25
26    return res

行動規範の内容に同意します

回答1件

自己解決

こちらのサイトを参考に
https://stackoverflow.com/questions/65352927/mocking-a-lambda-response-with-moto
下記のコードで作成したRoleをCreate_Functionで指定したら成功しました。

Python
1def get_role_name():
2    with mock_iam():
3        iam = boto3.client("iam", region_name=_lambda_region)
4        try:
5            return iam.get_role(RoleName="my-role")["Role"]["Arn"]
6        except ClientError:
7            return iam.create_role(
8                RoleName="my-role",
9                AssumeRolePolicyDocument="some policy",
10                Path="/my-path/",
11            )["Role"]["Arn"]