I am trying to create a CloudFormation stack using AWS Events to trigger an API call on a schedule. Most of the stack is working; however, the AWS::Events::ApiConnection is failing to create and I am not sure why.
This is the CF snippet that is failing: (Note: the API doesn't have any authentication yet; however, CloudFormation requires the AuthParameters property.)
"CronServerApiConnection": {
  "Type": "AWS::Events::Connection",
  "Properties": {
    "Name": "api-connection",
    "AuthorizationType": "API_KEY",
    "AuthParameters": {
      "ApiKeyAuthParameters": {
        "ApiKeyName": "foo",
        "ApiKeyValue": "bar"
      }
    }
  }
},
In the CloudFormation console this fails to create with the following error:
Resource handler returned message: "Error occurred during operation 'AWS::Events::Connection'." (RequestToken: xxxxxxxxxxxxxxxxx, HandlerErrorCode: GeneralServiceException)
I can't for the life of me figure this one out. From what I can see, my CF snippet matches exactly what AWS specify in their docs here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html
I ran into this issue myself a few weeks ago, and while looking for an answer I found this question unresolved, so I thought I would share the answer. The Events API is not descriptive at all with any of its errors; in my case the issues were permissions related. While it is not clear in the documentation, the AWS::Events::Connection not only needs permissions for the Events API but also for the Secrets Manager API, since it will create some secrets for you under the hood. I solved this by adding full API permissions to the role creating the stack, but of course I scoped the permissions by resource to avoid security issues, something like:
{
  "Effect": "Allow",
  "Action": [
    "events:*",
    "secretsmanager:*"
  ],
  "Resource": [
    "arn:aws:secretsmanager:<your region>:<your-account-id>:secret:events!connection/<yoursecretnameprefix>-*"
  ]
}
I will leave the addition of the Events resource to you, but essentially it is the same: just scope it by the ARN of your resource. The above is just an example; please replace the placeholders with the correct values.
I'm trying to associate an IAM role with my DB instance as documented here:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Authorizing.IAM.AddRoleToDBCluster.html
I can do it via the UI and see it via:
aws rds describe-db-instances --db-instance-identifier=myInstanceName
...
  "AssociatedRoles": [
    {
      "RoleArn": "arn:aws:iam::123456789123:role/myRoleName",
      "FeatureName": "s3Import",
      "Status": "ACTIVE"
    }
  ]
...
However, I cannot find any reference on how to set this via CloudFormation.
I tried setting AssociatedRoles, but it fails saying:
Encountered unsupported property AssociatedRoles
I think you can't do it with CloudFormation (unless, of course, you build a custom resource, but if you don't know how to do that already it will be overkill).
We have developed an AWS Serverless Lambda application using .NET Core to perform operations on EC2 instances, say, start or stop an EC2 instance, and integrated it with AWS API Gateway.
serverless.template in the .NET Core application:
"StartInstanceById" : {
  "Type" : "AWS::Serverless::Function",
  "Properties": {
    "Handler": "EC2_Monitoring_Serverless::EC2_Monitoring_Serverless.Functions::StartInstanceById",
    "Runtime": "dotnetcore2.1",
    "CodeUri": "",
    "MemorySize": 256,
    "Timeout": 30,
    "Role": "arn:aws:iam::2808xxxx1013:role/lamda_start_stop",
    "Policies": [ "AWSLambdaBasicExecutionRole" ],
    "Events": {
      "PutResource": {
        "Type": "Api",
        "Properties": {
          "Path": "/instances",
          "Method": "Get"
        }
      }
    }
  }
}
The above Lambda function is working fine for starting an EC2 instance when I invoke the API Gateway URL.
For calling these APIs, we have created an Angular 6 application and provided authentication using AWS Cognito User Pools.
So the Cognito user logs into the website and gets all the EC2 information.
If the user wants to stop or start the EC2 instance, the user clicks on the particular button, which invokes the relevant API Gateway URL of the Lambda function, and it's working fine.
Now the question is who performed that action. After much research on Stack Overflow and the AWS community forums on how to know who started or stopped the EC2 instances, I found that AWS CloudTrail logs the information when a user starts or stops an instance.
So I created a trail and I can see the logs in S3 buckets. But in every log I opened, I saw that the role "arn:aws:iam::2808xxxx1013:role/lamda_start_stop" is captured. I know this is because of the Lambda function. But I want to know who really stopped the instance.
Please advise how to capture user details!
The reason the Lambda execution role is getting printed in CloudTrail is that it initiated the process to stop the EC2 instance. Here the role is assumed (instead of the actual user).
To print your actual user, you need to implement logging in your Lambda, which will print logs to CloudWatch. You can get the actual user or any other custom information from those logs.
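As an added example (not code from the question or the answer above), here is a Python Lambda handler that takes the caller's identity from the API Gateway event's Cognito authorizer claims and writes a structured audit line to CloudWatch, refusing requests that carry no verified identity. It assumes a REST API with a Cognito User Pool authorizer, which is what puts the claims under requestContext.authorizer.claims; the sample event is constructed.

```python
import json
import logging

LOG = logging.getLogger()

class Unauthenticated(Exception):
    """Request carries no verified Cognito identity."""

def caller_from_event(event):
    """Return (username, sub) from the Cognito authorizer claims, or raise."""
    authorizer = (event.get("requestContext") or {}).get("authorizer") or {}
    claims = authorizer.get("claims") or {}
    if not claims.get("sub"):
        # No verified identity: refuse instead of attributing the action to nobody.
        raise Unauthenticated("request carries no Cognito claims")
    return claims.get("cognito:username", claims["sub"]), claims["sub"]

def audit_record(event, action, instance_id, request_id):
    """Structured log entry tying the user to the EC2 action; request_id is
    context.aws_request_id, so the CloudWatch line can be matched by time with
    the CloudTrail event that is attributed to the function's role."""
    username, sub = caller_from_event(event)
    identity = (event.get("requestContext") or {}).get("identity") or {}
    return {"action": action, "instanceId": instance_id, "user": username,
            "userSub": sub, "sourceIp": identity.get("sourceIp"),
            "lambdaRequestId": request_id}

def handler(event, context):
    instance_id = (event.get("queryStringParameters") or {}).get("instanceId")
    try:
        record = audit_record(event, "StopInstances", instance_id, context.aws_request_id)
    except Unauthenticated as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc)})}
    LOG.info(json.dumps(record))  # lands in the function's CloudWatch log group
    # boto3.client("ec2").stop_instances(InstanceIds=[instance_id]) would follow here
    return {"statusCode": 200, "body": json.dumps(record)}

# Constructed sample of an API Gateway proxy event behind a Cognito authorizer.
SAMPLE_EVENT = {
    "requestContext": {
        "authorizer": {"claims": {"sub": "5f1c-example", "cognito:username": "alice"}},
        "identity": {"sourceIp": "203.0.113.5"}},
    "queryStringParameters": {"instanceId": "i-0123456789abcdef0"},
}
```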
So I have created a REST API backend with Express.js and have used Claudia.js to upload my endpoints to Lambda functions, and everything went smoothly. The endpoints work as expected and return the correct information. My only issue is that when I go to my AWS console I do not see the Lambda functions that were created. I am not sure where this endpoint is being hosted. Has anyone else had this issue when working with Claudia.js?
In your claudia.json file you should see something like:
"lambda": {
  "role": "example-role",
  "name": "example-test",
  "region": "us-west-2"
},
us-west-2 being Oregon.
Is there a way to get event information, specifically the ARN of the service causing the event, to a lambda function?
In my previous question, I asked for some help with using CloudWatch and CloudTrail to get the info. I think it was mostly just a misunderstanding of the rules, but now I'm concerned whether there is any way to make a generalized solution.
I know I could do it for a specific service successfully, but I wish to have a generalized rule to trigger the function. CloudWatch Logs or Events seem to be the right answer for this, but I'm no longer confident about that after my trouble with my CloudWatch CloudTrail rule.
Just to fully lay out my goal, I wish to have a Lambda function trigger at the creation of any service and get access to that new service's ARN, so that I may do verification of the process.
Yes, it is possible; however, each event has different event properties, and you need to check where to get this information.
For example, if your Lambda is triggered by CloudFormation, you can get the Stack Id (ARN) with event['StackId'].
{
  "StackId": "stackidarn",
  "ResponseURL": "http://pre-signed-S3-url-for-response",
  "ResourceProperties": {
    "StackName": "stack-name",
    "List": [
      "1",
      "2",
      "3"
    ]
  },
  "RequestType": "Create",
  "ResourceType": "Custom::TestResource",
  "RequestId": "unique id for this create request",
  "LogicalResourceId": "MyTestResource"
}
You can see details about each event generated at http://docs.aws.amazon.com/lambda/latest/dg/eventsources.html.
If you want to debug in real time to check the event content, you can find a solution like lambda-toolkit.
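As an added example, not part of the answer above: a small Python dispatcher that pulls the resource ARN out of the event shapes a Lambda commonly receives, and returns nothing rather than guessing when it does not recognise the shape. The sample events are constructed; the scan of detail.responseElements is an assumption about where a CloudTrail event delivered through EventBridge names the resource that was just created.

```python
import re

# ARN layout: arn:partition:service:region:account:resource (region and account may be empty).
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:.+$")

def _is_arn(value):
    return isinstance(value, str) and ARN_RE.match(value) is not None

def _walk_for_arns(node):
    """Collect ARN-shaped strings anywhere inside nested dicts and lists."""
    if isinstance(node, dict):
        return {a for v in node.values() for a in _walk_for_arns(v)}
    if isinstance(node, list):
        return {a for v in node for a in _walk_for_arns(v)}
    return {node} if _is_arn(node) else set()

def resource_arns(event):
    """Return the ARNs an event names, sorted; [] when the shape is not recognised."""
    # 1. CloudFormation custom-resource request: the stack ARN is the StackId field.
    if "RequestType" in event and _is_arn(event.get("StackId")):
        return [event["StackId"]]
    # 2. EventBridge envelope whose top-level "resources" list is populated.
    listed = sorted(r for r in event.get("resources", []) if _is_arn(r))
    if listed:
        return listed
    # 3. CloudTrail API call delivered via EventBridge: "resources" is usually empty,
    #    so look for the created resource inside detail.responseElements (assumed).
    if event.get("detail-type") == "AWS API Call via CloudTrail":
        return sorted(_walk_for_arns((event.get("detail") or {}).get("responseElements")))
    return []

# Constructed sample events; the CloudFormation one mirrors the answer's JSON above.
CFN_EVENT = {
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/demo/11111111-2222-3333-4444-555555555555",
    "RequestType": "Create", "ResourceType": "Custom::TestResource",
}
CLOUDTRAIL_EVENT = {
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.iam", "resources": [],
    "detail": {"eventName": "CreateRole",
               "responseElements": {"role": {"roleName": "demo-role",
                                             "arn": "arn:aws:iam::123456789012:role/demo-role"}}},
}
```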
I am using a CloudWatch scheduled event to trigger my Lambda function after a specific time interval. I would like to use a CloudFormation template to add this rule in CloudWatch. I have gone through the CloudFormation templates documentation but I am not able to find a way to configure events using a CloudFormation template. Can anyone please suggest how to implement it using a CloudFormation template?
I am using the below template.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Provision environment specific",
  "Resources": {
    "lambdaScheduler": {
      "Type": "AWS::CloudWatch::Event",
      "Properties": {
        "detail-type": "Scheduled Event",
        "source": "aws.events",
        "name": "TEST_EVENT_10_MINS_RULE",
        "schedule-expression": "rate(5 minutes)"
      }
    }
  }
}
I am getting the error message "A client error (ValidationError) occurred when calling the ValidateTemplate operation: Template format error: Unrecognized resource type: AWS::CloudWatch::Event" when I validate it using the AWS CLI.
Adding CloudWatch Events rules and schedules is now available; see https://aws.amazon.com/about-aws/whats-new/2016/04/amazon-cloudwatch-events-now-supported-in-aws-cloudformation-templates/
I am pretty sure the CloudWatch Event is yet to be exposed via the CloudFormation API. There is normally some lag between new features in AWS and them being implemented/exposed by the CloudFormation team.
Here is the list of resources currently available via CloudFormation: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
As one can see, there is only one resource in the CloudWatch namespace.
Have you tried laying out your design in the CloudFormation Designer? It only creates stub code for each element, but it validates the overall design. You then have to transfer the outline code to an editor to do the real work, but it should avoid the error you quoted.