Why does Lambda need permissions to complete lifecycle hooks? - amazon-web-services

From the AWS tutorial page on configuring a lifecycle hook:
Before you create a Lambda function, you must first create an execution role and a permissions policy to allow Lambda to complete lifecycle hooks.
What is risky or special about completing lifecycle hooks that permissions are needed?
I can't see what is qualitatively different from anything else we configure in EC2. Everything is risky, but we don't need to set roles and permissions.

"completing lifecycle hooks" is actually an API call that your lambda should execute against your ASG:
complete_lifecycle_action - Completes the lifecycle action for the specified token or instance with the specified result.
So your lambda execution role must have permissions to perform such an action. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "autoscaling:CompleteLifecycleAction",
"Resource": "*"
}
]
}
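Added example, not code from the answer above or from the AWS tutorial it quotes: a handler that makes the complete_lifecycle_action call the policy above permits. It assumes the function is invoked by an EventBridge rule for the "EC2 Instance-terminate Lifecycle Action" event (detail fields LifecycleHookName, LifecycleActionToken, AutoScalingGroupName and EC2InstanceId), that do_work() is a hypothetical stand-in for whatever the hook really does, and that the Auto Scaling client can be injected so the logic runs offline; the sample event, token and ids are constructed.

```python
"""Lambda handler completing an Auto Scaling lifecycle action (added example).

The only privileged call is client.complete_lifecycle_action, which is why
the execution role needs autoscaling:CompleteLifecycleAction. Everything
else here is plumbing around that call and its failure modes.
"""

SAMPLE_EVENT = {  # constructed sample, shaped like the EventBridge event
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {
        "LifecycleActionToken": "11111111-2222-3333-4444-555555555555",
        "AutoScalingGroupName": "my-asg",
        "LifecycleHookName": "my-terminate-hook",
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
    },
}


class RecordingAutoScalingClient:
    """Stand-in for boto3.client("autoscaling") that records calls instead
    of making them. fail_with simulates an API error such as AccessDenied,
    which is what you get when the role lacks CompleteLifecycleAction."""

    def __init__(self, fail_with=None):
        self.calls = []
        self.fail_with = fail_with

    def complete_lifecycle_action(self, **params):
        self.calls.append(params)
        if self.fail_with is not None:
            raise self.fail_with
        return {}


def do_work(instance_id):
    """Hypothetical hook body (drain connections, copy logs off the box...).
    Returns True when the instance is safe to let go. Here it only checks
    that the id looks like an instance id."""
    return instance_id.startswith("i-")


def lambda_handler(event, context, client=None):
    if client is None:                       # real invocation inside Lambda
        import boto3                         # assumed available at runtime
        client = boto3.client("autoscaling")
    detail = event["detail"]
    try:
        ok = do_work(detail["EC2InstanceId"])
    except Exception:                        # a failing hook body must still
        ok = False                           # complete the action, or the
    # instance sits in Terminating:Wait until the heartbeat timeout expires.
    # For a terminate hook CONTINUE and ABANDON both let termination proceed;
    # for a launch hook ABANDON terminates the instance.
    params = {
        "LifecycleHookName": detail["LifecycleHookName"],
        "AutoScalingGroupName": detail["AutoScalingGroupName"],
        "LifecycleActionToken": detail["LifecycleActionToken"],
        "InstanceId": detail["EC2InstanceId"],
        "LifecycleActionResult": "CONTINUE" if ok else "ABANDON",
    }
    try:
        client.complete_lifecycle_action(**params)
    except Exception as exc:
        # Typical causes: AccessDenied (role lacks the permission) or a
        # ValidationError because the token already expired. Report it and
        # return rather than raise: EventBridge would only retry a call whose
        # token is not going to become valid again.
        print("complete_lifecycle_action failed: %r" % exc)
        return {"completed": False, "result": params["LifecycleActionResult"],
                "error": repr(exc)}
    return {"completed": True, "result": params["LifecycleActionResult"],
            "error": None}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, client=RecordingAutoScalingClient()))
```

Scope the Resource in the role policy to the ASG's ARN rather than "*" once it works; the permission is the same one the handler exercises, so a denied call shows up as the AccessDenied path above.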

Related

AWS CloudWatch - Log group does not exist

I'm getting this error message when trying to see the log file in AWS CloudWatch for my AWS Lambda function.
An error occurred while describing log streams.
The specified log group does not exist.
Log group does not exist
The specific log group: /aws/lambda/xxxxx does not exist in this account or region.
By the way, I'm using the Singapore region.
Make sure that your Lambda function's execution role has sufficient permissions to write logs to CloudWatch, and that the log group resource in the IAM policy includes your function's name.
In the IAM console, review and edit the IAM policy for the execution role to make sure that:
The write actions CreateLogGroup and CreateLogStream are allowed. You should attach these policies to the IAM role of the Lambda function.
Note: If you don't need custom permissions for your function, you can attach the managed policy AWSLambdaBasicExecutionRole, which allows Lambda to write logs to CloudWatch.
The AWS Region specified in the Amazon Resource Name (ARN) is the same as your Lambda function's Region.
The log-group resource includes your Lambda function name. For example, if your function is named myLambdaFunction, the log-group is /aws/lambda/myLambdaFunction.
Here is an example of the permissions in JSON format:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:region:accountId:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:region:accountId:log-group:/aws/lambda/functionName:*"
]
}
]
}

Does S3 trigger need permission to call getObject?

I have a lambda function that is set up as a trigger on an S3 bucket and it gets called correctly but the lambda function fails when calling S3.getObject.
Do I need to separately set permissions for the lambda function in order to allow it to call getObject on the bucket that triggered the event?
UPDATE:
There seems to be a bug with AWS Amplify that means the S3Trigger bucket permissions get replaced by any API permissions you add. They both create a policy using the same name and it seems whichever gets created last ends up replacing the previous one.
I worked around this by renaming the S3 trigger policy.
Yes, you need to give the Lambda execution role access to your Amazon S3 bucket.
You can use a policy similar to this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"
]
}
]
}
See https://aws.amazon.com/premiumsupport/knowledge-center/lambda-execution-role-s3-bucket/

Your function's execution role doesn't have permission to send result to the destination

I want to send a message from a Lambda function to SNS. When I try to add the destination "SNS", this error comes up. What IAM policies am I missing? I have added the AWSLambdaFullAccess and AmazonSNSFullAccess IAM policies.
The issue is not the lambda execution policy, but that you (your IAM user) do not have permission to perform iam:AttachRolePolicy.
The reason is that the lambda will add the following service-role policy to your function execution role, regardless of the fact that you already have AmazonSNSFullAccess there:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:region:xxxx:testTopic"
}
]
}
You have to add the missing permissions to the IAM user you use when logging in to the console.

Lambda service throws error execution role does not have permissions to call receiveMessage on SQS

I have a SQS queue and I want to trigger a lambda function when a message arrives in the queue. I have written the lambda function and that works successfully when I click the "Test" button. When I go to SQS and try to configure it as a lambda trigger I see the error message below.
I have created the SQS queue and lambda function using the same user and role and the lambda function has execute permissions against the same role.
I have also added the SQS receiveMessage permission, but it doesn't seem to make a difference, unless I'm doing something wrong when I set it.
What could be causing the problem?
Thanks for any help
Hi, as far as I can understand, your lambda needs the following permission on it: aws docs
Hope it's not in a VPC.
Or maybe give it god mode on sqs:* just for testing.
If that works, maybe later on you can go for specific methods only. Attached is a policy for a lambda role; you might have to change account_number to your account number if you need to invoke another lambda from this lambda:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-2:account_number:function:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": "*"
}
]
}
Although a solution for this may have been achieved by now, since this thread was suggested to me at the top, I will post the answer for other users:
I faced the same issue even after giving SQS full access to the user. The problem is with the lambda execution role. When a lambda is created, it needs to be assigned a lambda execution role. Most users assign the auto-generated execution role while creating the lambda. That execution role does not have permissions for SQS.
So open lambda >> Click Permissions tab >> edit execution role at the top >> assign SQS permissions >> boom.
[edit]This is now under Configuration >> Permissions
You need the following permissions attached to the role your lambda assumes:
sqs:ReceiveMessage
sqs:DeleteMessage
sqs:GetQueueAttributes
In case you are using Terraform:
data "aws_iam_policy_document" "YOUR_DOCUMENT" {
  statement {
    sid = "some_id"
    actions = [
      "sqs:ReceiveMessage",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes"
    ]
    resources = [
      aws_sqs_queue.YOUR_QUEUE.arn
    ]
  }
}

resource "aws_iam_policy" "YOUR_POLICY" {
  name   = "your_policy"
  policy = data.aws_iam_policy_document.YOUR_DOCUMENT.json
}

resource "aws_iam_role_policy_attachment" "POLICY_ATTACHMENT" {
  role       = aws_iam_role.YOUR_LAMBDA_ROLE.name
  policy_arn = aws_iam_policy.YOUR_POLICY.arn
}

resource "aws_lambda_function" "YOUR_LAMBDA" {
  ....
  role = aws_iam_role.YOUR_LAMBDA_ROLE.arn
  ....
}
I experienced a similar issue when trying to add an SQS trigger to my Lambda function.
An error occurred when creating the trigger: The provided execution role does not have permissions to call ReceiveMessage on SQS
The way I solved it was to simply add permissions to call ReceiveMessage on SQS in the execution role of the Lambda function.
To do this simply:
Go to IAM in the AWS Console
Click on roles
Select your Lambda function execution role or create one if you don't already have
Add the AWS managed AWSLambdaSQSQueueExecutionRole policy to the role. The policy contains all the necessary permissions to call the necessary actions on SQS from Lambda. The ARN of the policy is arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole.
Save the role, and then try again to add the trigger. This time it will work fine.

AWS security group rules deployment (lambda->SQS)

On AWS we've implemented functionality that AWS lambda pushes message to AWS queue;
However, during this implementation I had to manually grant permissions to the AWS lambda to add a message to a particular queue. And this approach with manual clicks is not so good for prod deployment.
Any suggestions on how to automate the process of adding permissions between AWS services (mainly lambda and SQS) and create a "good" deployment package for the prod env?
Each Lambda function has an attached role, which you can specify permissions for in the IAM dashboard. If you give the Lambda functions' role the permission to push to an SQS queue, you're good to go. For example, attach this JSON as a custom role (see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html):
{
"Version": "2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement":
{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
}
}
You can use asterisks to give permission to multiple queues, like:
"Resource": "arn:aws:sqs:us-east-1:444455556666:production-*"
To give sendMessage permission to all queues that start with production-.
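Added example, not code from any answer on this page: a small evaluator for IAM identity policies that checks whether a role's policy grants the action/resource pairs a function (or the Lambda service acting for it) needs. It serves the CloudWatch Logs answer above (region and function name in the log-group ARN), the SQS trigger answers (ReceiveMessage, DeleteMessage and GetQueueAttributes on the queue ARN) and this last answer (SendMessage on production-* queues, and the fact that a document carrying a Principal is a queue policy rather than something you attach to a role). Account ids, queue names and the log-stream name are constructed; the evaluator implements only Allow/Deny, explicit-deny precedence and the * and ? wildcards, not Condition, NotAction, permission boundaries or SCPs.

```python
import re

# Minimal IAM identity-policy evaluation (added example, not AWS code).
# Covered: Allow/Deny, explicit Deny beats Allow, case-insensitive Action
# matching, '*' and '?' wildcards in Action and Resource. Not covered:
# Condition, NotAction/NotResource, permission boundaries, SCPs, and
# resource-based policies (queue policies, bucket policies).


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_identity_policy(policy):
    """Structural mistakes that make a document useless as a role policy."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for st in _as_list(policy.get("Statement")):
        sid = st.get("Sid")
        if "Principal" in st or "NotPrincipal" in st:
            problems.append("statement %r has a Principal: that is a resource-based "
                            "(e.g. SQS queue) policy, not one you attach to a role" % sid)
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append("statement %r has no valid Effect" % sid)
        for r in _as_list(st.get("Resource")):
            if r != r.strip():
                problems.append("resource %r has surrounding whitespace and will never match" % r)
    return problems


def is_allowed(policy, action, resource):
    """True if the identity policy lets its principal perform action on resource."""
    allowed = False
    for st in _as_list(policy.get("Statement")):
        if not any(_glob(a, action, True) for a in _as_list(st.get("Action"))):
            continue
        if not any(_glob(r, resource) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return False                      # an explicit Deny wins outright
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, needs):
    """The (action, resource) pairs in needs that the policy does not grant."""
    return [(a, r) for a, r in needs if not is_allowed(policy, a, r)]


# ---- what the integrations on this page actually need -----------------------

def lambda_logging_needs(region, account, function_name):
    """Calls the Lambda service makes, in the function's own region."""
    group = "arn:aws:logs:%s:%s:log-group:/aws/lambda/%s" % (region, account, function_name)
    stream = group + ":log-stream:2024/01/01/[$LATEST]0123456789abcdef"  # constructed
    return [("logs:CreateLogGroup", group),
            ("logs:CreateLogStream", stream),
            ("logs:PutLogEvents", stream)]


def sqs_event_source_needs(queue_arn):
    """What the Lambda poller needs on the queue for an SQS trigger to work."""
    return [(a, queue_arn) for a in
            ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")]


def lambda_logging_policy(region, account, function_name):
    """The policy from the 'Log group does not exist' answer, parameterised."""
    prefix = "arn:aws:logs:%s:%s" % (region, account)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:CreateLogGroup",
         "Resource": prefix + ":*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [prefix + ":log-group:/aws/lambda/%s:*" % function_name]},
    ]}


QUEUE_ARN = "arn:aws:sqs:eu-west-2:123456789012:orders"   # constructed

# The JSON posted in the last answer. It names a Principal, which makes it an
# SQS queue policy (set on the queue), not a policy you can attach to a role.
QUEUE_POLICY_FROM_LAST_ANSWER = {
    "Version": "2012-10-17", "Id": "Queue1_Policy_UUID",
    "Statement": {"Sid": "Queue1_SendMessage", "Effect": "Allow",
                  "Principal": {"AWS": "111122223333"},
                  "Action": "sqs:SendMessage",
                  "Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"}}

# The role-side equivalent, scoped with the glob the answer suggests.
SEND_TO_PRODUCTION_QUEUES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:444455556666:production-*"}]}
```

Running missing_permissions with lambda_logging_policy("us-east-1", ...) against lambda_logging_needs("ap-southeast-1", ...) reports all three logs actions as missing, which is the Singapore-region failure in the CloudWatch question above; lint_identity_policy on QUEUE_POLICY_FROM_LAST_ANSWER flags the Principal, and the same lint catches a Resource ARN with a stray leading space.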