Lambda#Edge: Cannot enable replication for the specified Lambda function - amazon-web-services

I'm trying to use the CLI and Ansible to deploy a CloudFront instance with attached Lambda / Lambda#Edge functions. But I'm running into the following error:
Lambda#Edge cannot enable replication for the specified Lambda function. Update the IAM policy to add permission: lambda:EnableReplication* for resource: arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1 and try again.
The documentation does say that I need lambda:EnableReplication*, but when I try to add the permissions to the lambda function via this command:
aws lambda add-permission --function-name FUNCTIONNAME:1 --action "lambda:EnableReplication*" --statement-id something --principal "*" --output text
I get the following error:
An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'lambda:EnableReplication*' at 'action' failed to satisfy constraint: Member must satisfy regular expression pattern: (lambda:[*]|lambda:[a-zA-Z]+|[*])
How am I supposed to add these permissions so that this can be successful? What am I doing wrong here?

Hi, I ran into the same issue, and it took me some time to figure out. I started trying as you did with aws lambda add-permission (role based policy). But the permissions you need to add, like lambda:EnableReplication*, should not be added to the resource-based policy but should be added to the execution role (if you're running from a Lambda, like in my case) or to the user if you're using the CLI (which I think is your case).
Hope this helps! :)

The error that comes back from AWS is not quite correct. Here is a working example.
aws lambda add-permission \
--function-name "name-of-your-function" \
--action "lambda:EnableReplication" \
--statement-id "lambda_enable_replication" \
--principal "*" \
--output text
You can also accomplish this with CloudFormation.
EdgeAuthEnableReplicationPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:EnableReplication"
    FunctionName: !Ref FunctionResource
    Principal: "*"

The error message is incorrect. As per the documentation, you need to add the lambda:EnableReplication* permission to:
arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME
rather than to:
arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1
Notice that the replication permission should go on the function itself rather than on a particular version of the function.

Related

Error thrown by AWS CLI to give permission to IoTAnalytics_Pipeline to invoke my Lambda Function

I am trying to get permission for my IoT Analytics Pipeline to invoke my Lambda function but I am unable to. It is giving me the error that the user is not authorized to perform lambda:AddPermission on the resource. What is it? And how can I fix it? I am putting the command instruction in the AWS CLI which is given in the user guide.
And second, is there any other way (especially through IAM) other than the AWS CLI to get permission for my pipeline to invoke my Lambda functions?
I used this instruction in AWS CLI:
aws lambda add-permission --function-name myLambda1 --action lambda:InvokeFunction --statement-id iotanalytics --principal iotanalytics.amazonaws.com --source-account 123456789012 --source-arn arn:aws:iotanalytics:us-east-1:123456789012:pipeline/analytics_lambda1_pipeline
Make the user an admin on AWS; that should resolve this issue.

How can I increase the policy limits when I stream multiple cloudwatch log group to one lambda?

I have set up a lambda function to be triggered by many CloudWatch log groups. In order to do that, I added the invoke-function permission for each log group with aws lambda add-permission and added a subscription with the lambda as destination using aws logs put-subscription-filter. There are hundreds of log groups I need to stream to one lambda, which makes the lambda trigger policy very big.
There are two commands in this flow, aws lambda add-permission and aws logs put-subscription-filter. I need to run these two commands for each log group. I added 46 CloudWatch log groups as triggers for the lambda, but when adding the 47th I got an error.
The error I got was from this command:
aws lambda add-permission --function-name $AGGREGATOR_NAME \
--statement-id add-permission-$lambdaName --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com \
--source-arn $logArn
An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20623) is bigger than the limit (20480).
arn:aws:logs:ap-southeast-2:***
Is there a way to get around that?
Is this the right way to stream hundreds of log groups to one lambda?
I have tried to use a wildcard in the command but got a validation error.
aws lambda add-permission --function-name $AGGREGATOR_NAME --statement-id $ID --action lambda:InvokeFunction --principal logs.ap-southeast-2.amazonaws.com --source-arn "arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*"
An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*' at 'sourceArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*)
A way to get around this is to utilize a wildcard in --source-arn. By doing this, you don't need one lambda resource-based policy for each CloudWatch log group. Of course, the simplest way is to allow all log groups to execute lambda:InvokeFunction. In this case, you just need
aws lambda add-permission --function-name $AGGREGATOR_NAME \
--statement-id add-permission-$lambdaName --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com
Notice that the --source-arn is removed.
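The two ValidationException messages on this page (the --action pattern from the Lambda#Edge question and the --source-arn pattern from the CloudWatch question) quote the exact regular expressions AWS checks before AddPermission does anything. The following added example (not code from any poster) turns those two patterns, plus the version-stripping rule from the Lambda#Edge explanation, into an offline pre-flight check; it shows why `arn:aws:logs:*:*:...` is rejected while a wildcard only in the log-group name, with a concrete region and account, passes the syntactic check and keeps the grant scoped to one account instead of dropping --source-arn entirely. Whether Lambda then honours the wildcard at invocation time is outside what the page shows; the sample ARNs and account number are constructed.

```python
import re

# Regular expressions quoted verbatim in the two ValidationException messages above.
ACTION_RE = re.compile(r"(lambda:[*]|lambda:[a-zA-Z]+|[*])")
SOURCE_ARN_RE = re.compile(
    r"arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+"
    r":([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*)"
)


def valid_action(action: str) -> bool:
    """True if the --action value passes the AddPermission constraint.

    Only 'lambda:*', 'lambda:<Letters>' or '*' are allowed, so a trailing
    wildcard such as 'lambda:EnableReplication*' is rejected.
    """
    return ACTION_RE.fullmatch(action) is not None


def valid_source_arn(arn: str) -> bool:
    """True if the --source-arn value passes the AddPermission constraint.

    Region and account may be empty, but not '*': the region group only
    accepts a real region name and the account group only twelve digits.
    A wildcard in the resource part (after the account) is accepted.
    """
    return SOURCE_ARN_RE.fullmatch(arn) is not None


def unqualified_function_arn(arn: str) -> str:
    """Strip a trailing version/alias qualifier (':1', ':prod') from a function ARN.

    The replication permission belongs on ...:function:NAME, not ...:function:NAME:1.
    """
    parts = arn.split(":")
    if len(parts) == 8 and parts[5] == "function":
        return ":".join(parts[:7])
    return arn


if __name__ == "__main__":
    # Constructed sample values; the account number is a placeholder.
    print(valid_action("lambda:EnableReplication*"))  # False: trailing '*' rejected
    print(valid_action("lambda:EnableReplication"))   # True
    print(valid_source_arn("arn:aws:logs:*:*:log-group:/aws/lambda/hello*:*"))  # False
    print(valid_source_arn(
        "arn:aws:logs:ap-southeast-2:123456789012:log-group:/aws/lambda/hello*:*"))  # True
    print(unqualified_function_arn(
        "arn:aws:lambda:us-east-1:123456789012:function:FUNCTIONNAME:1"))
```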

Workmail Lambda Permissions denied

I am trying to understand why I cannot call my lambda from AWS Workmail. I obviously have not setup the correct permissions. I am struggling to understand where I am falling short.
One or more inputs was invalid: Cannot call lambda arn:aws:lambda:us-east-1:006640600424:function:toi-ordering-script due to permission denied. Check that WorkMail is authorized to call your function and that the function exists.
I think you haven't given permissions to Workmail to invoke your function, or they are given incorrectly.
You can add such permissions using AWS CLI's add-permission. For example:
aws lambda add-permission \
--function-name toi-ordering-script \
--action lambda:InvokeFunction \
--statement-id workmail \
--principal workmail.us-east-1.amazonaws.com
You may need to modify it to your specific settings.

Cognito User Pool - Post confirmation trigger, access denied exception

I am creating a Cognito user pool using the Go SDK; I am using the API CreateUserPoolInput.
I have a post confirmation trigger, for this lambda function.
So when the user confirmation happens, this lambda function is expected to trigger.
But I am getting an error - Access denied.
When I login to AWS console and re-configure this lambda function for this trigger, it works.
Reference -
https://forums.aws.amazon.com/thread.jspa?messageID=748566
I want to provide the invoke permission using the AWS APIs.
Is there any API or code example, which I can refer to provide the required access?
I am not familiar with Go, but from an AWS API perspective, what happens when you use the AWS console to add a trigger to a lambda function is that you effectively add permission for another service to invoke your function. The AWS graphical console calls the underlying API behind the scenes to make it easy to use.
If you are creating or configuring a Lambda function using the AWS CLI or an SDK, you need to make an explicit call to the add-permission API.
Here is the doc for the AWS CLI. It is a nice way to practice and discover before starting to write your code: https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html
Here is the doc for the Go SDK equivalent: https://docs.aws.amazon.com/sdk-for-go/api/service/lambda/#Lambda.AddPermission
And here are two examples in bash shell (one to authorize API Gateway and one to authorize Amazon S3 to trigger a function, but I am sure you can adapt this easily to your use case):
aws lambda add-permission \
--region $REGION \
--function-name $FUNCTION_NAME \
--statement-id 1 \
--principal apigateway.amazonaws.com \
--action lambda:InvokeFunction \
--source-arn arn:aws:execute-api:$REGION:$ACCOUNT_ID:* >/dev/null
#
# Add permission to authorize S3 bucket to invoke Lambda
#
AWS_ACCOUNT_ID=$(echo $ROLE_EXEC_ARN | sed 's/^arn:aws:iam::\(.*\):.*$/\1/')
aws lambda add-permission --function-name $FUNCTIONNAME --region $REGION --profile $PROFILE --statement-id Id-x --action "lambda:InvokeFunction" --principal s3.amazonaws.com --source-arn arn:aws:s3:::$BUCKETNAME --source-account $AWS_ACCOUNT_ID
I was able to solve this issue using the AddPermission API call.
Here is the code snippet.
package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/lambda"
)

// addCognitoInvokePermission adds a resource-based policy statement that lets the
// given Cognito user pool (and only that pool) invoke the function. AWS SDK for Go v1.
func addCognitoInvokePermission(lambdaSessionClient *lambda.Lambda, lambdaFunctionName, userPoolArn string) (string, error) {
	addPermissionInput := &lambda.AddPermissionInput{
		Action:       aws.String("lambda:InvokeFunction"),
		FunctionName: aws.String(lambdaFunctionName),
		Principal:    aws.String("cognito-idp.amazonaws.com"),
		SourceArn:    aws.String(userPoolArn), // scope the grant to this user pool, not any Cognito caller
		StatementId:  aws.String("cognitoaddpermission"),
	}
	resultAddPermission, errAddPermission := lambdaSessionClient.AddPermission(addPermissionInput)
	if errAddPermission != nil {
		return "", errAddPermission
	}
	return aws.StringValue(resultAddPermission.Statement), nil
}

How to attach policy to a role while creating an AWS lambda function in nodejs in AWS CLI? Facing error while attaching role

I am creating a nodejs application and deploying it as a lambda function on AWS. I am following the link:
http://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example-create-iam-role.html
I am now stuck at step 2.2-2.3. Step 2.2 has the json with the policy that needs to be attached to the role. When I use the below command (step 2.3) to create the lambda function:
aws lambda create-function --region us-east-1 --function-name LambdaFunctionOverHttps --zip-file fileb://LambdaFunctionOverHttps.zip --role execution-role-arn --handler LambdaFunctionOverHttps.handler --runtime nodejs4.3
Then I get the below error:-
An error occurred (ValidationException) when calling the CreateFunction operation: 1 validation error detected: Value 'execution-role-arn' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.#-_/]+
I even created the file "execution-role-arn" which had the json from Step 2.2. How can I resolve this error and create the lambda function?
I faced the same error; turns out you have to specify the Role ARN, not the Role name. So instead of --role roleName, put --role arn:aws:iam::1234567891:role/service-role/roleName. You can find your role ARN by clicking on the role name in the Roles tab, and then at the top you'll find the role ARN.
AWS really needs to fix their documentation for almost all of their services.
Update: The role needs to be replaced with the actual arn role name for the lambda function instead of a separate file. This can be found on the role you just created in step 2.2. So, the proper way to do this is as follows:
aws lambda create-function \
--region us-east-1 \
--function-name LambdaFunctionOverHttps \
--zip-file fileb://LambdaFunctionOverHttps.zip \
--role arn:aws:iam::9999999999999:role/lambda-gateway-execution-role \
--handler LambdaFunctionOverHttps.handler \
--runtime nodejs4.3
This worked out fine and the lambda function got created. Note that I had pointed the default profile to admin with the aws config command.