Cognito User Pool - Post confirmation trigger, access denied exception - amazon-web-services

I am creating a Cognito user pool using the Go SDK, using the API CreateUserPoolInput.
I have a post confirmation trigger for this Lambda function.
So when the user confirmation happens, this Lambda function is expected to trigger.
But I am getting an error - Access denied.
When I log in to the AWS console and re-configure this Lambda function for this trigger, it works.
Reference -
https://forums.aws.amazon.com/thread.jspa?messageID=748566
I want to provide the invoke permission using the AWS APIs.
Is there any API or code example, which I can refer to provide the required access?

I am not familiar with Go, but from an AWS API perspective, what happens when you use the AWS console to add a trigger to a Lambda function is that you effectively add permission for another service to invoke your function. The AWS graphical console calls the underlying API behind the scenes to make it easy to use.
If you are creating or configuring a Lambda function using the AWS CLI or an SDK, you need to make an explicit call to the add-permission API.
Here is the doc for the AWS CLI. It is a nice way to practice and discover before you start to write your code: https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html
Here is the doc for the Go SDK equivalent: https://docs.aws.amazon.com/sdk-for-go/api/service/lambda/#Lambda.AddPermission
And here are two examples in bash shell (one to authorize API Gateway and one to authorize Amazon S3 to trigger a function, but I am sure you can adapt this easily to your use case).
aws lambda add-permission \
    --region $REGION \
    --function-name $FUNCTION_NAME \
    --statement-id 1 \
    --principal apigateway.amazonaws.com \
    --action lambda:InvokeFunction \
    --source-arn arn:aws:execute-api:$REGION:$ACCOUNT_ID:* >/dev/null
#
# Add permission to authorize S3 bucket to invoke Lambda
#
AWS_ACCOUNT_ID=$(echo $ROLE_EXEC_ARN | sed 's/^arn:aws:iam::\(.*\):.*$/\1/')
aws lambda add-permission \
    --function-name $FUNCTIONNAME \
    --region $REGION \
    --profile $PROFILE \
    --statement-id Id-x \
    --action "lambda:InvokeFunction" \
    --principal s3.amazonaws.com \
    --source-arn arn:aws:s3:::$BUCKETNAME \
    --source-account $AWS_ACCOUNT_ID

I was able to solve this issue using the AddPermission API call.
Here is the code snippet.
import (
    "log"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/service/lambda"
)

// lambdaFunctionName, userPoolArn and lambdaSessionClient (*lambda.Lambda) are set up earlier
actionString := "lambda:InvokeFunction"
principalString := "cognito-idp.amazonaws.com"
sourceArn := userPoolArn // scopes the grant to this user pool only
statementIdString := "cognitoaddpermission"
addPermissionInput := &lambda.AddPermissionInput{
    Action:       aws.String(actionString),
    FunctionName: aws.String(lambdaFunctionName),
    Principal:    aws.String(principalString),
    SourceArn:    aws.String(sourceArn),
    StatementId:  aws.String(statementIdString),
}
resultAddPermission, errAddPermission := lambdaSessionClient.AddPermission(addPermissionInput)
if errAddPermission != nil {
    log.Fatal(errAddPermission)
}
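As an added example (not code from the question, the answer, or the AWS SDK), the following stdlib-only Go model shows what the AddPermission call above actually does: it appends a statement to the function's resource-based policy, with the Principal as a Service block and SourceArn as an ArnLike condition. The action check uses the pattern Lambda reports in its ValidationException (quoted later on this page); the rule that a service principal must be scoped by SourceArn is an assumption made here for least privilege, not an API rule.

```go
package main

import "fmt"
import "regexp"

// Pattern Lambda enforces on AddPermission's Action (the ValidationException quoted on this page).
var actionPattern = regexp.MustCompile(`^(lambda:[*]|lambda:[a-zA-Z]+|[*])$`)

// PermissionRequest mirrors the AddPermission parameters used in the answer above.
type PermissionRequest struct {
	FunctionArn, StatementID, Action string
	Principal                        string // service principal, e.g. cognito-idp.amazonaws.com, or "*"
	SourceArn                        string // resource allowed to invoke, e.g. the user pool ARN
}

// Statement is one entry of the function's resource-based policy, as get-policy returns it.
type Statement struct {
	Sid       string                       `json:"Sid"`
	Effect    string                       `json:"Effect"`
	Principal map[string]string            `json:"Principal"`
	Action    string                       `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

// Validate applies the API's action check plus a least-privilege rule assumed for this
// example: a service principal must be scoped by SourceArn, otherwise the same service
// acting for any other AWS account could invoke the function (confused deputy).
func (r PermissionRequest) Validate() error {
	if !actionPattern.MatchString(r.Action) {
		return fmt.Errorf("action %q must match %s", r.Action, actionPattern)
	}
	if r.Principal != "*" && r.SourceArn == "" {
		return fmt.Errorf("principal %s is unscoped: set SourceArn", r.Principal)
	}
	return nil
}

// Statement builds the policy statement that AddPermission appends to the function.
func (r PermissionRequest) Statement() (Statement, error) {
	if err := r.Validate(); err != nil {
		return Statement{}, err
	}
	s := Statement{Sid: r.StatementID, Effect: "Allow", Action: r.Action, Resource: r.FunctionArn,
		Principal: map[string]string{"Service": r.Principal}, Condition: map[string]map[string]string{}}
	if r.Principal == "*" {
		s.Principal = map[string]string{"AWS": "*"}
	}
	if r.SourceArn != "" {
		s.Condition["ArnLike"] = map[string]string{"AWS:SourceArn": r.SourceArn}
	}
	return s, nil
}
```

After the real call succeeds, `aws lambda get-policy --function-name <name>` returns the same statement shape, which is the quickest way to confirm the grant is scoped to one user pool.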

Related

Error thrown by AWS CLI to give permission to IoTAnalytics_Pipeline to invoke my Lambda Function

I am trying to get permission for my IoT Analytics Pipeline to invoke my Lambda Function but I am unable to. It is giving me the error that User is not authorized to perform lambda:AddPermission on Resource. What is it? And how can I fix it? I am putting the command instruction in AWS CLI which is given in the User guide.
And second, is there any other way (especially through IAM) other than AWS CLI to get permission for my Pipeline to invoke my Lambda functions?
I used this instruction in AWS CLI:
aws lambda add-permission \
    --function-name myLambda1 \
    --action lambda:InvokeFunction \
    --statement-id iotanalytics \
    --principal iotanalytics.amazonaws.com \
    --source-account 123456789012 \
    --source-arn arn:aws:iotanalytics:us-east-1:123456789012:pipeline/analytics_lambda1_pipeline
Make the user admin on AWS; that should resolve this issue.

Workmail Lambda Permissions denied

I am trying to understand why I cannot call my Lambda from AWS WorkMail. I obviously have not set up the correct permissions. I am struggling to understand where I am falling short.
One or more inputs was invalid: Cannot call lambda arn:aws:lambda:us-east-1:006640600424:function:toi-ordering-script due to permission denied. Check that WorkMail is authorized to call your function and that the function exists.
I think you haven't given permissions to WorkMail to invoke your function, or they are given incorrectly.
You can add such permissions using AWS CLI's add-permission. For example:
aws lambda add-permission \
    --function-name toi-ordering-script \
    --action lambda:InvokeFunction \
    --statement-id workmail \
    --principal workmail.us-east-1.amazonaws.com
You may need to modify it to your specific settings.

Lambda#Edge: Cannot enable replication for the specified Lambda function

I'm trying to use the CLI and Ansible to deploy a CloudFront instance with attached Lambda / Lambda@Edge functions. But I'm running into the following error:
Lambda@Edge cannot enable replication for the specified Lambda function. Update the IAM policy to add permission: lambda:EnableReplication* for resource: arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1 and try again.
The documentation does say that I need lambda:EnableReplication*, but when I try to add the permissions to the Lambda function via this command:
aws lambda add-permission \
    --function-name FUNCTIONNAME:1 \
    --action "lambda:EnableReplication*" \
    --statement-id something \
    --principal "*" \
    --output text
I get the following error:
An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'lambda:EnableReplication*' at 'action' failed to satisfy constraint: Member must satisfy regular expression pattern: (lambda:[*]|lambda:[a-zA-Z]+|[*])
How am I supposed to add these permissions so that this can be successful? What am I doing wrong here?
Hi, I ran into the same issue, and it took me some time to figure out. I started trying as you did with aws lambda add-permission (resource-based policy). But the permissions you need to add, like lambda:EnableReplication*, should not be added to the resource-based policy but should be added to the execution role (if you're running from a Lambda like in my case) or to the user if you're using the CLI (like I think is your case).
Hope this helps! :)
The error that comes back from AWS is not quite correct. Here is a working example.
aws lambda add-permission \
    --function-name "name-of-your-function" \
    --action "lambda:EnableReplication" \
    --statement-id "lambda_enable_replication" \
    --principal "*" \
    --output text
You can also accomplish this with CloudFormation.
EdgeAuthEnableReplicationPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:EnableReplication"
    FunctionName: !Ref FunctionResource
    Principal: "*"
The error message is incorrect. As per the documentation, you need to add the lambda:EnableReplication* permission to:
arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME
rather than to:
arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1
Notice that the replication permission should go on the function itself rather than on a particular version of the function.

AWS transform data going into IoT Analytics pipeline with a Lambda function permission error

I have a rule in IoT Core that sends messages to an IoT Analytics channel, and that data is then passed to an Analytics pipeline. In the pipeline, however, I want to make use of a pipeline activity to transform the message, specifically the:
Transform message with Lambda function activity.
My Lambda function returns a value that it retrieves from DynamoDB. I have tested the Lambda in AWS Lambda and it executes and works as it should; however, once I click update preview, which should now show me the transformed message, I get the following error:
We could not run the pipeline activity. ERROR : Unable to execute Lambda function due to insufficient permissions; dropping the messages, number of messages dropped : 1, functionArn : arn:aws:lambda:eu-west-1:x:function:y
The IAM role associated with the Lambda y function has the following permissions:
AmazonDynamoDBFullAccess
AWSIoTAnalyticsFullAccess
AWSIoTFullAccess
Is there a policy perhaps that I do not have in my IAM role for the Lambda that is preventing it from doing what I need it to?
Seems like you didn't provide permission to your Lambda function; make sure you have granted IoT Analytics permission to invoke your Lambda function.
Example AWS CLI commands:
1)
aws lambda add-permission \
    --function-name filter_to_cloudwatch \
    --statement-id filter_to_cloudwatch_perms \
    --principal iotanalytics.amazonaws.com \
    --action lambda:InvokeFunction
2)
aws lambda add-permission \
    --function-name LambdaForWeatherCorp \
    --region us-east-1 \
    --principal iot.amazonaws.com \
    --source-arn arn:aws:iot:us-east-1:123456789012:rule/WeatherCorpRule \
    --source-account 123456789012 \
    --statement-id "unique_id" \
    --action "lambda:InvokeFunction"

How to allow access for AWS API Gateway to invoke all AWS Lambda functions in any path

I'm preparing a new AWS API Gateway under a few environments - production, staging, testing, development.
Let's say I have two Lambda functions connected to GET /first and GET /second. Those resources point to the Lambda first:${stageVariables.Qualifier} (this variable has the proper environment value depending on the stage).
Now I have to add permissions for API Gateway to invoke both functions. AWS says:
You defined your Lambda function as a stage variable. Please ensure that you have the appropriate Function Policy on all functions you will use. You can do this by running the below AWS CLI command for each function, replacing the stage variable in the function-name parameter with the necessary function name.
aws lambda add-permission \
    --function-name arn:aws:lambda:region:000...:function:first:${stageVariables.Qualifier} \
    --source-arn arn:aws:execute-api:region:00000:xxxx/*/GET/first \
    --principal apigateway.amazonaws.com \
    --statement-id 0000-000-0-... \
    --action lambda:InvokeFunction
So it's clear - I have to run the above command 8 times, once for each configuration:
first:development
first:testing
....
second:production
Is it possible somehow to add a general permission to allow invocation of any function in any qualifier with any path?
I'm aiming for something like this (but it doesn't work):
aws lambda add-permission \
    --function-name arn:aws:lambda:region:000...:function:*:* \
    --source-arn arn:aws:execute-api:region:00000:xxxx/*/*/* \
    --principal apigateway.amazonaws.com \
    --statement-id 0000-000-0-... \
    --action lambda:InvokeFunction