AWS - "AccessDeniedException" calling lambda function from Amazon connect - amazon-web-services

I am new to the AWS API and system in general, and I'm currently working with three parts of AWS:
Connect
Lambda
Lex
I am trying to get Connect to call a Lambda function with a simple parameter, but I am getting this error in CloudWatch:
(screenshot: cloudwatch)
I tried a Google search, but it seems that everyone thinks it is IAM-related, even though I have a role with the right permissions:
(screenshot: lambda role)
and in detail:
(screenshot)
It looks like the trigger is already there.
Does anyone know why I can't invoke my Lambda function? Permissions should be fine, I think...
Thank you

You need to configure a "Trigger Policy" which allows AWS Connect to invoke your AWS Lambda.
You can configure it through the AWS CLI:
aws lambda add-permission --function-name function:my-lambda-function --statement-id 1 \
--principal connect.amazonaws.com --action lambda:InvokeFunction --source-account 123456789012 \
--source-arn arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-06a0be38cccf
This command uses the following input:
The name of the Lambda function (for example, my-lambda-function)
The ARN of an Amazon Connect instance (for example, arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-example). To find the ARN for your instance, open the Amazon Connect console, and then choose the Instance Alias to open the Overview page.
The AWS account ID for the Lambda function (for example, 123456789012)
For more details please check the Documentation: Using AWS Lambda Functions with Amazon Connect

Related

Error thrown by AWS CLI to give permission to IoTAnalytics_Pipeline to invoke my Lambda Function

I am trying to get permission for my IoT Analytics Pipeline to invoke my Lambda Function but I am unable to. It is giving me the error that User is not authorized to perform lambda:AddPermission on Resource. What is it? And how can I fix it? I am putting the command instruction in AWS CLI which is given in the User guide.
And second, is there any other way (especially through IAM) other than AWS CLI to get permission for my Pipeline to invoke my Lambda functions?
I used this instruction in AWS CLI:
aws lambda add-permission --function-name myLambda1 --action lambda:InvokeFunction --statement-id iotanalytics --principal iotanalytics.amazonaws.com --source-account 123456789012 --source-arn arn:aws:iotanalytics:us-east-1:123456789012:pipeline/analytics_lambda1_pipeline
Make the user admin on AWS; that should resolve this issue.

“Lambda function ARN must be in same account” while `aws apigateway put-integration`

I am trying to follow this otherwise excellent post to deploy a Java-based AWS lambda app. I'm scripting it out as instructed in that post. I receive the following error when calling aws apigateway put-integration:
An error occurred (BadRequestException) when calling the PutIntegration operation: Lambda function ARN must be in same account
I'm trying to script the creation of an API gateway to a lambda function. Here's the full deploy.sh script. I have on my local machine the requisite AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_ACCOUNT_ID environment variables.
I don't know enough to understand what that error is telling me. AFAIK, the access secret and id and account ID are all from the same IAM user.
My AWS CLI Script
aws apigateway put-integration --region ap-south-1 --rest-api-id xxttj6inea --resource-id bgncc0 --http-method GET --type AWS --integration-http-method POST --uri arn:aws:apigateway:ap-south-1:lambda:path/2019-09-20/functions/arn:arn:aws:lambda:ap-south-1:***********:function:Hello/invocations
Thank you very much in advance for any ideas/help.
This error can happen because of two reasons:
Your AWS CLI settings are incorrect. I'll implore you to check the AWS CLI configuration file, and run test API calls for the same to verify if everything is set up appropriately.
Your Lambda function belongs in one account, and your REST API in API GW belongs in another account.

Deploying an AWS Lambda from a different account

I have a Lambda .jar that I build from a Jenkins box in an AWS account ("Account_Bld"). Once built, I copy the .jar over to an S3 bucket in a different AWS account ("Account_Dst"), and I attempt to update the Lambda in Account_Dst based on the newly copied .jar in S3.
I'm using this command as part of my deploy script, which is a slight modification of another version that works when everything is located in the same account:
aws lambda update-function-code --function-name arn:aws:lambda:us-east-1:{Account_Dst_Id}:function:{lambda_function_name} --zip-file fileb://{jar_file_relative_path} --region us-east-1
Not surprisingly, I get this error:
An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation: User: arn:aws:sts::{Account_Bld_Id}:assumed-role/{jenkins_ec2_role}/{jenkins_ec2_instance_id} is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-east-1:{Account_Dst_Id}:function:{lambda_function_name}
I have given jenkins_ec2_role rights to update the Lambda in the other account, but it makes sense that I would need to reciprocate those rights somewhere in Account_Dst -- assuming there is a simple solution to this problem.
Now, possible resolutions. I could assume a role in Account_Dst that has the correct rights and update the Lambda, but that's more setup hassle than it is worth to me right now. I've seen some Google suggestions that I could use CodePipeline, but obviously I'm using Jenkins, so that doesn't seem like a good solution, either.
So, the question is, is there an easy solution here that I am missing?
This is now possible. A Lambda resource based policy can be configured to allow a principal from another account to perform actions e.g. lambda:UpdateFunctionCode or lambda:Invoke.
In case of UpdateFunctionCode, the documentation states:
FunctionName
The name of the Lambda function.
Name formats
Function name – my-function.
Function ARN – arn:aws:lambda:us-west-2:123456789012:function:my-function.
Partial ARN – 123456789012:function:my-function.
...
Source: https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionCode.html
The Lambda Function permission in account 222222222222 must be configured to allow the principal from account 111111111111 to update the function code:
aws lambda add-permission --function-name my-function --statement-id xaccount --action lambda:UpdateFunctionCode --principal 111111111111 --output out.txt
Source:
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke
Then the function code in account 222222222222 can be updated from account 111111111111:
aws lambda update-function-code --function-name arn:aws:lambda:us-west-2:222222222222:function:my-function --zip-file fileb://source.zip
Granting permissions in Account_Bld to access Account_Dst is not sufficient to gain access to another account. This is good, because you wouldn't want people granting themselves access to other people's accounts.
The destination account needs to accept the incoming request. The method varies by service. For example, Amazon S3 can create a Bucket Policy to permit access from other accounts, as can Amazon SQS.
However, there is no such concept in Lambda to configure incoming requests from other accounts. There is simply nowhere that can be configured to allow update-function-code from another account.
Therefore, you will need to do as you suggested:
Create an IAM User or IAM Role in Account_Dst
Use the credentials from the Account_Dst IAM User (simplest) or use the existing Account_Bld credentials to assume the Role in Account_Dst (a few more lines of code)
Call update-function-code using those credentials
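Both answers above rest on the same IAM rule: a cross-account request must be allowed by the caller's identity-based policy in its own account and by the resource-based policy in the destination account, whereas within one account either policy suffices. This added Python model (not AWS code and not from the page) encodes that rule and replays the question's scenario; the account IDs, role name and instance ID are constructed placeholders.

```python
import fnmatch
# Added model (not AWS code) of the decision the answers above describe: within
# one account either the caller's identity-based policy or the function's
# resource-based policy suffices; across accounts BOTH must allow the action.
# Explicit Deny is out of scope. All IDs and names below are constructed.

def account_of(arn):
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]

def _principal_matches(entry, principal):
    """Entry may be the exact caller ARN, a bare account ID, or the account root
    ARN (which is what `add-permission --principal 111111111111` records)."""
    if entry == principal:
        return True
    if entry.isdigit():
        return entry == account_of(principal)
    return entry.endswith(":root") and account_of(entry) == account_of(principal)

def _allows(statements, action, resource, principal=None):
    """True if some Allow statement matches action, resource and (if given) principal."""
    for s in statements:
        if s.get("Effect") != "Allow":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if not any(fnmatch.fnmatch(action, a) for a in actions):
            continue
        if not fnmatch.fnmatch(resource, s["Resource"]):
            continue
        if principal is not None:
            grants = s.get("Principal", {}).get("AWS", [])
            grants = grants if isinstance(grants, list) else [grants]
            if not any(_principal_matches(g, principal) for g in grants):
                continue
        return True
    return False

def is_allowed(caller_arn, identity_policy, resource_arn, resource_policy, action):
    by_identity = _allows(identity_policy, action, resource_arn)
    by_resource = _allows(resource_policy, action, resource_arn, caller_arn)
    if account_of(caller_arn) == account_of(resource_arn):
        return by_identity or by_resource
    return by_identity and by_resource  # cross-account: both sides must agree

# The question's scenario: a Jenkins role in 111111111111 updating a function in 222222222222.
CALLER = "arn:aws:sts::111111111111:assumed-role/jenkins_ec2_role/i-placeholder"
FUNC = "arn:aws:lambda:us-east-1:222222222222:function:my-function"
IDENTITY = [{"Effect": "Allow", "Action": "lambda:UpdateFunctionCode", "Resource": FUNC}]
# Statement that `add-permission --principal 111111111111 --action lambda:UpdateFunctionCode` adds:
RESOURCE = [{"Sid": "xaccount", "Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
             "Resource": FUNC, "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]
```

With an empty resource policy the call is denied exactly as in the question's error; with the xaccount statement in place, and only then, it succeeds.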

AWS transform data going into IoT Analytics pipeline with a Lambda function permission error

I have a rule in IoT Core that sends messages to an IoT Analytics channel, and that data is then passed to an Analytics pipeline. In the pipeline, however, I want to make use of a pipeline activity to transform the message, specifically the "Transform message with Lambda function" activity.
My Lambda function returns a value that it retrieves from DynamoDB, I have tested the Lambda in AWS Lambda and it executes and works as it should, however, once I click update preview that should now show me the transformed message I get the following error:
We could not run the pipeline activity. ERROR : Unable to execute Lambda function due to insufficient permissions; dropping the messages, number of messages dropped : 1, functionArn : arn:aws:lambda:eu-west-1:x:function:y
The IAM role associated with the Lambda y function has the following permissions:
AmazonDynamoDBFullAccess
AWSIoTAnalyticsFullAccess
AWSIoTFullAccess
Is there a policy perhaps that I do not have in my IAM role for the Lambda that is preventing it from doing what I need it to?
Seems like you didn't provide permission to your Lambda function; make sure you have granted IoT Analytics permission to invoke your Lambda function.
Example AWS CLI command:
1)
aws lambda add-permission --function-name filter_to_cloudwatch --statement-id filter_to_cloudwatch_perms --principal iotanalytics.amazonaws.com --action lambda:InvokeFunction
2)
aws lambda add-permission --function-name LambdaForWeatherCorp --region us-east-1 --principal iot.amazonaws.com --source-arn arn:aws:iot:us-east-1:123456789012:rule/WeatherCorpRule --source-account 123456789012 --statement-id "unique_id" --action "lambda:InvokeFunction"
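A defender-side check that ties the add-permission answers on this page together (the Amazon Connect answer above and this IoT Analytics one): command 1) here grants the service principal with no --source-arn or --source-account, so the resulting statement lets that service invoke the function on behalf of any account (the confused-deputy case), while the Connect command and command 2) scope the grant. This added Python example, not code from the page or from AWS, parses the policy string that `aws lambda get-policy` returns and flags such unscoped service grants; the policy below is a constructed sample modelled on those commands.

```python
import json

# Constructed sample: the inner "Policy" string that `aws lambda get-policy`
# returns after add-permission calls like those quoted in the answers.
# Statement "1" mirrors the Connect command (scoped by SourceAccount/SourceArn);
# statement "filter_to_cloudwatch_perms" mirrors command 1) above (unscoped).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {"Service": "connect.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "123456789012"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-06a0be38cccf"},
            },
        },
        {
            "Sid": "filter_to_cloudwatch_perms",
            "Effect": "Allow",
            "Principal": {"Service": "iotanalytics.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:filter_to_cloudwatch",
        },
    ],
})

def find_unscoped_service_grants(policy_json):
    """Return the Sids of Allow statements that grant a *service* principal
    without an AWS:SourceArn or AWS:SourceAccount condition."""
    policy = json.loads(policy_json)
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue  # only service-principal grants are subject to this check
        cond = json.dumps(stmt.get("Condition", {})).lower()  # keys are case-insensitive
        if "aws:sourcearn" not in cond and "aws:sourceaccount" not in cond:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged

if __name__ == "__main__":
    print("unscoped service grants:", find_unscoped_service_grants(SAMPLE_POLICY))
```

Feed it `jq -r .Policy` of a real `get-policy` result; an empty list means every service grant names the account or source ARN that may invoke the function.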

Using multiple Lambda versions with AWS API Gateway

I have two versions of an AWS Lambda function. I wanted to attach it to two stages of API Gateway, dev and prod.
I created two aliases, dev and prod, for the two versions of the Lambda function. I created a stage variable called fname and provided the values dev and prod against them in the appropriate stages.
Against the Lambda function to be called in the Resources section, I provided the function name as stageTester:${stageVariables.fname} where stageTester is the name of my function.
It prompted me to attach permissions using AWS CLI. I ran the following command:
aws lambda add-permission --function-name arn:aws:lambda:ap-south-1:xxxxxxx:function:stageTester:dev --source-arn 'arn:aws:execute-api:ap-south-1:zzzzzz:aaaaaa/*/GET/stageTester' --principal apigateway.amazonaws.com --statement-id cxbxcx9bx5-68df-4x9d-96xd-9exb497xa934 --action lambda:InvokeFunction --profile lambdaUser --region ap-south-1
...and a similar one for prod. I expected that this would attach the permissions appropriately.
I completed the deployment and tried to invoke the API. However, I encountered Internal Server Error every time. In the Lambda function screen, against the trigger, I see the following error:
The API with ID aaaaaa does not include a resource with path /stageTester having an integration arn:aws:lambda:ap-south-1:xxxxxxx:function:stageTester:dev on the GET method
Can someone help me with this issue?