How to know which s3 bucket trigger which lambda? - amazon-web-services

How to know which S3 bucket triggers which Lambda without going through all the Lambdas?

You can look at these triggers under the bucket's events themselves. When you open an S3 bucket, navigate to Properties and, under that, Events. You can however delete or edit the triggered resource from that panel. Hope it helps.

This can be a bit difficult, since the command line options for Lambda require that you use aws lambda get-policy in order to find out which resources are allowed to perform the lambda:InvokeFunction action on a given function. These permissions aren't shown as part of the Lambda configuration returned by aws lambda get-function-configuration. Use bash and jq to get a list of functions and spit out their allowed invokers. Like this:
aws lambda list-functions | jq '.Functions[].FunctionName' --raw-output | while read f; do
  # get-policy exits non-zero for functions with no resource-based policy; treat that as "no invokers"
  # statements without a Condition yield nothing instead of a jq error (null // empty)
  policy=$( aws lambda get-policy --function-name "${f}" 2>/dev/null | jq '.Policy | fromjson | .Statement[] | select(.Effect=="Allow") | select(.Action=="lambda:InvokeFunction") | .Condition.ArnLike // empty | .[]' --raw-output )
  echo "FUNCTION ${f} CAN BE INVOKED FROM:"
  echo "${policy}"
done
This will list the ARNs of the resources that are allowed to use the action lambda:InvokeFunction on all Lambda functions returned from list-functions.
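The jq one-liner answers the question from the Lambda side only. The script below is an added example (not code from any answer in this thread) that parses both sides: the resource-based policy that `aws lambda get-policy` returns, and the notification configuration that `aws s3api get-bucket-notification-configuration` returns, then joins them to find notifications that are configured on a bucket but not permitted by the function's policy. It also flags policy statements that carry neither AWS:SourceArn nor AWS:SourceAccount, which is the condition that stops a service principal from invoking the function on behalf of any bucket in any account. The `live_report()` wrapper assumes boto3 is installed and credentialed; the sample policy and notification data are constructed and are what the parsers are tested on.

```python
"""Added example: map S3 buckets to the Lambda functions they trigger, from both sides.

lambda_invokers() parses get-policy output, bucket_lambda_targets() parses a bucket
notification configuration, missing_permissions() joins them. live_report() needs
boto3 (assumed installed and credentialed); the sample data below is constructed.
"""
import json
from typing import Dict, List

INVOKE_ACTIONS = ("lambda:InvokeFunction", "lambda:*", "*")


def lambda_invokers(policy_json: str) -> List[dict]:
    """One record per Allow statement granting lambda:InvokeFunction.

    policy_json is the string in the "Policy" field of get-policy output. A statement
    with neither AWS:SourceArn nor AWS:SourceAccount in its Condition is flagged
    "unscoped": the named service principal may then invoke the function on behalf of
    any resource in any account (the confused-deputy case SourceArn prevents).
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    records = []
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in INVOKE_ACTIONS for a in actions):
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict):  # {"Service": "..."} or {"AWS": "..."}
            principal = principal.get("Service") or principal.get("AWS")
        cond = st.get("Condition") or {}
        source_arn = (cond.get("ArnLike") or cond.get("ArnEquals") or {}).get("AWS:SourceArn")
        source_account = (cond.get("StringEquals") or {}).get("AWS:SourceAccount")
        records.append({"sid": st.get("Sid"), "principal": principal,
                        "source_arn": source_arn, "source_account": source_account,
                        "unscoped": source_arn is None and source_account is None})
    return records


def bucket_lambda_targets(notification_config: dict) -> List[dict]:
    """Lambda destinations declared in a bucket's notification configuration."""
    targets = []
    for cfg in notification_config.get("LambdaFunctionConfigurations", []):
        rules = cfg.get("Filter", {}).get("Key", {}).get("FilterRules", [])
        targets.append({"id": cfg.get("Id"), "function_arn": cfg["LambdaFunctionArn"],
                        "events": cfg.get("Events", []),
                        "filter": {r["Name"].lower(): r["Value"] for r in rules}})
    return targets


def missing_permissions(functions: Dict[str, List[dict]], buckets: Dict[str, List[dict]]) -> List[str]:
    """Bucket -> function pairs where no s3.amazonaws.com statement admits that bucket.

    functions: function name -> lambda_invokers() output; buckets: bucket name ->
    bucket_lambda_targets() output. Wildcards inside ArnLike are not expanded here.
    """
    problems = []
    for bucket, targets in buckets.items():
        bucket_arn = f"arn:aws:s3:::{bucket}"
        for t in targets:
            name = t["function_arn"].split(":function:", 1)[1].split(":", 1)[0]
            allowed = any(r["principal"] == "s3.amazonaws.com"
                          and r["source_arn"] in (None, bucket_arn)
                          for r in functions.get(name, []))
            if not allowed:
                problems.append(f"{bucket} -> {name}")
    return problems


def live_report(region: str = "us-east-1") -> dict:
    """Query a real account (assumes boto3 and credentials; not exercised by the sample run)."""
    import boto3  # imported here so the parsers above run without boto3
    lam = boto3.client("lambda", region_name=region)
    functions: Dict[str, List[dict]] = {}
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            try:
                functions[fn["FunctionName"]] = lambda_invokers(
                    lam.get_policy(FunctionName=fn["FunctionName"])["Policy"])
            except lam.exceptions.ResourceNotFoundException:
                functions[fn["FunctionName"]] = []  # no resource-based policy at all
    s3 = boto3.client("s3", region_name=region)  # assumption: buckets live in this region
    buckets: Dict[str, List[dict]] = {}
    for b in s3.list_buckets()["Buckets"]:
        targets = bucket_lambda_targets(s3.get_bucket_notification_configuration(Bucket=b["Name"]))
        if targets:
            buckets[b["Name"]] = targets
    return {"functions": functions, "buckets": buckets,
            "missing": missing_permissions(functions, buckets)}


# Constructed sample inputs in the shapes the two AWS calls return (account ids are fake).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "s3-upload-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:process-upload",
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-uploads"},
                   "StringEquals": {"AWS:SourceAccount": "444455556666"}}},
    {"Sid": "sns-unscoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "sns.amazonaws.com"},
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:process-upload"}]})
SAMPLE_NOTIFICATIONS = {
    "example-uploads": {"LambdaFunctionConfigurations": [
        {"Id": "ObjectCreation", "Events": ["s3:ObjectCreated:*"],
         "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:process-upload",
         "Filter": {"Key": {"FilterRules": [{"Name": "suffix", "Value": ".csv"}]}}}]},
    "other-bucket": {"LambdaFunctionConfigurations": [
        {"Id": "Unpermitted", "Events": ["s3:ObjectCreated:*"],
         "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:process-upload"}]}}

if __name__ == "__main__":
    funcs = {"process-upload": lambda_invokers(SAMPLE_POLICY)}
    bkts = {b: bucket_lambda_targets(c) for b, c in SAMPLE_NOTIFICATIONS.items()}
    for name, recs in funcs.items():
        print(f"FUNCTION {name} CAN BE INVOKED FROM:", *recs, sep="\n  ")
    print("notifications with no matching permission:", missing_permissions(funcs, bkts))
```

On the sample data the report shows the S3 statement scoped to one bucket and one source account (the cross-account shape used later on this page), the SNS statement flagged as unscoped, and `other-bucket -> process-upload` as a notification that exists on the bucket but that the function's policy would reject.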

When you set up triggers on your S3 Bucket, you can select which Lambda function is invoked.
Check out this document for more information: https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html.
Here's a more comprehensive document that deep dives on S3 event notifications: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-event-notifications.html
If you select the Lambda Function destination type, do the following:
In Lambda Function, type or choose the name of the Lambda function that you want to receive notifications from Amazon S3.
If you don't have any Lambda functions in the region that contains your bucket, you'll be prompted to enter a Lambda function ARN. In Lambda Function ARN, type the ARN of the Lambda function that you want to receive notifications from Amazon S3.
(Optional) You can also choose Add Lambda function ARN from the menu and type the ARN of the Lambda function in Lambda function ARN.

Related

How can I get the a lambda function by using its ARN in the AWS CLI?

I'm using the Azure Toolkit for AWS to create my Lambda, and then running some PowerShell scripts to act on it. After creation, I get the function's ARN as an output. I don't see anywhere in the documentation where I can access the function via the ARN; everything takes the function-name as a parameter.
You can use the ARN in the --function-name parameter when executing AWS CLI calls for the AWS lambda API.
Here's an example for the get-function api:
--function-name (string)
The name of the Lambda function, version, or alias.
Name formats
Function name - my-function (name-only), my-function:v1 (with alias).
Function ARN - arn:aws:lambda:us-west-2:123456789012:function:my-function .
Partial ARN - 123456789012:function:my-function

Can I get the lambda function trigger information using aws cli?

I am working with a serverless project and I only have access to the AWS CLI, so I want to get the trigger information of a function, such as the event. Since I am using an SNS topic to trigger the function, I want to get the topic information and ARN. I tried different options, such as:
list-event-source-mapping - which returns an empty array
get-function - which doesn't hold that value
Do I have means to get the trigger information of a function with aws cli?
In this case, I believe the only way to get that information would be from the get-policy API call, as that will contain the resource-based policy (AKA trigger) which allows the other service to invoke the Lambda.
The get-event-source-mappings API returns the stream based event sources in the region such as:
Kinesis
Dynamo
SQS
So for example, if I have a lambda function which is configured to be invoked from SNS then the policy returned would be similar to:
aws lambda get-policy --function-name arn:aws:lambda:us-east-1:111122223333:function:YOUR_LAMBDA_NAME_HERE --query Policy --output text | jq '.Statement[0].Condition.ArnLike["AWS:SourceArn"]'
OUTPUT:
"arn:aws:sns:REGION:111122223333:TOPIC_NAME"
Though that assumes that the policy on the Lambda function only has that one statement; if you know the specific statement id, you should be able to select it in jq using a filter.

AWS - "AccessDeniedException" calling lambda function from Amazon connect

I am new to the AWS API and system in general, and I'm currently working with three parts of AWS:
Connect
Lambda
Lex
I am trying to get Connect to call a Lambda function with a simple parameter, but I am getting this error in CloudWatch:
[screenshot: CloudWatch error]
I tried a Google search, but it seems that everyone thinks it is IAM related, even though I have a role with the right permissions:
[screenshot: Lambda role]
and in detail:
It looks like the trigger is already there.
Does anyone know why I can't get to invoke my Lambda function? Permissions should be fine, I think...
Thank you
You need to configure a "Trigger Policy" which allows AWS Connect to invoke your AWS Lambda.
You can configure it through the AWS CLI:
aws lambda add-permission --function-name function:my-lambda-function --statement-id 1 \
--principal connect.amazonaws.com --action lambda:InvokeFunction --source-account 123456789012 \
--source-arn arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-06a0be38cccf
This command uses the following input:
The name of the Lambda function (for example, my-lambda-function)
The ARN of an Amazon Connect instance (for example, arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-example) - To find the ARN for your instance, open the Amazon Connect console, and then choose the Instance Alias to open the Overview page.
The AWS account ID for the Lambda function (for example, 123456789012)
For more details please check the Documentation: Using AWS Lambda Functions with Amazon Connect

Lambda s3 trigger not seeing bucket [duplicate]

I want to run a lambda in Account B when any object comes into Account A S3 bucket.
But I heard that we can access Lambda from the same account S3 only, for cross-account S3 Lambda access I must run Lambda within same account and make another trigger which runs another account Lambda:
S3(Account A)--> Lambda(Account B)- not possible
S3(Account A)--> Lambda(Account A)-->Lambda(Account B)- Possible
Can someone help me which option is possible? If so how?
John's solution works, but there are certain steps I would like to add to his answer.
The S3 bucket and the Lambda need to be in the same region. For example, both should be created in the us-east-1 region. Different regions would throw an error as below:
The notification destination service region is not valid for the bucket location constraint
Below are the steps I followed to create the trigger:
Account-A.S3-bucket -> Account-B.Lambda-function
From Terminal, switch to Account-B's AWS profile where the Lambda would reside
Run the below command, change the parameters for your case:
aws lambda add-permission \
--region {Account-B.Lambda region Eg. us-east-1} \
--function-name {Account-B.Lambda name} \
--statement-id 1 \
--principal s3.amazonaws.com \
--action lambda:InvokeFunction \
--source-arn arn:aws:s3:::{Account-A.S3 name} \
--source-account {Account-A.account-id} \
--profile {Account-B.profile-name}
You might get a "statement-id exists" error; in that case, increment the statement-id and re-run the command.
Go to Account-A's S3 bucket and, under the Properties tab, under Events
Select Add Notification
Add the following fields:
Name: ObjectCreation
Events: ObjectCreate (All)
Send to: Lambda function
Lambda: Add Lambda function ARN
Lambda function ARN:
your-lambda-arn
Note: The Lambda function might still show an error, but new objects added to the S3 bucket trigger the Lambda and print(event) logs appear in CloudWatch Logs.
I managed to successfully trigger an AWS Lambda function in Account B from an upload to an Amazon S3 bucket in Account A.
Account-A.S3-bucket -> Account-B.Lambda-function
Here's what I did:
Created the Amazon S3 bucket in Account A
Created the Lambda function in Account B
Added a Resource-Based Policy for AWS Lambda to the Lambda function via the AWS Command-Line Interface (CLI) that allowed the S3 bucket to call lambda:InvokeFunction on the Lambda function
Added a Bucket Policy to the S3 bucket to permit GetObject access from anywhere (this should be locked-down further, but was sufficient for the experiment)
Configured an Event for ObjectCreate (All) on the S3 bucket, referencing the Lambda function via its ARN
Uploaded a file to the Account-A.S3-bucket
The Account-B.Lambda-function was successfully triggered
I then repeated the experiment with the bucket in a different region and it failed, saying:
The notification destination service region is not valid for the bucket location constraint
Here is how you do this in clear steps:
I defined "Customer Account" as the account that contains the S3 resource, and "Service Account" as the account that contains the Lambda function that will access the S3 resource.
Create assumed role on Customer Account with full S3 access,
Create trust policy in assumed role pointing at Lambda ARN
Attach IAM policy to Lambda execution role on Service Account - pointing at Customer account / assumed role
(Reference: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/)
Create object notification event on target S3 bucket on customer account, to notify Lambda ARN on service account.
(Reference: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#putBucketNotificationConfiguration-property)
In the new S3 console, open your bucket. Click on the Properties tab -> Events. You need to give S3 permission to invoke the Lambda function. Refer: configure Amazon S3 bucket to run Lambda function created in another account
Both options should be possible. So you can go with the first option, which is minimalistic.
Use the Cross Account access feature in IAM to grant access to S3(Account A) from Lambda(Account B).
This is achieved by creating an IAM Role in Account B which is granted access to the bucket in Account A and is allowed to be assumed by the Lambda (in Account B).
For further details, refer to the following documentation from AWS:
Using Resource-Based Policies for AWS Lambda, Example 2: Bucket Owner Granting Cross-Account Bucket Permissions
