"Invalid lambda function" when trying to configure SES email receiving rule - amazon-web-services

I created a simple Lambda function for processing Amazon SES incoming email.
The function works; testing it with SES data works from the Lambda editing panel.
When trying to create an SES email receiving rule, I always get identical errors:
Invalid Lambda function:
arn:aws:lambda:region:userid:function:functionname
(Request ID: requestid)
Tried to add roles for this lambda via command line:
aws lambda add-permission \
  --function-name arn:aws:lambda:region:userid:function:functionname \
  --statement-id=GiveSESPermissionToInvokeFunction \
  --principal=ses.amazonaws.com \
  --action=lambda:InvokeFunction \
  --source-account=userid \
  --region "region"
Role is added successfully, but it's not helping.

The Lambda function needs to be in the same AWS region as you are configuring the SES rule in.

Related

Send an EC2 email with SES through the AWS CLI

I'm trying to figure out if there is a way to send an SES email from a Linux EC2 instance through AWS CLI. I looked at some examples saying that it's better to use SMTP, saying SES would work but no details behind, or some saying it's not possible.
I have tried this:
aws ses send-raw-email --from-arn arn:aws:ec2:<REGION>:<ACCOUNT_ID>:instance/<instance-id> --destinations <list>
but I didn't get anything.
As per the help page of send-raw-email (aws ses send-raw-email help), the parameter --from-arn is the resource name of the verified identity you configure in SES.
This parameter is used only for sending authorization. It is the ARN of the identity that is associated with the sending authorization policy that permits you to specify a particular "From" address in the header of the raw email.
More importantly, it is not the ARN of the EC2 instance from which you are invoking the CLI.
Consider the examples below:
Without parameter --from-arn, instead using --source
% aws ses send-raw-email --source saini001@gmail.com --destinations saini001@gmail.com --raw-message file://email.json --cli-binary-format raw-in-base64-out
{
"MessageId": "0100017fc8dc8fbd-34f5bf83-ac26-4bd5-aa69-7358d96d925a-000000"
}
Using --from-arn
% aws ses send-raw-email --from-arn arn:aws:ses:us-region-x:xxxxx:identity/saini001@gmail.com --destinations saini001@gmail.com --raw-message file://email.json --cli-binary-format raw-in-base64-out
{
"MessageId": "0100017fc8df4fd7-3c21d871-3883-4d4c-8c82-17cbfd479e5f-000000"
}
In both cases, SES sent email to the specified destination.

Sending message to AWS Lambda from AWS Pinpoint Custom Channel

I am trying to send messages to my AWS Lambda Function from AWS Pinpoint through custom channel as described here
My problem is about granting permission to AWS Pinpoint to invoke my lambda function. The AWS CLI command provided in the documentation for granting permission is not working. When I execute the aws lambda add-permission command from AWS CLI like described in the documentation, I got the following error:
"no matches found: arn:aws:mobiletargeting:us-east-1:<account-id>:apps/*"
The result doesn't change if I change the ARN to any of the below:
arn:aws:mobiletargeting:us-east-1:<account-id>:apps/<pinpoint-app-id>/*
arn:aws:mobiletargeting:us-east-1:<account-id>:apps/<pinpoint-app-id>/campaigns/*
arn:aws:mobiletargeting:us-east-1:<account-id>:/apps/<pinpoint-app-id>/*
arn:aws:mobiletargeting:us-east-1:<account-id>:/apps/<pinpoint-app-id>/campaigns/*
I tried the same with AWS CloudFormation instead of the AWS CLI, and I succeeded in granting permission to AWS Pinpoint to invoke my Lambda function. At least the resource-based policy appeared in the "Permissions" tab of my AWS Lambda function console. The source ARN like condition is
arn:aws:mobiletargeting:us-east-1:<account-id>:apps/<pinpoint-app-id>/*
But, when I try to create a campaign under the same pinpoint application (i.e., project) I got the following error message:
"Amazon Pinpoint couldn’t invoke the Lambda function that you specified for custom delivery. Verify that a function policy is assigned to the function and that Amazon Pinpoint is authorized to invoke the function."
I tried different SourceArn like conditions, including the following, but the result is the same:
arn:aws:mobiletargeting:us-east-1:<account-id>:apps/<pinpoint-app-id>/*
arn:aws:mobiletargeting:us-east-1:<account-id>:apps/<pinpoint-app-id>/campaigns/*
arn:aws:mobiletargeting:us-east-1:<account-id>:apps/*
arn:aws:mobiletargeting:us-east-1:<account-id>:*
arn:aws:mobiletargeting:us-east-1:<account-id>:/apps/*
Couldn't figure out what the problem is. Any idea about what I am missing will be greatly appreciated.
Thanks in advance!
Interesting but the same aws lambda add-permission command that returned no matches found: arn:aws:mobiletargeting:us-east-1:<account-id>:apps/* is working after sudo su.
This is probably too late, but for anyone who has a similar problem and doesn't want to go through the whole CloudFormation template, at least for now.
I had the same issue with
"no matches found: arn:aws:mobiletargeting:us-east-1::apps/*".
It was due to my terminal behaving weirdly with '*', so adding single quotes around the arn worked, like:
'arn:aws:mobiletargeting:us-east-1:<account-id>:apps/<pinpoint-app-id>/*'

Can I get the lambda function trigger information using aws cli?

I am working with a serverless project and I have access only to the AWS CLI, so I want to get the trigger information of a function, such as the event. Since I am using an SNS topic to trigger the function, I want to get the topic information and ARN. I tried different options, such as:
list-event-source-mapping - which returns an empty array
get-function: which doesn't hold that value
Do I have means to get the trigger information of a function with aws cli?
In this case, I believe the only way to get that information would be from the get-policy API call, as that will contain the resource-based policy (AKA trigger) which allows the other service to invoke the Lambda.
The get-event-source-mappings API returns the stream based event sources in the region such as:
Kinesis
Dynamo
SQS
So for example, if I have a lambda function which is configured to be invoked from SNS then the policy returned would be similar to:
aws lambda get-policy --function-name arn:aws:lambda:us-east-1:111122223333:function:YOUR_LAMBDA_NAME_HERE --query Policy --output text | jq '.Statement[0].Condition.ArnLike["AWS:SourceArn"]'
OUTPUT:
"arn:aws:sns:REGION:111122223333:TOPIC_NAME"
Though that assumes that the policy in the Lambda function only has that one statement, but if you know the specific statement id then you should be able to select it in jq using a filter.
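The jq filter in the answer above reads only Statement[0]. As an added example (not part of the original answer), this Python sketch walks every statement of the text returned by aws lambda get-policy and reports, per statement, the invoking principal, any AWS:SourceArn / AWS:SourceAccount values, and whether the grant is restricted by either. The policy, function ARN and topic name below are constructed sample data.

```python
import json

# Constructed sample of the JSON text returned by
# `aws lambda get-policy --query Policy --output text` (three statements).
FN = "arn:aws:lambda:us-east-1:111122223333:function:demo"

def _stmt(sid, service, condition=None):
    s = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": service},
         "Action": "lambda:InvokeFunction", "Resource": FN}
    if condition:
        s["Condition"] = condition
    return s

SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    _stmt("sns-trigger", "sns.amazonaws.com",
          {"ArnLike": {"AWS:SourceArn": "arn:aws:sns:us-east-1:111122223333:demo-topic"}}),
    _stmt("ses-trigger", "ses.amazonaws.com",
          {"StringEquals": {"AWS:SourceAccount": "111122223333"}}),
    _stmt("unscoped", "connect.amazonaws.com"),
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(statement, key):
    """Values of one condition key under any operator; key match is case-insensitive."""
    return [v for operands in statement.get("Condition", {}).values()
            for name, value in operands.items() if name.lower() == key
            for v in _as_list(value)]

def list_triggers(policy_text):
    """One record per statement: who may invoke, and from which source."""
    records = []
    for st in _as_list(json.loads(policy_text).get("Statement", [])):
        principal = st.get("Principal", "")
        if isinstance(principal, dict):      # {"Service": ...} or {"AWS": ...}
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:                                # bare string such as "*"
            principals = [principal]
        arns = _condition_values(st, "aws:sourcearn")
        accounts = _condition_values(st, "aws:sourceaccount")
        records.append({"sid": st.get("Sid"), "principals": principals,
                        "source_arns": arns, "source_accounts": accounts,
                        "scoped": bool(arns or accounts)})
    return records

if __name__ == "__main__":
    for record in list_triggers(SAMPLE_POLICY):
        print(record)
```

A record with "scoped": False is a service principal that can invoke the function with no source restriction, which is the case the --source-arn and --source-account options of add-permission exist to close.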

AWS - "AccessDeniedException" calling lambda function from Amazon connect

I am new to the AWS API and system in general, and I'm currently working with three parts of AWS:
Connect
Lambda
Lex
I am trying to get Connect to call a Lambda function with a simple parameter, but I am getting this error in CloudWatch:
[image: cloudwatch]
I tried a Google search, but it seems that everyone thinks it is IAM related, even though I have a role with the right permissions:
[image: lambda role]
and detailed:
[image]
It looks like the trigger is already there.
Does anyone know why I can't invoke my Lambda function? Permissions should be fine, I think...
Thank you
You need to configure a "Trigger Policy" which allows AWS Connect to invoke your AWS Lambda.
You can configure it through the AWS CLI:
aws lambda add-permission --function-name function:my-lambda-function --statement-id 1 \
--principal connect.amazonaws.com --action lambda:InvokeFunction --source-account 123456789012 \
--source-arn arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-06a0be38cccf
This command uses the following input:
The name of the Lambda function (for example, my-lambda-function)
The ARN of an Amazon Connect instance (for example, arn:aws:connect:us-east-1:123456789012:instance/def1a4fc-ac9d-11e6-b582-example) - To find the ARN for your instance, open the Amazon Connect console, and then choose the Instance Alias to open the Overview page.
The AWS account ID for the Lambda function (for example, 123456789012)
For more details please check the Documentation: Using AWS Lambda Functions with Amazon Connect

An error occurred (InvalidParameter) when calling the AddPermission operation: Invalid parameter: Policy contains too many statements

We are trying to add permission to an SNS topic in account 'A'. A lambda function in account 'B' will invoke this. To do this, we used the CLI as below:
aws sns add-permission --topic-arn arn:aws:sns:us-east-1:<account_A>:djif-prod-policy-engine-config-sns --label lambda-<account_B>-us-east-2 --aws-account-id <account_B> --action-name Publish --region us-east-1
This returns the following error:
An error occurred (InvalidParameter) when calling the AddPermission operation: Invalid parameter: Policy contains too many statements!
Can someone help us figure out a way to resolve this? We created a lambda function in a different account (account C) and this command worked fine with no errors.
We figured this out. Whenever we run aws sns add-permission it updates the SNS topic policy. We had a bug in our code that called this multiple times for the same account (we are trying to invoke this SNS topic from multiple accounts). The AWS limit on the number of policies is 100 and when we hit this limit, we get the error.
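A check for the failure described above, as an added example that is not part of the original post: given the topic policy text (the Policy attribute from aws sns get-topic-attributes), it counts statements, reports grants that repeat an earlier one under a different label, and answers whether an account already has the permission before add-permission is called again. The policy below is constructed, the statement shape is an assumption about what add-permission appends, and the limit of 100 is the figure quoted in the answer.

```python
import json

STATEMENT_LIMIT = 100  # figure quoted in the answer above, not verified here
TOPIC = "arn:aws:sns:us-east-1:111122223333:demo-topic"  # constructed

def _grant(label, account):
    """Constructed statement in the shape `aws sns add-permission` is assumed to append."""
    return {"Sid": label, "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": "SNS:Publish", "Resource": TOPIC}

# Constructed topic policy: one account granted twice under different
# labels, plus one grant for a second account.
SAMPLE_POLICY = json.dumps({"Version": "2008-10-17", "Statement": [
    _grant("lambda-444455556666-us-east-2", "444455556666"),
    _grant("lambda-777788889999-us-east-2", "777788889999"),
    _grant("lambda-444455556666-retry", "444455556666"),
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _fingerprint(statement):
    """Canonical form of a statement with its Sid (the --label) removed."""
    body = {k: v for k, v in statement.items() if k != "Sid"}
    return json.dumps(body, sort_keys=True)

def audit_topic_policy(policy_text, limit=STATEMENT_LIMIT):
    """Count statements and list (duplicate Sid, first Sid) pairs."""
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    first_seen, duplicates = {}, []
    for st in statements:
        fp = _fingerprint(st)
        if fp in first_seen:
            duplicates.append((st.get("Sid"), first_seen[fp]))
        else:
            first_seen[fp] = st.get("Sid")
    return {"statements": len(statements), "duplicates": duplicates,
            "remaining": limit - len(statements)}

def already_granted(policy_text, account, action="SNS:Publish"):
    """Check to run before calling add-permission again for the same account."""
    for st in _as_list(json.loads(policy_text).get("Statement", [])):
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if (st.get("Effect") == "Allow" and action in _as_list(st.get("Action", []))
                and any(account in p for p in _as_list(aws))):
            return True
    return False
```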