I would like to send SNS notifications to a Lambda function from one account to another, exposing the Lambda through an API Gateway. But I'm having an issue. I first tried with the API Gateway in the same account as the SNS topic and everything worked like a charm, but when I try with a topic from another account all I get is a Bad Request error. Do I need to configure any permission?
You need to enable permissions for the TOPIC in another account.
You can find an example in the AWS documentation, section "Allowing Any AWS Resource to Publish to a Topic".
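As an added illustration (not code from the answer above), the following Python builds the kind of topic access policy that answer refers to, but scoped to the one other account that owns the API Gateway endpoint rather than to any AWS resource, and then lints a policy for the over-broad pattern. The account IDs, topic ARN and function names are placeholders chosen for this example.

```python
import json

# Added example, not from the original answer. The ARN and account IDs are
# hypothetical placeholders.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:orders"   # topic owner (account A)
SUBSCRIBER_ACCOUNT = "222222222222"                         # account owning the API Gateway endpoint


def cross_account_subscribe_policy(topic_arn, subscriber_account, protocols=("https",)):
    """Topic access policy that lets exactly one other account subscribe an
    endpoint to this topic, limited to the listed delivery protocols."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOtherAccountToSubscribe",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{subscriber_account}:root"},
            "Action": ["sns:Subscribe", "sns:Receive"],
            "Resource": topic_arn,
            "Condition": {"StringEquals": {"sns:Protocol": list(protocols)}},
        }],
    }


def policy_findings(policy):
    """Flag Allow statements that open the topic to every AWS principal
    (Principal "*" with no Condition) or grant every SNS action."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        open_principal = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if open_principal and "Condition" not in st:
            findings.append(f"{sid}: Allow with Principal * and no Condition")
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "*" in actions or "sns:*" in actions:
            findings.append(f"{sid}: grants all SNS actions")
    return findings


if __name__ == "__main__":
    policy = cross_account_subscribe_policy(TOPIC_ARN, SUBSCRIBER_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy))
```

Attach the generated document as the topic's access policy in account A; the subscriber in account B then needs `sns:Subscribe` on the topic ARN in its own IAM policy as well. The linter is there because the documentation example in the answer's title uses `"Principal": "*"`, which is fine for a quick test but lets any AWS account subscribe to or publish to the topic.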
Trying to turn a containerized Cube.js deployment into a serverless one. I'm getting "Continue wait" on every API call, and I notice the cubejsProcess lambda is never invoked. I checked SNS reachability by (successfully) publishing a message to it using the AWS SDK in the cubejs lambda. The cubejsProcess does get invoked with this inserted message. What might be preventing cubejs from publishing messages to SNS?
This is similar to this question, however, connectivity to SNS has been verified in this case.
I'd check the IAM permissions of the cubejs Lambda's role. Does the role allow making requests to SNS?
Another thing that could be causing the issue is if the cubejs Lambda is in a VPC with no Internet access; calling any AWS API endpoint would fail since they all require an Internet connection.
I have been trying to create an email form for my website using AWS Lambda, Amazon API Gateway and SES.
I followed the instructions provided in the blog by AWS. The instructions for adding destinations and creating a link between the mailFwd and the destinations are not provided by the article.
Also, there is a part of the article which mentions adding a code snippet under the policy so that SES can access the lambda function. I can't find where the policy section is.
The application flow looks like this:
JavaScript / HTML -> API Gateway -> AWS Lambda Function mailfwd -> SES
This means, your frontend sends an HTTP request to the API Gateway which forwards an HTTP event to your Lambda function and your Lambda function processes the mail data from the HTTP event and forwards it to SES.
To avoid any confusion: SES is neither calling nor accessing your Lambda function, it's only the other way around. In order to allow the Lambda function to call SES and send a mail, you have to copy the IAM policy from the blog post (the policy about ses:SendMail) to the policy of your Lambda function's IAM role. (I admit that the blog post's wording is a bit confusing here).
Besides that, you don't need to create any links between the services. You only need to tell API Gateway which Lambda function to call if an HTTP request comes in. In this case you choose the mailfwd function as mentioned in the article:
Select your newly-created resource and choose “create method.” Choose a POST. Here, you will choose our AWS Lambda Function. To do this, select “mailfwd” from the drop down.
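As an added example (not the blog post's code), here is what the mailfwd function in the flow above can look like, together with the IAM statement its role needs. The form field names, the addresses and the identity ARN are assumptions for illustration. The point worth seeing in code is that everything arriving from API Gateway is visitor-controlled: the name and e-mail end up in mail headers, so they are checked for CR/LF before SES sees them, and the visitor's address goes in Reply-To rather than Source.

```python
import json
import re

# Added example, not code from the blog post. Addresses, field names and the
# identity ARN below are hypothetical.
SOURCE = "website@example.com"       # assumed SES-verified sender identity
FORWARD_TO = "owner@example.com"     # assumed mailbox that receives the form
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# What the Lambda function's role needs (the ses:SendEmail statement the post
# refers to), scoped to one verified identity rather than "*".
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:111111111111:identity/example.com",
    }],
}


class ValidationError(ValueError):
    pass


def parse_form(body_text):
    """Validate the JSON body API Gateway passes in before it reaches SES.
    Values that end up in mail headers must not contain CR/LF, otherwise a
    visitor could inject extra headers or recipients."""
    try:
        data = json.loads(body_text or "{}")
    except json.JSONDecodeError:
        raise ValidationError("body is not JSON")
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    name = str(data.get("name", "")).strip()
    email = str(data.get("email", "")).strip()
    message = str(data.get("message", "")).strip()
    if not 0 < len(name) <= 100 or "\r" in name or "\n" in name:
        raise ValidationError("invalid name")
    if len(email) > 254 or not EMAIL_RE.match(email):
        raise ValidationError("invalid email")
    if not 0 < len(message) <= 5000:
        raise ValidationError("invalid message")
    return {"name": name, "email": email, "message": message}


def build_send_email_request(form):
    """Parameters for SES SendEmail. The visitor's address goes in ReplyTo,
    never in Source, so SPF/DKIM for the verified sender still pass."""
    return {
        "Source": SOURCE,
        "Destination": {"ToAddresses": [FORWARD_TO]},
        "ReplyToAddresses": [form["email"]],
        "Message": {
            "Subject": {"Data": f"Website contact from {form['name']}"},
            "Body": {"Text": {"Data": f"From: {form['name']} <{form['email']}>\n\n{form['message']}"}},
        },
    }


class FakeSesClient:
    """Offline stand-in for boto3's SES client; records what would be sent."""
    def __init__(self):
        self.sent = []

    def send_email(self, **params):
        self.sent.append(params)
        return {"MessageId": "fake-message-id"}


def handler(event, context=None, ses_client=None):
    """Lambda entry point for an API Gateway proxy integration."""
    if ses_client is None:
        import boto3                      # real client only when deployed
        ses_client = boto3.client("ses")
    try:
        form = parse_form(event.get("body"))
    except ValidationError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    ses_client.send_email(**build_send_email_request(form))
    return {"statusCode": 200, "body": json.dumps({"ok": True})}
```

Deploy `handler` as the mailfwd function and point the POST method at it as the article describes; the role policy above is the only link between Lambda and SES that has to exist.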
I've created SNS topic
I've created API Gateway endpoint that invokes Lambda function
I've created topic HTTPS subscription that points to API Gateway endpoint
Problem: everything works fine when AUTH=none, but when I enabled AUTH=AWS_IAM, neither subscription nor messages are delivered to my lambda. They also won't show up in Lambda or Gateway CloudWatch logs, as is usually the case with authentication errors.
Questions:
What's the identity delivered by the HTTPS endpoint to AWS_IAM so that it doesn't allow it? (My first thought was to relay the SNS poster's token, but it doesn't seem to be the case.)
I couldn't find any way to associate HTTPS endpoint with any identity, is there a way?
There is lots of information about delivering SNS to SQS or Gateway to SNS, but I couldn't find any information about achieving what I try to do.
Is there any method to debug AWS_IAM authentication problems? The documentation I've seen advises to "check privileges", which is something I've been doing for many hours, but I have no more ideas.
I'd be glad to hear any ideas from you, thanks.
As you may have seen in the docs, SNS can only do Basic/Digest Auth http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.html
There is a section in the docs about verifying the validity of the message but that is code you'd have to write yourself or lift from one of the SNS SDKs on the backend. There really isn't any way to get SNS to sign the request with AWS SigV4, unfortunately.
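As an added example (not code from the answer above), this is the verification the answer says you have to write yourself: check that SigningCertURL really points at SNS over HTTPS, rebuild the string-to-sign in the documented key order for the message type, and verify the RSA signature against the certificate's public key. Fetching the certificate is left to the caller, which passes it in as PEM, so the code itself runs offline; the `cryptography` package is only imported inside the verify function. Field values in the usage are constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Added example, not part of the original answer. Implements the message
# validation the SNS docs describe. SignatureVersion "1" is SHA1withRSA,
# "2" is SHA256withRSA, both PKCS#1 v1.5.
NOTIFICATION_KEYS = ["Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"]
CONFIRMATION_KEYS = ["Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"]
CERT_HOST_RE = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def signing_cert_url_is_trusted(url):
    """Only accept certificates served by SNS over HTTPS. Without this check
    anyone can post a message whose SigningCertURL points at a certificate
    for a key they hold, and the signature would verify."""
    parts = urlparse(url)
    return (parts.scheme == "https"
            and bool(CERT_HOST_RE.match(parts.hostname or ""))
            and parts.path.endswith(".pem"))


def build_string_to_sign(msg):
    """Canonical string: 'Key\\nValue\\n' for each key, in the fixed order for
    the message type. Subject is only included when present."""
    msg_type = msg.get("Type")
    if msg_type == "Notification":
        keys = NOTIFICATION_KEYS
    elif msg_type in ("SubscriptionConfirmation", "UnsubscribeConfirmation"):
        keys = CONFIRMATION_KEYS
    else:
        raise ValueError(f"unknown SNS message type: {msg_type!r}")
    out = []
    for key in keys:
        if key == "Subject" and key not in msg:
            continue
        if key not in msg:
            raise ValueError(f"message is missing required field {key}")
        out.append(f"{key}\n{msg[key]}\n")
    return "".join(out)


def verify_sns_message(msg, cert_pem):
    """True only if SigningCertURL is an SNS URL and the signature over the
    canonical string verifies with the public key in cert_pem."""
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    if not signing_cert_url_is_trusted(msg.get("SigningCertURL", "")):
        return False
    digest = {"1": hashes.SHA1(), "2": hashes.SHA256()}.get(msg.get("SignatureVersion"))
    if digest is None:
        return False
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(base64.b64decode(msg["Signature"]),
                          build_string_to_sign(msg).encode("utf-8"),
                          padding.PKCS1v15(), digest)
        return True
    except (InvalidSignature, KeyError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed field values; a real message also carries Signature and
    # SigningCertURL, which the Lambda must check before trusting anything.
    sample = {"Type": "Notification", "MessageId": "m1", "Subject": "s", "Message": "hello",
              "Timestamp": "2024-01-01T00:00:00.000Z",
              "TopicArn": "arn:aws:sns:us-east-1:123456789012:t"}
    print(build_string_to_sign(sample))
```

Do this verification inside the Lambda behind the API Gateway endpoint, cache the certificate per URL, and reject anything that fails before looking at the message body; in the setup described in the question it is the only authentication the HTTPS subscription gets.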
Why don't you let the Lambda function subscribe directly to the SNS topic (without going through API Gateway)?
That should be straightforward: https://docs.aws.amazon.com/sns/latest/dg/sns-lambda.html
Here is the complete link which will help you in solving your authentication problem. https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/
If it's a "Check privileges" issue, then your IAM user doesn't have sufficient access to the resources to make any changes.
I have an AWS account that is used by multiple devs and teams [dev/qa/mobile].
I would like to be notified when any change takes place in my AWS account.
For example, a dev launches a new instance, or a new open port is added in a security group, etc., and he forgets to announce it to me or the rest of the team.
I want to be fully informed for these changes in order to apply specific architecture and/or security and people tend to mess with them.
Is there any dashboard or service inside AWS that I can customise?
Someone suggested that I should take a look in CloudTrail.
Has anyone done something like this?
The easiest way to go is to use CloudTrail with CloudWatch Logs. In the AWS FAQ:
Q: What are the benefits of CloudTrail integration with CloudWatch Logs?
This integration enables you to receive SNS notifications of API activity captured by CloudTrail. For example, you can create CloudWatch alarms to monitor API calls that create, modify and delete Security Groups and Network ACL’s. For examples, go to the examples section of the user guide.
Based on SNS, you can then send email through SES
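As an added example (not part of the answer above), the check the answer proposes building as a CloudWatch alarm is written out here as plain detection logic over CloudTrail records, so it can be tried offline. It watches the instance-launch and security-group events from the question and escalates an ingress rule that opens a port to 0.0.0.0/0 or ::/0. The records are constructed and trimmed to the fields the check reads; real records carry many more. The equivalent metric filter pattern for the CloudWatch Logs route is included as a string.

```python
# Added example, not part of the original answer. SAMPLE_RECORDS are
# constructed CloudTrail records, reduced to the fields used below.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"instanceType": "t3.large"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/qa/carol"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {"items": []}}]}}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"}, "requestParameters": {}},
]

WATCHED = {"RunInstances", "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
           "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
           "CreateSecurityGroup", "DeleteSecurityGroup"}
WORLD = {"0.0.0.0/0", "::/0"}

# CloudWatch Logs metric filter pattern covering the same event names, for
# the CloudTrail -> CloudWatch Logs -> alarm -> SNS route the answer describes.
METRIC_FILTER_PATTERN = "{ " + " || ".join(f"($.eventName = {name})" for name in sorted(WATCHED)) + " }"


def actor(rec):
    """Who made the call: IAM user name, else the ARN, else the identity type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def open_ranges(rec):
    """Yield (protocol, fromPort, toPort, cidr) for rules open to the whole Internet."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for p in perms:
        cidrs = [r.get("cidrIp") for r in p.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in p.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in WORLD:
                yield p.get("ipProtocol"), p.get("fromPort"), p.get("toPort"), cidr


def findings(records):
    """One finding per watched event; world-open ingress rules are 'high'."""
    out = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHED:
            continue
        severity, detail = "info", ""
        if name == "AuthorizeSecurityGroupIngress":
            ranges = list(open_ranges(rec))
            if ranges:
                severity = "high"
                detail = ", ".join(f"{proto} {fp}-{tp} from {cidr}" for proto, fp, tp, cidr in ranges)
        out.append({"severity": severity, "eventName": name, "actor": actor(rec),
                    "region": rec.get("awsRegion"), "time": rec.get("eventTime"), "detail": detail})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['time']} {f['eventName']} by {f['actor']} {f['detail']}")
    print("metric filter:", METRIC_FILTER_PATTERN)
```

Run it against the records in a CloudTrail log file from S3 (the `Records` array of each gzipped JSON object) to see what the alarm would have fired on; the `high` severity is the case from the question, a port opened to the world without anyone being told.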
I think the easier way is to use the Amazon CloudTrail service.
CloudTrail logs any API call which is made on your AWS account. Every operation done on AWS is an API call (including the instance operations you mentioned).
Here you can find more information about it
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-cloudtrail-to-send-notifications.html
I hope this helps somehow.
You can find logs of your AWS account in S3,
Find below path in S3:
s3://security-logging/AWS_/AWSLogs/AWS Account no./CloudTrail/your region/year
You can also integrate CloudTrail with SQS to send notifications.
Playing around with AWS in Golang.
At the moment I use the AWS SDK front-end with Facebook as a Credentials Provider to create Identities in AWS Cognito. This works great.
I use SNS to send Push Notifications to iOS and Android, this also works great.
But I read that SNS only allows 3000 topics per User. If I understand how Cognito and SNS work (and with what I see in logs/dashboard) All Topics are created by the Role that the Cognito Identities assume. So they are all created by the same "User". So I will hit 3000 very quickly with the service in mind.
Ideally I would send AWS Credentials to my Golang back-end and there I would create Topics per Identity and confirm subscriptions.
Is it possible to create Topics per Cognito Identity, make the individual Identities the Owner of the Topic?
If so, is this a specific API call?
Or is this something that has to be set with a specific Role?
AWS doesn't typically limit things by "user" like that. The 3,000 SNS topics limit is per AWS account. This is a soft limit. You can fill out a request to have the limit raised.
Also, I'm not sure 3,000 is the default limit anymore. I can't seem to find that in any of the official documentation at this time. This is the only thing I can find, which lists a limit of 100,000 SNS topics: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_sns