I am making a call to aws cloudWatchEvent putRule & PutTarget api through aws sdk to create a cloudWatch Rule and attach a target to it. My Target is a lambda function, the rule gets created, the target gets attached to the rule but when the rule triggers based on its schedule the target lambda function not trigger. So I looked further and found out that the event source under the lambda function is not added which makes it not trigger. If I create the rule and target through AWS console the event source gets created and everything works but not thorugh API.
You'll need to call the lambda add-permission after adding the target.
That is (via boto3 for me):
create the lambda
create the rule
create the targets
call lambda add-permission with the lambda arn
see boto3 documentation or the cli doc.
It is possible to add event sources via aws sdk. I faced the same issue and please see code below as the solution using java.
AddPermissionRequest addPermissionRequest = new AddPermissionRequest();
addPermissionRequest.setStatementId("12345ff"); //any unique string would go
addPermissionRequest.withSourceArn(ruleArn);
addPermissionRequest.setAction("lambda:InvokeFunction");
addPermissionRequest.setPrincipal("events.amazonaws.com");
addPermissionRequest.setFunctionName("name of your lambda function");
AWSLambdaAsyncClient lambdaClient = new AWSLambdaAsyncClient();
lambdaClient.withRegion(Regions.US_EAST_1); //region of your lambda's location
lambdaClient.addPermission(addPermissionRequest);
I had same issue here, and i solve this by what #Anvita Shukla has sugested.
This worked fine when i do:
create the lambda (this i was created in web page)
And with SDK
create the rule object
create the target object
put request of the rule
put request of the target
get response object of rule request to retrieve the rule ARN
create permission object (has #Anvita Shukla said) and set the rule
ARN
add permission by lambda client object
In the aws lambda page i can see my lambdas with associated triggers events. And in aws cloudwatch events page i can see the created rules.
I wrote this in java lang. If you want i can share the code.
I fixed it. You need to add permission for lambda with SourceArn is cloud watch after putTargets. For example :
var lambdaPermission = {
FunctionName: 'cloudwatch-trigger',
StatementId : timestamp.toString(),
Action: 'lambda:InvokeFunction',
Principal: 'events.amazonaws.com',
SourceArn: 'arn:aws:events:ap-southeast-1:XXXXXX:rule/schedule_auto_1'
};
lambda.addPermission(lambdaPermission, function(err, data) {
if (err) {
console.log("Error", err);
} else {
console.log("Success", data);
console.log("add permisson done");
}
});
As far as I understand this is currently not possible through the SDK, CloudWatch event sources can only be added to lambdas through the console as you said or using the CLI. If I'm wrong I would love to know what is possible, but the documentation here seems to agree.
http://docs.aws.amazon.com/lambda/latest/dg/with-scheduled-events.html
Related
I'm using Terraform to allocate a Lambda function that's triggered by a request to an API Gateway on AWS. Here's my .tf file:
dsf
This correctly sets up the Lambda function, but something is off with the API Gateway. When I curl with the output URL (https://cqsso4fw67.execute-api.us-east-1.amazonaws.com), it gives me the following:
curl https://cqsso4fw67.execute-api.us-east-1.amazonaws.com/
{"message":"Internal Server Error"}%
If I manually remove this API Gateway and create a new one from the AWS Console within the Lambda function and run curl again, I get "SUCCESS!" (which is what my Lambda should do).
smf
Any ideas how I can fix the .tf file to correctly setup the API Gateway trigger?
Here are the differences between the one created in AWS and the one provisioned in Terraform. Terraform one is at the top.
The TF code that you showed is correct. Most likely reason for the failure is your lambda function, which you haven't showed. You have to inspect lambda function logs in CloudWatch to check why it fails.
Edit:
The function should return:
return {
'statusCode': 200,
'body': 'SUCCESS'
}
If anyone comes across this issue, I managed to fix it by greatly simplifying things. I switched out all the API Gateway clauses in the Terraform file with just:
resource "aws_apigatewayv2_api" "apigw-terraform" {
name = "terraform-api"
protocol_type = "HTTP"
target = aws_lambda_function.w-scan-terraform.arn
}
The tutorial I was following had implemented something more complex than what I needed.
I'm attempting to set up a Cloudwatch Event Rule to notify on any AWS IAM actions like DeleteUser or CreateUser. But when I tried to create an event pattern I couldn't find IAM in the service Name list even though when I searched in the AWS documentation i cant's find a mention of IAM not being supported by Cloudwatch event rules. So I tried to create a custom event but i didn't receive any email from SNS (my target), and yes I made sure cloudwatch has permissions to invoke SNS as we already have other working events, any idea on why this is not working ?
{
"source":[
"aws.iam"
],
"detail-type":[
"AWS API Call via CloudTrail"
],
"detail":{
"eventSource":[
"iam.amazonaws.com"
],
"eventName":[
"CreateUser",
"DeleteUser"
]
}
}
I figure it out, IAM emits cloudtrail events only in us-eas-1 and I'm using a different region, it worked when I created the Cloudwatch event in N. Virgenia
The source parameter needs to be "aws.cloudtrail" not "aws.iam".
IAM policy is a global service. It can only report in US-East-1(N.Virginia).
I have same exact config and the region is same as well but creating a new user still don't trigger the event as there is event in clouldtrail as well as in the monitoring of the event rule created. I see that they say in document that cloudtrail has to be enabled but when I create a rule for security group modification which is ec2 events then it is working fine but not with iam one. Is there any permission that I am missing for aws events to send logs to clould trail , if so how did you guys resolved it.
In the AWS Lambda management console you can have test events associated with a function.
Is it possible to configure the test events when deploying the Lambda function using the AWS CDK such that the test events are ready to use when someone later views the function in the management console?
That is not possible at the moment as CloudFormation itself does not support this (see this answer). You can, as mentioned in the linked post, use a CloudFormation CustomResource to prepare the invocation.
Another option is to create a output that prepares a cli command with payload. So that you can just copy past the generated call aws lambda invoke --function-name {PopulateFromCDK} --payload '{"key": "value"}'
Since AWS has enabled to have CodeCommit, CodeDeploy,... now available also in other regions, I have decided to move some of those services from eu-west-1 to eu-central-1, closer to home.
In the existing setup, I have created a lambda function which gets triggered when a commit is pushed to a CodeCommit repo and sends a nice notification about it to our Slack channel. It works, great.
But now, when I've tried to recreate the same functionality in eu-central-1 (Frankfurt), I got stuck.
I can't seem to create a trigger for CodeCommit to trigger a Lambda function. I've tried in some other regions and it works flawlessly.
I know that:
the rights, roles, policies and permissions are setup correctly
it works in other regions
the code commit item is missing from the list of triggers when you create a Lambda function
If I try to create a trigger the other way around, starting from the code commit side, I get an error:
AWS CodeCommit does not have access to the destination or the destination does not exist.
Any idea if triggering has been forgotten during the implementation of CodeCommit in eu-central-1 or are there any other tricks I can try to get this working?
Thank you!
I believe the issue is that your Lambda function may be missing a policy which allows CodeCommit to invoke your function. If your new lambda function does not specify CodeCommit as a principal, they will not be able to invoke your function.
Usually, the easiest way to have this policy is by setting up your trigger in the Lambda console. Unfortunately, because CodeCommit is newly launched in these regions, this quick setup is not yet available. However, you can still follow the manual setup steps outlined here: http://docs.aws.amazon.com/codecommit/latest/userguide/how-to-notify-lambda-cc.html#how-to-notify-lam-perm
TLDR:
Create a json file 'AllowAccessfromMyDemoRepo.json':
{
"FunctionName": "MyCodeCommitFunction",
"StatementId": "1",
"Action": "lambda:InvokeFunction",
"Principal": "codecommit.amazonaws.com",
"SourceArn": "arn:aws:codecommit:eu-central-1:80398EXAMPLE:MyDemoRepo",
"SourceAccount": "80398EXAMPLE"
}
Run Lambda add-permission api:
aws lambda add-permission --cli-input-json file://AllowAccessfromMyDemoRepo.json
It's simply not yet available at Frankfurt. maybe give a try in Ireland instead?
Unable to create a recurring schedule for lambda.
What I did:
1) Created the function and successfully tested it.
2) Went to event source section in the AWS mgmt console.
3) clicked on add event source.
4) with default settings of rate(5 minutes) clicked on submit.
Got the error:
There was an error creating the event source mapping: Could not create
scheduled-event event source
I went through the docs and ran this statement via AWS CLI:
aws lambda add-permission --statement-id Allow-scheduled-events --action lambda:InvokeFunction --principal events.amazonaws.com --function-name function:myfunction
The above statement went through successfully, I tried running it again and it said the permission already exists confirming that it ran.
I tried adding the schedule again but got the same error.
Am i supposed to change the role or something? Can't anything else in the docs. The lambda is running with basic lambda execution role.
UPDATE
I temporarily gave the role under which the Lambda is executing admin access, still the same error.
Workaround
FYI... for people facing this problem, I could achieve the same result by going to cloudwatch and adding an event targeting lambda from there... same thing, that still does not answer this question though. I cant imagine that AWS console has such a gaping bug that they aren't doing anything about.
In my case my Lambda and S3 were not in the same region. I found out by, instead of adding the trigger on the Lambda, adding the event from s3.