AWS Cloudformation - Invocation of Lambda by Rule Event failed

Question

I tried to create a template in cloudformation, having a lambda function triggered by one cloudwatch event rule(every 10minutes). In the cloudwatch graph, I can see the invocations but also all failedinvocation. I believe it is an problem of role of the rule but I can't figure out it.

Here is my template that you can see in the cloudformation designer.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Metadata": {
        "AWS::CloudFormation::Designer": {
            "d1498a15-7d12-4ec9-bba6-3ba163574a10": {
                "size": {
                    "width": 60,
                    "height": 60
                },
                "position": {
                    "x": 450,
                    "y": 90
                },
                "z": 1,
                "embeds": []
            },
            "afe4f2cd-0634-4114-8327-1ecf60933475": {
                "size": {
                    "width": 60,
                    "height": 60
                },
                "position": {
                    "x": 310,
                    "y": 90
                },
                "z": 1,
                "embeds": [],
                "isrelatedto": [
                    "d1498a15-7d12-4ec9-bba6-3ba163574a10"
                ]
            },
            "c7843bb1-3134-44e7-9463-f9054118e52b": {
                "size": {
                    "width": 60,
                    "height": 60
                },
                "position": {
                    "x": 150,
                    "y": 90
                },
                "z": 1,
                "embeds": [],
                "isrelatedto": [
                    "afe4f2cd-0634-4114-8327-1ecf60933475",
                    "40b5efaf-5cdd-449e-9155-177461dd4d8e"
                ]
            },
            "ef4c0b58-6bb9-46c2-a4b4-64260aa2b35d": {
                "size": {
                    "width": 60,
                    "height": 60
                },
                "position": {
                    "x": 310,
                    "y": -30
                },
                "z": 1,
                "embeds": []
            },
            "40b5efaf-5cdd-449e-9155-177461dd4d8e": {
                "size": {
                    "width": 60,
                    "height": 60
                },
                "position": {
                    "x": 310,
                    "y": -40
                },
                "z": 0,
                "embeds": [],
                "isrelatedto": [
                    "afe4f2cd-0634-4114-8327-1ecf60933475"
                ]
            }
        }
    },
    "Resources": {
        "IAMR3JNYX": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "lambda.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
                ],
                "Policies": [
                    {
                        "PolicyName": "s3BackupBucket",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "s3:*"
                                    ],
                                    "Resource": {
                                        "Fn::Join": [
                                            "",
                                            [
                                                "*"
                                            ]
                                        ]
                                    }
                                },
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "s3:*"
                                    ],
                                    "Resource": {
                                        "Fn::Join": [
                                            "",
                                            [
                                                "*"
                                            ]
                                        ]
                                    }
                                },
                                {
                                    "Action": [
                                        "logs:CreateLogGroup",
                                        "logs:CreateLogStream",
                                        "logs:PutLogEvents"
                                    ],
                                    "Effect": "Allow",
                                    "Resource": "arn:aws:logs:*:*:*"
                                }
                            ]
                        }
                    }
                ]
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "d1498a15-7d12-4ec9-bba6-3ba163574a10"
                }
            }
        },
        "ER1SCU1": {
            "Type": "AWS::Events::Rule",
            "Properties": {
                "Description": "launch the lambda function every 10min",
                "Name": "eachDay",
                "ScheduleExpression": "cron(0/10 * ? * * *)",
                "State": "ENABLED",
                "RoleArn": {
                    "Fn::GetAtt": [
                        "IAMR25JO4",
                        "Arn"
                    ]
                },
                "Targets": [
                    {
                        "Arn": {
                            "Fn::GetAtt": [
                                "CreateBackUp",
                                "Arn"
                            ]
                        },
                        "Id": "CreateBackUp"
                    }
                ]
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "c7843bb1-3134-44e7-9463-f9054118e52b"
                }
            }
        },
        "CreateBackUp": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "nodejs4.3",
                "Timeout": "76",
                "Role": {
                    "Fn::GetAtt": [
                        "IAMR3JNYX",
                        "Arn"
                    ]
                },
                "Code": {
                    "ZipFile": {
                        "Fn::Join": [
                            "",
                            [
                                "my function ..."
                            ]
                        ]
                    }
                }
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "afe4f2cd-0634-4114-8327-1ecf60933475"
                }
            }
        },
        "IAMR25JO4": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": "events.amazonaws.com"
                            },
                            "Action": "sts:AssumeRole"
                        }
                    ]
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
                ],
                "Policies": [
                    {
                        "PolicyName": "InvokeBackUpLambda",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "lambda:*"
                                    ],
                                    "Resource": {
                                        "Fn::GetAtt": [
                                            "CreateBackUp",
                                            "Arn"
                                        ]
                                    }
                                },
                                {
                                    "Action": [
                                        "logs:CreateLogGroup",
                                        "logs:CreateLogStream",
                                        "logs:PutLogEvents"
                                    ],
                                    "Effect": "Allow",
                                    "Resource": "arn:aws:logs:*:*:*"
                                }
                            ]
                        }
                    }
                ]
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "40b5efaf-5cdd-449e-9155-177461dd4d8e"
                }
            }
        }
    }
}

What is the exact error message? The invocation could fail because of your node code - you can create a 'hello world' function and ensure that works, plug that into your template and see what happens then. — Raf, May 31 '17 at 07:45
My function is ok I think because, I already created (manually - without cloudformation) the event linked to the same function and the same rules. I can't see the error message ... When I create the stack cloudformation, I tried to test the function and it is working (copy one file from one bucket to an other). — DionysoSong, May 31 '17 at 07:49
There is no error logs from the lambda, I just looked at it. It can only come from the trigger/event/rule ? — DionysoSong, May 31 '17 at 08:11

score 8 · Accepted Answer · edited Jul 10 '20 at 07:30

8

It's a little late, but the basic issue here is that you're missing an entry for the AWS::Lambda:Permission. You need to create an entry that allows your event rule to invoke your lambda like so (I prefer yaml, but you get the idea):

LambdaInvokePermission:
  Type: "AWS::Lambda::Permission"
  Properties:
    FunctionName: !GetAtt
      - CreateBackUp
      - Arn
    Action: 'lambda:InvokeFunction'
    Principal: events.amazonaws.com
    SourceArn: !GetAtt
      - ER1SCU1
      - Arn

edited Jul 10 '20 at 07:30

j0k

22,600
28
79
90

answered Mar 15 '18 at 21:57

nhoel

96
1
2

1

I am confused about when to use permissions vs. roles. Initially, I tried to create a role with a policy allowing it to invoke my lambda function, and assign the role to the events.amazonaws.com principal. This did not work, but your solution to create a lambda permission did work. – superlazy Nov 27 '19 at 20:02
@superlazy cannot be more messy. Permissions, roles, policies, documents, statements, principals, trusted relationships,.....cannot be worse in my opinion, aws would be 50% easier if just simplify this chaos, there is even a simulator of permissions, that says all – Francisco Albert Feb 15 '22 at 10:25

AWS Cloudformation - Invocation of Lambda by Rule Event failed

1 Answers1

Linked