0

I'm trying to use the CLI and Ansible to deploy a CloudFront instance with attached Lambda / Lambda@Edge functions, but I'm running into the following error:

Lambda@Edge cannot enable replication for the specified Lambda function. Update the IAM policy to add permission: lambda:EnableReplication* for resource: arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1 and try again.

The documentation does say that I need lambda:EnableReplication*, but when I try to add the permissions to the lambda function via this command:

aws lambda add-permission --function-name FUNCTIONNAME:1 --action "lambda:EnableReplication*" --statement-id something --principal "*" --output text

I get the following error:

An error occurred (ValidationException) when calling the AddPermission operation: 1 validation error detected: Value 'lambda:EnableReplication*' at 'action' failed to satisfy constraint: Member must satisfy regular expression pattern: (lambda:[*]|lambda:[a-zA-Z]+|[*])

How am I supposed to add these permissions so that this can be successful? What am I doing wrong here?

John Rotenstein
Trihedron

3 Answers

0

Hi, I ran into the same issue, and it took me some time to figure out. I started trying as you did with aws lambda add-permission (role-based policy). But the permissions you need to add, like lambda:EnableReplication*, should not be added to the resource-based policy but to the execution role (if you're running from a Lambda, like in my case) or to the user if you're using the CLI (like I think is your case). Hope this helps! :)

chamix
0

The error that comes back from AWS is not quite correct. Here is a working example.

aws lambda add-permission \
  --function-name "name-of-your-function" \
  --action "lambda:EnableReplication" \
  --statement-id "lambda_enable_replication" \
  --principal "*" \
  --output text 

You can also accomplish this with CloudFormation.

EdgeAuthEnableReplicationPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: "lambda:EnableReplication"
    FunctionName: !Ref FunctionResource
    Principal: "*"
Jarrett Meyer
0

The error message is incorrect. As per the documentation, you need to add the lambda:EnableReplication* permission to:

  • arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME

rather than to:

  • arn:aws:lambda:us-east-1:ACCOUNTNUMBER:function:FUNCTIONNAME:1

Notice that the replication permission should go on the function itself rather than on a particular version of the function.

David Foster
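Putting the last two answers together, as an added example that is not from any of the post authors: a small Python preflight helper that derives the corrected inputs from the error message, namely the unqualified function ARN (no :1 version suffix) and the wildcard-free action that AddPermission's validator accepts, and also emits the identity-based policy for the user or role running the deployment. The account id and function name in the sample message are constructed placeholders.

```python
import re

# Pattern quoted in the AddPermission ValidationException above: resource-based policies
# accept only "lambda:*", "lambda:<ActionName>" or "*", so "lambda:EnableReplication*" is
# rejected by the API itself, whatever the Lambda@Edge error text suggests.
ADD_PERMISSION_ACTION = re.compile(r"^(lambda:[*]|lambda:[a-zA-Z]+|[*])$")
ARN_IN_MESSAGE = re.compile(r"arn:[a-z-]+:lambda:\S+")

# Constructed sample of the error on this page; account id and function name are placeholders.
SAMPLE_ERROR = ("Lambda@Edge cannot enable replication for the specified Lambda "
                "function. Update the IAM policy to add permission: lambda:EnableReplication* "
                "for resource: arn:aws:lambda:us-east-1:123456789012:function:edge-auth:1 "
                "and try again.")

def function_arn_from_error(message: str) -> str:
    """Pull the function ARN out of the Lambda@Edge replication error text."""
    m = ARN_IN_MESSAGE.search(message)
    if not m:
        raise ValueError("no Lambda function ARN in message")
    return m.group(0)

def unqualified_function_arn(arn: str) -> str:
    """Drop the ':<version>'/':<alias>' qualifier: replication is granted on the
    function itself (...:function:NAME), not on a published version (...:NAME:1)."""
    p = arn.split(":")
    if len(p) not in (7, 8) or p[0] != "arn" or p[2] != "lambda" or p[5] != "function":
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return ":".join(p[:7])

def add_permission_action(action: str) -> str:
    """Return the action spelled the way AddPermission's validator accepts it."""
    if ADD_PERMISSION_ACTION.match(action):
        return action
    base = action.rstrip("*")
    if action.endswith("*") and ADD_PERMISSION_ACTION.match(base):
        return base  # "lambda:EnableReplication*" -> "lambda:EnableReplication"
    raise ValueError(f"{action!r} is not a valid AddPermission action")

def deployer_policy(arn: str) -> dict:
    """Identity-based policy for the user/role running the deploy (CLI or Ansible);
    identity policies do accept the documented wildcard form of the action."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["lambda:EnableReplication*"],
            "Resource": [unqualified_function_arn(arn)]}]}

def add_permission_argv(arn: str, principal: str = "*") -> list:
    """Corrected CLI call (--function-name also accepts a full ARN). Prefer a
    narrower principal than "*" wherever your setup allows it."""
    return ["aws", "lambda", "add-permission", "--function-name", unqualified_function_arn(arn),
            "--action", add_permission_action("lambda:EnableReplication*"),
            "--statement-id", "lambda_enable_replication", "--principal", principal]
```

Feed the real error text to function_arn_from_error and pass the result to deployer_policy (attach to the deploying identity) or add_permission_argv (the resource-based route shown above) instead of retyping the ARN by hand.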