2

I am trying to associate a Lambda@Edge Function using the AWS Go SDK.

  1. Creating the Function by hand in the console and assigning it to the CloudFront distro using the SDK => works.

  2. Creating the Function (using the same IAM role from 1.) in the code w/o assigning to CloudFront => works.

  3. Assigning the created function from 2. by hand in the console => fails.

  4. Assigning the created function from 2. via the SDK => fails.

  5. Deploying the created function from 2. by hand in the lambda console (Actions => deploy to lambda@edge) => works. => after this the function can be assigned by hand and by code w/o problems...

The error in 3. and 4. is the same:

InvalidLambdaFunctionAssociation: Lambda@Edge cannot retrieve the specified Lambda function. Update the IAM policy to add permission: lambda:GetFunction for resource: arn:aws:lambda:us-east-1:123456789:function:example:1 and try again.

What confuses me is that I am reusing the same role that was created during 1.

This is how I create the function by code:

lam := lambda.New(session)
lam.CreateFunction(&lambda.CreateFunctionInput{
    FunctionName: aws.String("example"),
    Handler:      aws.String("index.handler"),
    Runtime:      aws.String("nodejs12.x"),
    Role:         aws.String("arn:aws:iam::123456:role/service-role/existing-role"),
    Code: &lambda.FunctionCode{
        S3Bucket: aws.String("bucket-xyz"),
        S3Key:    aws.String("source.zip"),
    },
}) // works w/o issues

lam.AddPermission(&lambda.AddPermissionInput{
    FunctionName: aws.String("example"),
    StatementId:  aws.String("AllowExecutionFromCloudFront"),
    SourceArn:    aws.String("arn:aws:cloudfront::12333456:distribution/CDNID1234"),
    Principal:    aws.String("edgelambda.amazonaws.com"),
    Action:       aws.String("lambda:GetFunction"),
}) // also works w/o error

// assigning the created lambda function would now fail

using

go 1.13

github.com/aws/aws-sdk-go v1.31.8

SlootSantos
  • Out of curiosity, does it help if you add a delay between adding the permission and assigning the function? I'd try up to 5 minutes in case there is an eventual consistency issue. – Ben Whaley Jun 10 '20 at 19:10
  • @BenWhaley good point.. happens often w/ AWS.. but yes I did try delaying it.. Still no luck. – SlootSantos Jun 10 '20 at 20:12

2 Answers

4

I found the issue.

The error has absolutely nothing to do with the actual problem. Very misleading error if you ask me.

All that's been missing is a published version of the lambda function at hand.

To achieve that using the Go SDK you have to do:

lam := lambda.New(session)
lam.PublishVersion(&lambda.PublishVersionInput{
    FunctionName: aws.String("example"),
    Description:  aws.String("Dont forget to publish ;)"),
})

Using the CLI you would want to do the following:

aws lambda publish-version --function-name example --description "Dont forget to publish"

It actually makes sense that you cannot use a function that hasn't been published. However, the error from AWS didn't really help there.

Hopefully this can help anybody!

SlootSantos
0

This error occurred for me because the IAM user didn't have adequate permissions to access versions of the Lambda function.

  • Before (only one resource specifying the Lambda function):

    arn:aws:lambda:<region>:*:function:<function_name>
    
  • After (additional wildcard resource for versions of the Lambda function):

    arn:aws:lambda:<region>:*:function:<function_name>
    arn:aws:lambda:<region>:*:function:<function_name>:*
    
sdgluck
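An added example, not part of either answer and not AWS or SDK code: a stdlib-only Go pre-flight check that covers both answers above. It rejects an ARN that is not a published, numbered version before it is handed to CloudFront, and shows why an IAM `Resource` pattern without the `:*` suffix does not cover the versioned ARN. `checkEdgeARN` and `iamMatch` are hypothetical helper names; the sample ARN is the one from the error message, and the `<region>` and `<function_name>` placeholders from the second answer are filled in as `us-east-1` and `example` for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// checkEdgeARN accepts only a numbered version ARN in us-east-1 (not $LATEST or an alias).
func checkEdgeARN(arn string) error {
	p := strings.Split(arn, ":") // arn:aws:lambda:<region>:<acct>:function:<name>[:<qualifier>]
	if len(p) < 7 || len(p) > 8 || p[0] != "arn" || p[2] != "lambda" || p[5] != "function" {
		return fmt.Errorf("not a Lambda function ARN: %q", arn)
	}
	if p[3] != "us-east-1" {
		return fmt.Errorf("region %q: Lambda@Edge functions must be in us-east-1", p[3])
	}
	if len(p) == 7 {
		return fmt.Errorf("unqualified ARN: publish a version and use the versioned ARN")
	}
	if n, err := strconv.Atoi(p[7]); err != nil || n < 1 {
		return fmt.Errorf("qualifier %q is not a published version number", p[7])
	}
	return nil
}

// iamMatch applies IAM resource wildcards: '*' = any run of characters, '?' = exactly one.
func iamMatch(pat, s string) bool {
	if pat == "" {
		return s == ""
	}
	if pat[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if iamMatch(pat[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && (pat[0] == '?' || pat[0] == s[0]) && iamMatch(pat[1:], s[1:])
}

func main() {
	// Constructed samples: the ARN from the error message and the "before" Resource pattern.
	arn := "arn:aws:lambda:us-east-1:123456789:function:example:1"
	before := "arn:aws:lambda:us-east-1:*:function:example"
	fmt.Println(checkEdgeARN(arn), checkEdgeARN(strings.TrimSuffix(arn, ":1")))
	fmt.Println(iamMatch(before, arn), iamMatch(before+":*", arn))
}
```

Running the check on the ARN returned by `PublishVersion` before the association call turns the misleading `lambda:GetFunction` error into a specific local failure.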