In my CDK code, I've created a Lambda function that I want to create an EventBridge target. When creating an EventBridge target in the Lambda, I need to pass a RoleArn. I've attempted to create this role and pass the ARN to the Lambda function.

When the Lambda runs, I get the following error:

ValidationException: RoleArn is not supported for target arn:aws:lambda:eu-central-...

I'm creating the rule like so:

```typescript
const actionFunctionRole = new iam.Role(this, `ActionServiceRole`, {
  assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
})

actionFunctionRole.addToPolicy(
  new iam.PolicyStatement({
    resources: ['*'],
    actions: ['events:*', 'lambda:*'],
  })
)
```

In the Lambda function, I'm using the role ARN like so:

```javascript
await eventBridge
  .putTargets({
    Rule: `USER_EVENT_${images.new.userId.S}_${images.new.eventId.S}`,
    Targets: [
      {
        Arn: actionFunctionArn,
        Id: `USER_EVENT_TARGET_${images.new.userId.S}_${images.new.eventId.S}`,
        Input: '{"a": 123, "b": "YES"}',
        RoleArn: actionFunctionRoleArn,
      },
    ],
  })
  .promise()
```

What is wrong with my role definition that is making it fail within the Lambda?

Fisu

1 Answer

For a Lambda target you can't use an IAM role. Instead, you must specify a resource-based policy for your Lambda function.

In other words, you have to set your function's resource-based policy (not execution role, these are different), to allow EB to invoke it.

Marcin
  • Thanks, I'm confused why if I cannot use an IAM role, then why does EB target require a `RoleArn`? If this is not an IAM role, what is it meant to be? – Fisu Aug 15 '21 at 05:55
  • @Fisu Normally Role is not required for the target. Did you try without it? Do you get required error? – Marcin Aug 15 '21 at 05:58
  • Ah yes, I thought that it was a required property, but it is not. Removing it has fixed the issue. Many thanks! – Fisu Aug 15 '21 at 13:24
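
As an added example (not code from the question or the answer), the sketch below builds the two requests the thread arrives at: a resource-based policy statement on the function that lets `events.amazonaws.com` invoke it for one rule only, and a `putTargets` request for a Lambda target without `RoleArn`. The account ID, region, function name and rule name are constructed, and it assumes the rule is on the default event bus in the same account and region as the function.

```javascript
// Added example: builds request parameters only, no AWS SDK call is made.
// All ARNs and names below are constructed sample values.

// Split arn:partition:service:region:account:resource into its fields.
function parseArn(arn) {
  const p = String(arn).split(':');
  if (p.length < 6 || p[0] !== 'arn') throw new Error(`not an ARN: ${arn}`);
  return { partition: p[1], service: p[2], region: p[3], account: p[4] };
}

// Lambda AddPermission parameters: one resource-based policy statement that
// lets EventBridge invoke the function, limited to a single rule by SourceArn.
// Assumes the rule is on the default bus in the function's account and region.
function invokePermissionParams(functionArn, ruleName) {
  const fn = parseArn(functionArn);
  if (fn.service !== 'lambda') throw new Error('target is not a Lambda function');
  return {
    FunctionName: functionArn,
    // StatementId accepts only letters, digits, '-' and '_' (max 100 chars).
    StatementId: `events_${ruleName}`.replace(/[^A-Za-z0-9_-]/g, '_').slice(0, 100),
    Action: 'lambda:InvokeFunction',
    Principal: 'events.amazonaws.com',
    SourceArn: `arn:${fn.partition}:events:${fn.region}:${fn.account}:rule/${ruleName}`,
  };
}

// EventBridge PutTargets parameters. A Lambda target must not carry RoleArn
// (the ValidationException from the question), so reject it before the call.
function putTargetsParams(ruleName, target) {
  if (target.RoleArn && parseArn(target.Arn).service === 'lambda') {
    throw new Error('RoleArn is not supported for Lambda targets');
  }
  return { Rule: ruleName, Targets: [{ ...target }] };
}

const FUNCTION_ARN = 'arn:aws:lambda:eu-west-1:111122223333:function:action-fn';
const RULE = 'USER_EVENT_u1_e1';
const permission = invokePermissionParams(FUNCTION_ARN, RULE);
const targets = putTargetsParams(RULE, {
  Arn: FUNCTION_ARN,
  Id: 'USER_EVENT_TARGET_u1_e1',
  Input: '{"a": 123, "b": "YES"}',
});
console.log(JSON.stringify({ permission, targets }, null, 2));
```

With the AWS SDK for JavaScript, `permission` is the argument to `lambda.addPermission(...)` and `targets` the argument to `eventBridge.putTargets(...)`. Scoping the statement with `SourceArn` and the single action `lambda:InvokeFunction` replaces the `events:*` / `lambda:*` on `*` grant from the question.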