3

I am utilizing Eventbridge API Destination to call my lambda function's url and throttle it to my desired rate. This works when the lambda function's invoke-url auth type is set to None. When I set the function Url auth type to AWS_IAM and create a resource-based invoke function url policy, it doesn't work.

I've tried setting the policy's principal to

  1. the account root
  2. the eventbridge role arn
  3. the eventBridgeApiDestinations service role arn (arn:aws:iam::xxxxxxxxx:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations)

None of the above work. Not sure what I'm doing wrong here or if it's even possible to do this.

Policy statement details

Statement ID
invoke-from-event-bridge-rule
Principal
arn:aws:iam::xxxxxxx:role/< my eventBridge role >
Effect
Allow
Action
lambda:InvokeFunctionUrl
Conditions
{
 "StringEquals": {
  "lambda:FunctionUrlAuthType": "AWS_IAM"
 }
}
Http417
  • 71
  • 6

1 Answers1

0

From the documentation:

Amazon EventBridge API destinations are HTTP endpoints that you can invoke as the target of a rule, similar to how you invoke an AWS service or resource as a target.

When you have EventBridge invoke your Lambda in this way, EventBridge doesn't know it is invoking a Lambda function. It doesn't even know it is invoking an AWS service. It is treating it the same as it would a third-party "webhook" external to AWS. It is not going to sign the HTTP request with AWS IAM credentials.

I suggest using a standard AWS Lambda invocation from EventBridge, instead of an HTTP endpoint invocation.

Mark B
  • 183,023
  • 24
  • 297
  • 295