
InvokePermission not automatically added to Lambda when triggered via Cloudwatch Rule #555

Closed
jnmullen opened this issue Aug 13, 2018 · 1 comment · Fixed by #558
Labels
bug This issue is a bug.

Comments

@jnmullen

Trying to wire up an EventRule as an input/trigger to a Lambda function, but the permission to allow CloudWatch to invoke the Lambda is not being added automatically.

e.g. I would expect the following to add the permission automatically, but it doesn't:

    // Imports assumed from the 2018-era CDK module names (not in the original snippet).
    import lambda = require('@aws-cdk/aws-lambda');
    import events = require('@aws-cdk/aws-events');

    // `bucket` is an S3 bucket construct defined elsewhere in the stack (not shown).
    const lambdaFunction = new lambda.Lambda(this, 'lambdaFunction', {
        code: new lambda.LambdaS3Code(bucket, 'lambda-cloudwatch-triggered.zip'),
        runtime: lambda.LambdaRuntime.NodeJS810,
        handler: 'index.handler',
        functionName: 'my-cdk-lambda-function'
    });

    // Scheduled rule; adding the function as a target is expected to grant
    // events.amazonaws.com permission to invoke it, scoped to this rule.
    const rule = new events.EventRule(this, 'Rule', {
        scheduleExpression: 'cron(0 0 * * ? *)',
    });
    rule.addTarget(lambdaFunction);

I have to add this code to get the permission added:

    // Explicit resource-based permission: only this rule's ARN may invoke the function.
    // (ServicePrincipal comes from the CDK IAM classes; import omitted in the original.)
    lambdaFunction.addPermission('allowCloudWatchInvocation', {
        principal: new ServicePrincipal('events.amazonaws.com'),
        sourceArn: rule.ruleArn
    });

Output from cdk synth shows this:

    lambdaFunctionInvokedByCloudWatchB3D0554C:
        Type: 'AWS::Lambda::Permission'
        Properties:
            Action: 'lambda:InvokeFunction'
            FunctionName:
                Ref: lambdaFunction940E68AD
            Principal: events.amazonaws.com

@eladb suspected in a gitter chat this was because the sourceArn is missing.

@eladb eladb self-assigned this Aug 14, 2018
@eladb eladb added bug This issue is a bug. security-issue labels Aug 14, 2018
eladb pushed a commit that referenced this issue Aug 14, 2018
Lambda permissions granted when it was added as an event rule target
did not include "SourceArn" as required. This allowed any event rule
to trigger the function, and also did not show as a trigger in the AWS
Lambda console.

Added an integration test to verify.

BREAKING CHANGE

To fix this, we needed to modify `IEventRuleTarget` to pass the ARN of
the rule and a unique ID to the registered target in order to allow it
to specify the Source ARN. This required fixing all existing event rule
targets (which, so far would return a role to be assumed by CWE, so the
source ARN was not required).

Fixes #555
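The gap the commit message describes (an `events.amazonaws.com` invoke grant with no `SourceArn`) is visible in a function's resource policy. As an added check, not code from the aws-cdk project or from anyone on this thread, the following TypeScript scans a Lambda resource-policy document for service-principal invoke grants that lack a `SourceArn`/`SourceAccount` condition; the two policy documents are constructed to mirror the synth output above (before) and the fixed grant (after, with a placeholder rule ARN).

```typescript
// Added example, not aws-cdk project code: audit a Lambda resource policy
// (the document returned by `aws lambda get-policy`) for service-principal
// invoke grants with no source constraint, the gap this issue describes.
interface Statement {
  Sid?: string;
  Effect: string;
  Action: string | string[];
  Principal?: { Service?: string | string[]; AWS?: string | string[] } | string;
  Condition?: Record<string, Record<string, string | string[]>>;
}
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Condition keys that pin a service-principal grant to one caller.
const SOURCE_KEYS = ["AWS:SourceArn", "AWS:SourceAccount", "aws:SourceArn", "aws:SourceAccount"];

function hasSourceConstraint(stmt: Statement): boolean {
  const cond = stmt.Condition || {};
  return Object.keys(cond).some(op => Object.keys(cond[op]).some(k => SOURCE_KEYS.indexOf(k) >= 0));
}

function grantsInvokeToService(stmt: Statement): boolean {
  const actions = ([] as string[]).concat(stmt.Action);
  const invokes = actions.some(a => a === "lambda:InvokeFunction" || a === "lambda:*" || a === "*");
  const p = stmt.Principal;
  const isService = typeof p === "object" && p !== null && p.Service !== undefined;
  return stmt.Effect === "Allow" && invokes && isService;
}

// Sids of Allow statements that let a service invoke the function without a
// SourceArn/SourceAccount condition, i.e. any event rule could fire it.
function findUnconstrainedServiceGrants(doc: PolicyDocument): string[] {
  return doc.Statement
    .filter(s => grantsInvokeToService(s) && !hasSourceConstraint(s))
    .map(s => s.Sid || "<no Sid>");
}

// Constructed policy mirroring the synth output in the issue: no SourceArn.
const beforeFix: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Sid: "lambdaFunctionInvokedByCloudWatchB3D0554C", Effect: "Allow",
    Action: "lambda:InvokeFunction", Principal: { Service: "events.amazonaws.com" } }],
};

// Same grant after the fix: scoped to one rule ARN (placeholder account and rule name).
const afterFix: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Sid: "lambdaFunctionInvokedByCloudWatchB3D0554C", Effect: "Allow",
    Action: "lambda:InvokeFunction", Principal: { Service: "events.amazonaws.com" },
    Condition: { ArnLike: { "AWS:SourceArn": "arn:aws:events:us-east-1:111122223333:rule/Rule" } } }],
};
```

Run `findUnconstrainedServiceGrants` over the policy of each deployed function; a non-empty result is a grant that still needs the `SourceArn` condition the fix in #558 adds.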
@JoshM1994

I think this is also an issue for an IoT CfnTopicRule event trigger.

The IoT rule is created but does not trigger the Lambda. After clicking "edit" on the IoT rule and saving the "changes", the function policy in Lambda is updated, which allows the rule to trigger. I guess it's because there is no IoT event in lambda-event-sources.
