Hi,
I went down so many rabbit holes on this one :-)
To get this to work, all you need to do is remove:

```yaml
SourceAccount: !Ref AWS::AccountId
```

So, your ALBLambdaPermission should look like the following and it will get to CREATE_COMPLETE.
```yaml
ALBLambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !GetAtt MyFunction.Arn
    Principal: elasticloadbalancing.amazonaws.com
```
-randy
This is not recommended by AWS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#prepare-lambda-function
> We recommend that you include the --source-arn parameter to restrict function invocation to the specified target group.

So then, what is recommended? I have an identical setup, but my "SourceArn" is the target group (because that's what the AWS docs said to do).
But I am receiving the same error...
Lambda perms:

```yaml
AlbInvokePermission:
  DependsOn:
    - Function
    - TargetGroup
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Sub '${Function.Arn}'
    Action: 'lambda:InvokeFunction'
    Principal: elasticloadbalancing.amazonaws.com
    SourceArn: !Ref TargetGroup
```
Yes, I know that removing the SourceArn will "resolve" this issue, but will allow blanket access from ANY alb, which I definitely do not want.
Error:

```
elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke {lambda _arn} from target group {target_group_arn}
```
Edited by: HarryCaveMan on Jan 8, 2020 11:51 AM
So the issue I was having assigning my target group was due to a circular dependency between the target group and the lambda permission. I was able to work around this by naming the target group, then building the ARN as a string in the lambda permission:

```yaml
AlbInvokePermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Sub '${Function.Arn}'
    Action: 'lambda:InvokeFunction'
    Principal: elasticloadbalancing.amazonaws.com
    SourceArn: !Sub 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/TargetGroupName/*'
```
With this target group definition:

```yaml
TargetGroup:
  DependsOn:
    - AlbInvokePermission
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    Name: TargetGroupName
    TargetType: lambda
    Targets:
      - Id: !Sub '${Function.Arn}'
```
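The thread contrasts three shapes of the same `AWS::Lambda::Permission`: the one with no `SourceArn` at all (which, as noted above, lets any ALB target group invoke the function), the one that references the target group directly (which trips the circular dependency), and the workaround that builds the ARN as a string with a trailing wildcard. The following is an added example, not code from any poster in this thread: a small linter that walks a CloudFormation template and reports how tightly each ALB-facing Lambda permission is scoped. To avoid needing a YAML parser with `!Ref`/`!Sub` tag support, the template is embedded in CloudFormation's JSON object form (`{"Ref": ...}`, `{"Fn::Sub": ...}`); the resource names and the sample template are constructed for the demo, with the three permission variants taken from the posts above.

```python
"""Audit AWS::Lambda::Permission resources in a CloudFormation template for
how narrowly they scope invocation from the ALB service principal.

Added example (not from the thread). The template below is a constructed
sample in CloudFormation's JSON object form, so no YAML parser is required.
"""
from typing import Any

ALB_PRINCIPAL = "elasticloadbalancing.amazonaws.com"


def render(value: Any) -> str:
    """Flatten a literal or intrinsic (Ref / Fn::Sub / Fn::GetAtt) to a string.

    Ref and GetAtt values are only known at deploy time, so they are rendered
    as '${LogicalId}' placeholders; Fn::Sub strings are returned as written.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and len(value) == 1:
        key, arg = next(iter(value.items()))
        if key == "Fn::Sub":
            return arg if isinstance(arg, str) else arg[0]
        if key == "Ref":
            return "${%s}" % arg
        if key == "Fn::GetAtt":
            return "${%s}" % ".".join(arg)
    return repr(value)


def audit_permissions(template: dict) -> list:
    """Return (logical_id, severity, finding) for every Lambda permission
    whose Principal is the ALB service principal."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Lambda::Permission":
            continue
        props = res.get("Properties", {})
        if props.get("Principal") != ALB_PRINCIPAL:
            continue

        source_arn = props.get("SourceArn")
        if source_arn is None:
            if props.get("SourceAccount") is None:
                # Neither SourceArn nor SourceAccount: any ALB target group may invoke.
                findings.append((logical_id, "HIGH",
                                 "no SourceArn or SourceAccount: blanket ALB invoke access"))
            else:
                findings.append((logical_id, "MEDIUM",
                                 "SourceAccount only: any target group in the account may invoke"))
            continue

        rendered = render(source_arn)
        if "*" in rendered:
            # A wildcard suffix matches any target group sharing the name prefix.
            findings.append((logical_id, "MEDIUM",
                             f"wildcard SourceArn {rendered}: scoped to a name prefix, not one target group"))
        elif rendered.startswith("${"):
            # A direct reference is the tightest scope, but it is what creates the
            # circular dependency discussed in the thread.
            findings.append((logical_id, "OK",
                             f"SourceArn by reference {rendered}: tightest scope; watch for a circular dependency"))
        else:
            findings.append((logical_id, "OK", f"SourceArn pinned to {rendered}"))
    return findings


def _alb_permission(extra: dict) -> dict:
    """Helper to build one of the sample permission resources (constructed)."""
    props = {
        "FunctionName": {"Fn::GetAtt": ["MyFunction", "Arn"]},
        "Action": "lambda:InvokeFunction",
        "Principal": ALB_PRINCIPAL,
    }
    props.update(extra)
    return {"Type": "AWS::Lambda::Permission", "Properties": props}


# Constructed sample template covering the three variants seen in the thread.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ALBLambdaPermission": _alb_permission({}),
        "AlbInvokePermissionRef": _alb_permission({"SourceArn": {"Ref": "TargetGroup"}}),
        "AlbInvokePermissionWildcard": _alb_permission({"SourceArn": {"Fn::Sub":
            "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/TargetGroupName/*"}}),
        "UnrelatedPermission": {  # different principal, must be ignored
            "Type": "AWS::Lambda::Permission",
            "Properties": {"Principal": "apigateway.amazonaws.com", "Action": "lambda:InvokeFunction",
                           "FunctionName": {"Ref": "MyFunction"}},
        },
    }
}

if __name__ == "__main__":
    for logical_id, severity, finding in audit_permissions(SAMPLE_TEMPLATE):
        print(f"[{severity}] {logical_id}: {finding}")
```

Running the module prints one line per ALB-facing permission; in CI the same function can gate a template before `cloudformation deploy` so an unscoped permission never reaches `CREATE_COMPLETE` unnoticed.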
For me, the named TargetGroup has some random integer after its name in the ARN (I named the TargetGroup after it was created, in subsequent CFN template updates).

edit: never mind, I've noticed the asterisk at the end (the AWS forum text URL-encoding "feature" does not help to see details here).

edit2: unfortunately, the asterisk does not work for me. Might be not only for me: https://stackoverflow.com/questions/56347601/aws-can-lambda-permission-policy-have-a-source-from-target-group-with-wildcards
Edited by: askarkalykov on Apr 17, 2020 1:35 AM
Hey, any solution for this? I don't want to add this after everything is created in CloudFormation, and I guess it is a bad practice, so I'm eagerly waiting for a way to avoid this circular dependency problem so we can directly target the Ref.