serverless-plugin-aws-alerts

Topics have no permissions to invoke lambda

Open sylwit opened this issue 7 years ago • 3 comments

This is a Bug Report

Description

For bug reports:

  • What went wrong?

If you want a notification to call a lambda, the topic doesn't have permission to invoke it.

  • What did you expect should have happened?

The topic should be able to invoke the lambda defined in the notification.

  • What was the config you used?

custom:
    notifications:
      - protocol: email
        endpoint: [email protected]
      - protocol: lambda
        endpoint:
          Fn::Join:
            - ":"
            - - "arn:aws:lambda"
              - Ref: "AWS::Region"
              - Ref: "AWS::AccountId"
              - "function"
              - ${self:service}-${self:provider.stage}-snsToSlack

  • What stacktrace or error message from your provider did you see?

No error

For feature proposals:

  • What is the use case that should be solved. The more detail you describe this in the easier it is to understand for us.
  • If there is additional config how would it look

Similar or dependent issues:

Additional Data

  • Serverless Framework Version: 1.25
  • Stack Trace:
  • Provider Error messages:

Subscribing a lambda to a topic isn't enough to make it invokable. The topic must also have permission to call the lambda. Here are some readings that helped me to figure out the problem: https://iangilham.com/2016/03/22/Sns-trigger-lambda-via-cloudformation.html (Permission for the Topic to invoke the Lambda), https://aws.amazon.com/blogs/mobile/invoking-aws-lambda-functions-via-amazon-sns/ (Preparing the Lambda function for invocation)

I was going to make a PR, instead I ended up adding events to my lambda as so:

  snsToSlack:
    handler: snsToSlack.handler
    runtime: nodejs6.10
    package:
      include:
        - snsToSlack.js
    events:
      - sns:
          topicName: ${self:custom.prefix}-alerts-ok
          arn:
            Fn::Join:
              - ":"
              - - "arn:aws:sns"
                - Ref: "AWS::Region"
                - Ref: "AWS::AccountId"
                - ${self:custom.prefix}-alerts-ok

      - sns:
          topicName: ${self:custom.prefix}-alerts-alarm
          arn:
            Fn::Join:
              - ":"
              - - "arn:aws:sns"
                - Ref: "AWS::Region"
                - Ref: "AWS::AccountId"
                - ${self:custom.prefix}-alerts-alarm

sylwit avatar Jan 16 '18 19:01 sylwit
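
The missing permission described in this issue, written out as CloudFormation in the `resources` section of serverless.yml. This is an added example, not code from the plugin or from the posts in this thread: the two resource logical IDs are made up, `SnsToSlackLambdaFunction` assumes the Serverless Framework's usual generated logical ID for the `snsToSlack` function, and the topic names are the ones used in the workaround above.

```yaml
resources:
  Resources:
    # Resource-based policy statement on the function: lets SNS invoke it,
    # but only on behalf of the alarm topic named in SourceArn.
    AlertsAlarmTopicInvokePermission:   # hypothetical logical ID
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        Principal: sns.amazonaws.com
        FunctionName:
          # Assumed logical ID that Serverless generates for "snsToSlack"
          Fn::GetAtt: [SnsToSlackLambdaFunction, Arn]
        # Keep SourceArn: without it the grant covers every SNS topic,
        # not just this one.
        SourceArn:
          Fn::Join:
            - ":"
            - - "arn:aws:sns"
              - Ref: "AWS::Region"
              - Ref: "AWS::AccountId"
              - ${self:custom.prefix}-alerts-alarm

    # Same grant for the OK topic; one statement per topic keeps each
    # permission scoped to a single source.
    AlertsOkTopicInvokePermission:      # hypothetical logical ID
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        Principal: sns.amazonaws.com
        FunctionName:
          Fn::GetAtt: [SnsToSlackLambdaFunction, Arn]
        SourceArn:
          Fn::Join:
            - ":"
            - - "arn:aws:sns"
              - Ref: "AWS::Region"
              - Ref: "AWS::AccountId"
              - ${self:custom.prefix}-alerts-ok
```

After deployment, `aws lambda get-policy --function-name <function>` shows whether both statements are attached and that each carries an `AWS:SourceArn` condition.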

Any way around this? I don't really want to plug my SNS topics into the lambdas, because there are lots of them.

rodrigogs avatar Apr 10 '21 03:04 rodrigogs

We need to update the plugin so that when there is a lambda as protocol, the appropriate IAM permission is also added. Happy for someone to create a PR for this.

adikari avatar Apr 11 '21 00:04 adikari

I really need it, so I can put some effort to develop this feature. If anybody could help me to figure out the best way, it would be great.

rodrigogs avatar Apr 12 '21 12:04 rodrigogs