user1951756

Reputation: 511

CloudFormation Permission Denied for Config Attempting to Invoke Lambda

I am attempting to create a CloudFormation Template which creates an AWS Config rule which will invoke a lambda function, but I am having trouble with giving the Config rule permissions to invoke the lambda. The name of the config rule is testConfigRule and the name of the lambda it is trying to invoke is testLambda. My AWS::Lambda::Permission looks like this...

    "lambdaInvokePermission": {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "FunctionName": {
                "Fn::GetAtt": [
                    "testLambda",
                    "Arn"
                ]
            },
            "SourceArn": {
                "Fn::GetAtt": [
                    "testConfigRule",
                    "Arn"
                ]
            },
            "Action": "lambda:InvokeFunction",
            "Principal": "config.amazonaws.com"
        },
        "DependsOn": [
            "testConfigRule"
        ]
    },

but I keep getting the following error...

The AWS Lambda function arn:aws:lambda:us-east-2:1234567:function:testLambda cannot be invoked. Check the specified function ARN, and check the function's permissions.

If I take out the SourceArn it works, but I want to limit the Permission to the one config rule.

Currently, the CFT is...

  1. Creating the lambda
  2. Creating the Config rule
  3. Creating the Permission for the Config rule to invoke the lambda

It seems to fail when it tries to test the Config rule's invoking of the lambda after the Config rule is created and before the Permission is created, so it inevitably fails with the permissions error.

Is there any way to prevent the testing of the Config rule until after the Permission is created?

Upvotes: 1

Views: 864

Answers (1)

user7401700


You must leave out the SourceArn, as you said, as it's not meant for all sources; actually only 2 at the time of writing (S3 and SES).

As it says here:

This property is not supported by all event sources. For more information, see the SourceAccount parameter for the AddPermission action in the AWS Lambda Developer Guide.

Checking the API:

This parameter is used for S3 and SES.

Upvotes: 1
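As an added illustration (not the asker's template or the answerer's code), here is how the two resources can be written so the permission is scoped without SourceArn and the rule is created only after the permission exists: SourceAccount (the parameter the quoted documentation points to) restricts the grant to Config invocations from the stack's own account, and DependsOn on the ConfigRule orders the creation. It assumes a testLambda function resource is already defined elsewhere in the template.

```json
{
  "Resources": {
    "lambdaInvokePermission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": { "Fn::GetAtt": ["testLambda", "Arn"] },
        "Action": "lambda:InvokeFunction",
        "Principal": "config.amazonaws.com",
        "SourceAccount": { "Ref": "AWS::AccountId" }
      }
    },
    "testConfigRule": {
      "Type": "AWS::Config::ConfigRule",
      "DependsOn": "lambdaInvokePermission",
      "Properties": {
        "ConfigRuleName": "testConfigRule",
        "Source": {
          "Owner": "CUSTOM_LAMBDA",
          "SourceIdentifier": { "Fn::GetAtt": ["testLambda", "Arn"] },
          "SourceDetails": [
            {
              "EventSource": "aws.config",
              "MessageType": "ConfigurationItemChangeNotification"
            }
          ]
        }
      }
    }
  }
}
```

Because the rule now depends on the permission rather than the other way round, CloudFormation's check that Config can invoke the function runs after the grant is in place.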
