AWS Pinpoint Custom Channel: Could not properly invoke Lambda function specified in hook

Question

I'm attempting to create a (beta) Custom Channel for my AWS Pinpoint Project by setting up a CampaignHook that executes a Lambda Function as per the example documentation.

My lambda function seems to work correctly on its own. However, when I get to the point where I am pointing the CampaignHook to the lambda function I am getting this error:

> aws lambda add-permission --function-name arn:aws:lambda:us-east-1:my-account-id:function:MyFunctionName \
    --statement-id s1 \
    --action lambda:InvokeFunction \
    --principal pinpoint.us-east-1.amazonaws.com \
    --source-arn 'arn:aws:mobiletargeting:us-east-1:my-account-id:/apps/my-pinpoint-project-id/campaigns/*'
=> 
{
    "Statement": "{\"Sid\":\"s1\",\"Effect\":\"Allow\",\"Principal\": {\"Service\":\"pinpoint.us-east-1.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:my-account-id:function:MyFunctionName\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:mobiletargeting:us-east-1:my-account-id:/apps/my-pinpoint-project-id/campaigns/*\"}}}"
}

> aws pinpoint update-application-settings \
    --application-id my-pinpoint-project-id \
    --write-application-settings-request '{\"CampaignHook\": { \"LambdaFunctionName\": \"arn:aws:lambda:us-east-1:my-account-id:function:MyFunctionName\", \"Mode\": \"DELIVERY\" }}'

=> An error occurred (BadRequestException) when calling the UpdateApplicationSettings operation: Could not properly invoke Lambda function specified in hook.

My function is in C#, and the handler's signature is:

public async Task<String> FunctionHandler(Object evt, ILambdaContext context)

Any idea what the error message means? I'm not sure if it's a permissions issue or if there's a problem with the command itself.

Answer 1

I encountered this error while trying to create a Pinpoint project campaign hook in the CDK/Typescript.

This is the syntax that worked for me:

pinpointProjectCampaignHookLambda.addPermission('pinpointProjectCampaignHookLambdaInvocation', {
    principal: new iam.ServicePrincipal(`pinpoint.${myRegion}.amazonaws.com`),
    action: 'lambda:InvokeFunction',
    sourceArn: `arn:aws:mobiletargeting:${myRegion}:${myAccount}:apps/${pinpointProject.ref}/campaigns/*`, // All Pinpoint campaigns in account.
    sourceAccount: myAccount
});

And the resource policy generated for the Lambda function matches the AWS documentation below.

"To write a more generic policy, use a multicharacter match wildcard (*). For example, you can use the following Condition block to allow any campaign in a specific Amazon Pinpoint project (application-id) to invoke the function:"

"Condition": {
  "StringEquals": {
    "AWS:SourceAccount": "111122223333"
  },
  "ArnLike": {
    "AWS:SourceArn": "arn:aws:mobiletargeting:us-east-1:account-id:apps/application-id/campaigns/*"
  }
}

Answer 2

The best way to use the arn for custom channel is :

arn:aws:mobiletargeting:us-east-1:account-id:/apps/*

This works for me!!

Answer 3

A Pinpoint project's SourceARN should look like this:

arn:aws:mobiletargeting:us-east-1:my-account-id:/apps/my-pinpoint-project-id

I was mistakenly adding a wildcard for a campaign ARN. The correct command is:

aws lambda add-permission --function-name arn:aws:lambda:us-east-1:my-account-id:function:MyFunctionName \
    --statement-id s1 \
    --action lambda:InvokeFunction \
    --principal pinpoint.us-east-1.amazonaws.com \
    --source-arn 'arn:aws:mobiletargeting:us-east-1:my-account-id:/apps/my-pinpoint-project-id'