Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AWS SNS ought to trigger my lambda, but does not

Tags:

I have an AWS lambda function that I created via apex. I've also created a SNS topic and a subscription through terraform.

My topic is: arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions

I have a subscription: arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions:2da1d182-946d-4afd-91cb-1ed3453c5d86 with a lambda type and the endpoint is: arn:aws:lambda:ap-southeast-1:178284945954:function:wowauctions_get_auction_data

I've confirmed this is the correct function ARN. Everything seems wired up correctly:

SNS picture

I trigger SNS manually:

aws sns publish    --topic-arn arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions    --message '{"endpoint": "https://us.api.battle.net", "realm": "spinebreaker"}' 

It returns the message ID but no invocation happens. Why?

like image 476
Kit Sunde Avatar asked Sep 25 '16 16:09

Kit Sunde


2 Answers

I added an inline policy to allow the lambda to be invoked:

{     "Version": "2012-10-17",     "Statement": [         {             "Sid": "Stmt1474873816000",             "Effect": "Allow",             "Action": [                 "lambda:InvokeFunction"             ],             "Resource": [                 "arn:aws:lambda:ap-southeast-1:178284945954:function:wowauctions_get_auction_data"             ]         }     ] } 

And it's now working.

like image 137
Kit Sunde Avatar answered Oct 08 '22 02:10

Kit Sunde


The SNS topic needs to have the permission to invoke the Lambda.

Here is an example how you can express that in Terraform:

# Assumption: both SNS topic and Lambda are deployed in the same region # resource "aws_sns_topic" "instance" { ... } # resource "aws_lambda_function" "instance" {... }  # Step 1: Allow the SNS topic to invoke the Lambda resource "aws_lambda_permission" "allow_invocation_from_sns" {   statement_id  = "AllowExecutionFromSNS"   action        = "lambda:InvokeFunction"   function_name = "${aws_lambda_function.instance.function_name}"   principal     = "sns.amazonaws.com"   source_arn    = "${aws_sns_topic.instance.arn}" }  # Step 2: Subscribe the Lambda to the SNS topic resource "aws_sns_topic_subscription" "instance" {   topic_arn = "${aws_sns_topic.instance.arn}"   protocol  = "lambda"   endpoint  = "${aws_lambda_function.instance.arn}" } 

Some general tips for troubleshooting this problem (a Lambda not being fired):

  1. Does my message arrive at the Lambda? -- Subscribe your email address to the SNS topic. If you get emails, you will know when messages arrive at the topic.
  2. Is the Lambda subscribed to the topic? -- Check in the AWS console (under SNS -> Topic) whether the subscription is correct (the endpoint must exactly match the ARN of the Lambda)

Once you confirmed these basic checks and you still see no invocations, it has to be a permission error. When you open the Lambda in the AWS console, you should see SNS listed as a trigger:

enter image description here

For comparison, if the permission is missing, you will not see SNS:

enter image description here

If you are not using an automated deployment (e.g., with CloudFormation or Terraform), you can also manually add the missing permission:

  1. Choose SNS under Add triggers (you will need to scroll down in the list to see it)
  2. In Configure triggers, select the SNS topic
  3. Click Add and save the Lambda
like image 26
Philipp Claßen Avatar answered Oct 08 '22 02:10

Philipp Claßen