I have an AWS lambda function that I created via apex. I've also created a SNS topic and a subscription through terraform.
My topic is: arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions
I have a subscription: arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions:2da1d182-946d-4afd-91cb-1ed3453c5d86 with a lambda type and the endpoint is: arn:aws:lambda:ap-southeast-1:178284945954:function:wowauctions_get_auction_data
I've confirmed this is the correct function ARN. Everything seems wired up correctly:

I trigger SNS manually:

```
aws sns publish --topic-arn arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions --message '{"endpoint": "https://us.api.battle.net", "realm": "spinebreaker"}'
```

It returns the message ID but no invocation happens. Why?
I added an inline policy to allow the lambda to be invoked:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1474873816000",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:ap-southeast-1:178284945954:function:wowauctions_get_auction_data"
      ]
    }
  ]
}
```

And it's now working.
The SNS topic needs to have the permission to invoke the Lambda.
Here is an example of how you can express that in Terraform:
```
# Assumption: both SNS topic and Lambda are deployed in the same region
# resource "aws_sns_topic" "instance" { ... }
# resource "aws_lambda_function" "instance" {... }

# Step 1: Allow the SNS topic to invoke the Lambda
resource "aws_lambda_permission" "allow_invocation_from_sns" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.instance.function_name}"
  principal     = "sns.amazonaws.com"
  source_arn    = "${aws_sns_topic.instance.arn}"
}

# Step 2: Subscribe the Lambda to the SNS topic
resource "aws_sns_topic_subscription" "instance" {
  topic_arn = "${aws_sns_topic.instance.arn}"
  protocol  = "lambda"
  endpoint  = "${aws_lambda_function.instance.arn}"
}
```

Some general tips for troubleshooting this problem (a Lambda not being fired):
endpoint must exactly match the ARN of the Lambda)

Once you have confirmed these basic checks and you still see no invocations, it has to be a permission error. When you open the Lambda in the AWS console, you should see SNS listed as a trigger:

For comparison, if the permission is missing, you will not see SNS:

If you are not using an automated deployment (e.g., with CloudFormation or Terraform), you can also manually add the missing permission:
SNS under Add triggers (you will need to scroll down in the list to see it)
Configure triggers, select the SNS topic
Add and save the Lambda
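
A check for the permission described in the answer above, as an added example that is not part of the original answers: it reads a Lambda resource policy (the `Policy` field returned by `aws lambda get-policy`) and reports whether SNS may invoke the function and whether the grant is scoped to the topic by source ARN. The ARNs come from the question; the sample policy is constructed and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

SNS_PRINCIPAL = "sns.amazonaws.com"
FUNCTION_ARN = "arn:aws:lambda:ap-southeast-1:178284945954:function:wowauctions_get_auction_data"
TOPIC_ARN = "arn:aws:sns:ap-southeast-1:178284945954:fetch_realm_auctions"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _source_arns(statement):
    """Collect AWS:SourceArn patterns from ArnLike/ArnEquals conditions."""
    patterns = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() in ("arnlike", "arnequals"):
            for key, value in keys.items():
                if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                    patterns.extend(_as_list(value))
    return patterns

def check_sns_invoke(policy_json, function_arn, topic_arn):
    """Return 'ok', 'unscoped' (any SNS topic may invoke) or 'missing'."""
    result = "missing"
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or SNS_PRINCIPAL not in services:
            continue
        if ("lambda:InvokeFunction" not in _as_list(st.get("Action", []))
                or function_arn not in _as_list(st.get("Resource", []))):
            continue
        patterns = _source_arns(st)
        # fnmatchcase approximates the * and ? wildcards that ArnLike accepts.
        if any(fnmatchcase(topic_arn, p) for p in patterns):
            return "ok"
        if not patterns:
            result = "unscoped"
    return result

def sample_policy(condition=None):
    """Constructed policy document, shaped like the Policy field of get-policy."""
    statement = {"Sid": "AllowExecutionFromSNS", "Effect": "Allow",
                 "Principal": {"Service": SNS_PRINCIPAL},
                 "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if condition:
        statement["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})

if __name__ == "__main__":
    scoped = sample_policy({"ArnLike": {"AWS:SourceArn": TOPIC_ARN}})
    print(check_sns_invoke(scoped, FUNCTION_ARN, TOPIC_ARN))
```

A result of `unscoped` means the statement names `sns.amazonaws.com` without a source ARN condition, so the grant is not limited to this topic; setting `source_arn` as in the Terraform above narrows it.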