Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Lambda.InvokeAccessDenied from Kinesis Firehose

Tags:

aws-lambda

amazon-kinesis

amazon-kinesis-firehose

aws-iam

I'm trying to set up Lambda transformations with a Firehose delivery stream. I have an IAM role defined for the Firehose which includes the following policy document:

{
    "Statement": {
        "Action": [
            "lambda:InvokeFunction",
            "lambda:GetFunctionConfiguration"
        ],
        "Resource": [<Arn>, ...],
        "Effect": "Allow"
    }
}

I've also granted sts:AssumeRole access to the Lambda role from Firehose.

This should theoretically grant my Firehose "Invoke" access to the specified lambda ARNs. But the transforms are failing with

{
  "errorCode":"Lambda.InvokeAccessDenied",
  "errorMessage":"Access was denied. Ensure that the access policy allows access to the Lambda function."
}

and no function invocations are apparent from the Lambda console. Do I have my IAM components configured correctly? Or could something else be going wrong here?

like image 248
Nathan Brown Avatar asked Mar 08 '18 19:03

Nathan Brown

People also ask

Can Lambda read from firehose?

Kinesis Data Firehose can invoke your Lambda function to transform incoming source data and deliver the transformed data to destinations. You can enable Kinesis Data Firehose data transformation when you create your delivery stream.

Can Lambda read from Kinesis stream?

Lambda supports the following options for Kinesis event sources. Kinesis stream – The Kinesis stream to read records from. Consumer (optional) – Use a stream consumer to read from the stream over a dedicated connection. Batch size – The number of records to send to the function in each batch, up to 10,000.

Can Lambda write to Kinesis firehose?

Amazon Kinesis Data Firehose captures, transforms, and loads streaming data into downstream services such as Kinesis Data Analytics or Amazon S3. You can write Lambda functions to request additional, customized processing of the data before it is sent downstream.

Can Kinesis data stream write to Kinesis firehose?

You can configure Amazon Kinesis Data Streams to send information to a Kinesis Data Firehose delivery stream.

1 Answers

This statement works for me. Note the :* at the end of the resource.

{
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "lambda:InvokeFunction",
        "lambda:GetFunctionConfiguration"
    ],
    "Resource": "arn:aws:lambda:us-west-2:11111111111:function:transform-lambda:*"
}
like image 127
whileloop Avatar answered Oct 09 '22 18:10

whileloop

Sign in to Comment

Related questions

AWS SAM template/cloudformation No integration defined for method (Service: AmazonApiGateway
Is it possible to use a newer version of the aws-sdk than provided in AWS Lambda?
Does AWS charge polling time of a Lambda function triggered by SQS?
AWS CloudFront Returns Access Denied from S3 Origin with Query String
AWS SQS doesn't reliably trigger Lambda
How to trigger lambda with some delay when message published to SQS?
AWS Lambda: cannot import name '_imaging' from 'PIL'
NPM package `pem` doesn't seem to work in AWS lambda NodeJS 10.x (results in OpenSSL error)
AWS SAM local and environment parameters
Use Promise.all() in AWS lambda
Request body serialization differences when lambda function invoked via API Gateway v Lambda Console
Reduce the size of the node-modules zip sent by the serverless framework
What are some of the pros and cons for using SAM vs serverless framework? [closed]
Python3/cloud9/lambda - making imported modules available to lambda
Allow lambda to access particular s3 bucket in serverless config
Use of Security Groups vs Role
How to setup PyCharm to develop AWS Lambda function on local machine?
sql.DB on aws-lambda too many connection
Serverless Framework - What permissions do I need to use AWS SSM Parameter Store?
AWS Lambda Java, connect to MySQL RDS

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!