I'm trying to create an S3 bucket and immediately assign a lambda notification event to it.
Here's the node test script I wrote:
const aws = require('aws-sdk'); const uuidv4 = require('uuid/v4'); aws.config.update({ accessKeyId: 'key', secretAccessKey:'secret', region: 'us-west-1' }); const s3 = new aws.S3(); const params = { Bucket: `bucket-${uuidv4()}`, ACL: "private", CreateBucketConfiguration: { LocationConstraint: 'us-west-1' } }; s3.createBucket(params, function (err, data) { if (err) { throw err; } else { const bucketUrl = data.Location; const bucketNameRegex = /bucket-[a-z0-9\-]+/; const bucketName = bucketNameRegex.exec(bucketUrl)[0]; const params = { Bucket: bucketName, NotificationConfiguration: { LambdaFunctionConfigurations: [ { Id: `lambda-upload-notification-${bucketName}`, LambdaFunctionArn: 'arn:aws:lambda:us-west-1:xxxxxxxxxx:function:respondS3Upload', Events: ['s3:ObjectCreated:CompleteMultipartUpload'] }, ] } }; // Throws "Unable to validate the following destination configurations" until an event is manually added and deleted from the bucket in the AWS UI Console s3.putBucketNotificationConfiguration(params, function(err, data) { if (err) { console.error(err); console.error(this.httpResponse.body.toString()); } else { console.log(data); } }); } });
The creation works fine but calling s3.putBucketNotificationConfiguration
from the aws-sdk
throws:
{ InvalidArgument: Unable to validate the following destination configurations at Request.extractError ([...]/node_modules/aws-sdk/lib/services/s3.js:577:35) at Request.callListeners ([...]/node_modules/aws-sdk/lib/sequential_executor.js:105:20) at Request.emit ([...]/node_modules/aws-sdk/lib/sequential_executor.js:77:10) at Request.emit ([...]/node_modules/aws-sdk/lib/request.js:683:14) at Request.transition ([...]/node_modules/aws-sdk/lib/request.js:22:10) at AcceptorStateMachine.runTo ([...]/node_modules/aws-sdk/lib/state_machine.js:14:12) at [...]/node_modules/aws-sdk/lib/state_machine.js:26:10 at Request.<anonymous> ([...]/node_modules/aws-sdk/lib/request.js:38:9) at Request.<anonymous> ([...]/node_modules/aws-sdk/lib/request.js:685:12) at Request.callListeners ([...]/node_modules/aws-sdk/lib/sequential_executor.js:115:18) message: 'Unable to validate the following destination configurations', code: 'InvalidArgument', region: null, time: 2017-11-10T02:55:43.004Z, requestId: '9E1CB35811ED5828', extendedRequestId: 'tWcmPfrAu3As74M/0sJL5uv+pLmaD4oBJXwjzlcoOBsTBh99iRAtzAloSY/LzinSQYmj46cwyfQ=', cfId: undefined, statusCode: 400, retryable: false, retryDelay: 4.3270874729153475 } <?xml version="1.0" encoding="UTF-8"?> <Error> <Code>InvalidArgument</Code> <Message>Unable to validate the following destination configurations</Message> <ArgumentName1>arn:aws:lambda:us-west-1:xxxxxxxxxx:function:respondS3Upload, null</ArgumentName1> <ArgumentValue1>Not authorized to invoke function [arn:aws:lambda:us-west-1:xxxxxxxxxx:function:respondS3Upload]</ArgumentValue1> <RequestId>9E1CB35811ED5828</RequestId> <HostId>tWcmPfrAu3As74M/0sJL5uv+pLmaD4oBJXwjzlcoOBsTBh99iRAtzAloSY/LzinSQYmj46cwyfQ=</HostId> </Error>
I've run it with a role assigned to lambda with what I think are all the policies it needs. I could be missing something. I'm using my root access keys to run this script.
I've thought it might be a timing error where S3 needs time to create the bucket before adding the event, but I've waited a while, hardcoded the bucket name, and run my script again which throws the same error.
The weird thing is that if I create the event hook in the S3 UI and immediately delete it, my script works if I hardcode that bucket name into it. It seems like creating the event in the UI adds some needed permissions but I'm not sure what that would be in the SDK or in the console UI.
Any thoughts or things to try? Thanks for your help
Try one of the following strategies to avoid the "Unable to validate the following destination configurations" error: Specify a value for BucketName in your AWS CloudFormation template. Create a stack, and then perform a stack update.
Amazon SNS topic Currently, Standard SNS is only allowed as an S3 event notification destination, whereas SNS FIFO is not allowed.
The function CustomDashresourceDashexistingDashs3LambdaFunction is the one that is executed in this case and it has been created as is seen in the log. That function does two things in succession. add a permission to the function S3uploadedLambdaFunction. then update the configuration of the S3 existing bucket.
You are getting this message because your s3 bucket is missing permissions for invoking your lambda function.
According to AWS documentation! there are two types of permissions required:
You should create an object of type 'AWS::Lambda::Permission' and it should look similar to this:
{ "Version": "2012-10-17", "Id": "default", "Statement": [ { "Sid": "<optional>", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "lambda:InvokeFunction", "Resource": "<ArnToYourFunction>", "Condition": { "StringEquals": { "AWS:SourceAccount": "<YourAccountId>" }, "ArnLike": { "AWS:SourceArn": "arn:aws:s3:::<YourBucketName>" } } } ] }
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With