invoke permission error on lambda ALB target group

0

I have the following stack with a lambda, lambda permission, lambda role, and an ALB target group:

Resources:

  MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CloudwatchMetricsLambda
      Runtime: python3.7
      Code:
        S3Bucket: some-bucket-with-code
        S3Key: deployment.zip
      Handler: src/index.lambda_handler
      Role: !GetAtt MyFunctionLambdaRole.Arn
      Timeout: 20

  ALBLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt MyFunction.Arn
      Principal: elasticloadbalancing.amazonaws.com
      SourceAccount: !Ref AWS::AccountId

  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn:
      - ALBLambdaPermission
      - MyFunction
    Properties:
      Targets:
        -
          Id: !Sub ${MyFunction.Arn}
      TargetType: lambda

  MyFunctionLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyName: WriteCloudWatch
          PolicyDocument:
            Statement:
              -
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              -
                Effect: Allow
                Action:
                  - cloudwatch:PutMetricData
                Resource:
                  - '*'

When I try to deploy this lambda I get the following error:

ALBTargetGroup UPDATE_FAILED API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:{region}:{account_id}:function:CloudwatchMetricsLambda from target group arn:aws:elasticloadbalancing:{region}:{account_id}:targetgroup/CloudwatchMetricsLambdaGroup/group_id

Load balancers don't have roles, and the principal "elasticloadbalancing.amazonaws.com" is given permission to invoke the lambda. This works fine if I click through it in the console, but it does not work in CloudFormation.

What am I doing wrong here? I've tried this several ways and spent about half a day on this issue. I'm sure it's user error, but I just don't see where/how?

mneil
asked 5 years ago, 3217 views
6 answers
1

Hi,
I went down so many rabbit holes on this one :-)

To get this to work, all you need to do is remove:

SourceAccount: !Ref AWS::AccountId

So, your ALBLambdaPermission should look like the following, and it will get to CREATE_COMPLETE.

  ALBLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt MyFunction.Arn
      Principal: elasticloadbalancing.amazonaws.com

-randy

answered 5 years ago
0

This is not recommended by AWS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#prepare-lambda-function

We recommend that you include the --source-arn parameter to restrict function invocation to the specified target group.
answered 4 years ago
0

So then, what is recommended? I have an identical setup, but my "SourceArn" is the target group (because that's what the AWS docs said to do).

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#prepare-lambda-function

But I am receiving the same error...

Lambda perms:

AlbInvokePermission:
  DependsOn: 
    - Function
    - TargetGroup
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Sub '${Function.Arn}'
    Action: 'lambda:InvokeFunction'
    Principal: elasticloadbalancing.amazonaws.com
    SourceArn: !Ref TargetGroup

Yes, I know that removing the SourceArn will "resolve" this issue, but it will allow blanket access from ANY ALB, which I definitely do not want.

Error:
elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke {lambda _arn} from target group {target_group_arn}

Edited by: HarryCaveMan on Jan 8, 2020 11:51 AM


answered 4 years ago
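The second and third answers above argue that a permission without SourceArn lets any target group in any account invoke the function. The following is an added example, not code from the thread or from AWS: a small offline stand-in for IAM that models only the two condition keys AWS::Lambda::Permission writes into the function's resource policy (StringEquals on AWS:SourceAccount, ArnLike on AWS:SourceArn) and checks each statement shape against the stack's own target group and a foreign one. All ARNs, names and account ids are constructed sample values. It shows IAM's pattern semantics for an ArnLike wildcard; it cannot tell you what request context the ELB RegisterTargets check actually supplies, which is what the failures reported in this thread hinge on.

```python
"""Offline simulation of how the Condition block that AWS::Lambda::Permission
adds to the function's resource policy scopes who may invoke it. Added
example, not code from the thread or from AWS: the evaluator is a small
stand-in for IAM that models only the two condition keys Lambda emits
(StringEquals on AWS:SourceAccount, ArnLike on AWS:SourceArn), and the ARNs
and account ids are constructed sample values."""
import fnmatch

ELB = "elasticloadbalancing.amazonaws.com"
ACCOUNT = "111122223333"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:CloudwatchMetricsLambda"
# Target-group ARNs end in a generated id (the "group_id" in the question's
# error), so the exact ARN is only known once the target group exists.
TG_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/TargetGroupName/0123456789abcdef"
TG_PATTERN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:targetgroup/TargetGroupName/*"
FOREIGN_ACCOUNT = "999999999999"
FOREIGN_TG_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{FOREIGN_ACCOUNT}:targetgroup/someone-else/fedcba9876543210"


def permission_statement(principal, source_account=None, source_arn=None):
    """Statement equivalent to an AWS::Lambda::Permission with these properties."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Service": principal},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }
    condition = {}
    if source_account:
        condition["StringEquals"] = {"AWS:SourceAccount": source_account}
    if source_arn:
        condition["ArnLike"] = {"AWS:SourceArn": source_arn}
    if condition:
        stmt["Condition"] = condition
    return stmt


def allows(stmt, principal, source_arn, source_account):
    """True if the statement authorizes an invoke from this request context."""
    if stmt["Principal"].get("Service") != principal:
        return False
    condition = stmt.get("Condition", {})
    want_account = condition.get("StringEquals", {}).get("AWS:SourceAccount")
    if want_account is not None and want_account != source_account:
        return False
    want_arn = condition.get("ArnLike", {}).get("AWS:SourceArn")
    # ArnLike treats '*' as "any characters", which fnmatch reproduces; the
    # sample ARNs contain none of fnmatch's other metacharacters.
    if want_arn is not None and not fnmatch.fnmatchcase(source_arn, want_arn):
        return False
    return True


def compare():
    """Each statement shape against the stack's own target group and a foreign one."""
    own = (ELB, TG_ARN, ACCOUNT)
    foreign = (ELB, FOREIGN_TG_ARN, FOREIGN_ACCOUNT)
    shapes = {
        "no-condition": permission_statement(ELB),
        "source-arn-exact": permission_statement(ELB, source_arn=TG_ARN),
        "source-arn-wildcard": permission_statement(ELB, source_arn=TG_PATTERN),
    }
    return {name: (allows(s, *own), allows(s, *foreign)) for name, s in shapes.items()}


if __name__ == "__main__":
    for name, (own_ok, foreign_ok) in compare().items():
        print(f"{name:20s} own target group: {own_ok!s:5s} foreign target group: {foreign_ok}")
```

Running it prints one line per shape: the unconditioned statement allows both target groups, while the exact ARN and the name-with-wildcard pattern allow only the stack's own. That is the gap the first answer's fix opens and the later replies try to close.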
0

So the issue I was having assigning my target group was due to a circular dependency between the target group and the lambda permission. I was able to work around this by naming the target group, then building the ARN as a string in the lambda permission:

AlbInvokePermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Sub '${Function.Arn}'
    Action: 'lambda:InvokeFunction'
    Principal: elasticloadbalancing.amazonaws.com
    SourceArn: !Sub 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/TargetGroupName/*'

With this target group definition:

TargetGroup:
  DependsOn:
    - AlbInvokePermission
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    Name: TargetGroupName
    TargetType: lambda
    Targets:
      - Id: !Sub '${Function.Arn}'
answered 4 years ago
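The cycle the answer above describes is easy to miss in a template because half of it is implicit (a !Ref inside SourceArn) and half explicit (DependsOn). The following is an added example, not code from the thread or from CloudFormation itself: it walks the Ref / Fn::GetAtt / Fn::Sub and DependsOn edges of a template given as plain dicts and reports one cycle. The two templates inside it are constructed reductions of the layouts posted above, with property values trimmed to what the dependency walk needs.

```python
"""Detect a DependsOn / Ref cycle in a CloudFormation template. Added example,
not code from the thread or from CloudFormation; the templates below are
constructed reductions of the layouts posted in this thread."""
import re

# ${Logical} or ${Logical.Attr}; pseudo-parameters like ${AWS::Region} are skipped
SUB_RE = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)?\}")


def _refs(node, names):
    """Yield logical IDs referenced via intrinsic functions anywhere under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and val in names:
                yield val
            elif key == "Fn::GetAtt":
                target = val[0] if isinstance(val, list) else val.split(".")[0]
                if target in names:
                    yield target
            elif key == "Fn::Sub":
                text = val if isinstance(val, str) else val[0]
                yield from (m for m in SUB_RE.findall(text) if m in names)
            else:
                yield from _refs(val, names)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item, names)


def dependency_graph(resources):
    """Map each logical ID to the set of logical IDs it must wait for."""
    names = set(resources)
    graph = {}
    for name, res in resources.items():
        deps = set(_refs(res.get("Properties", {}), names))
        explicit = res.get("DependsOn", [])
        deps.update([explicit] if isinstance(explicit, str) else explicit)
        graph[name] = deps & names
    return graph


def find_cycle(graph):
    """Return one cycle as [a, b, ..., a], or None if the graph is acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = dict.fromkeys(graph, WHITE)
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in sorted(graph[node]):
            if colour[nxt] == GREY:  # back edge: the cycle is the path from nxt
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    for start in sorted(graph):
        if colour[start] == WHITE:
            found = visit(start)
            if found:
                return found
    return None


FUNCTION = {"Type": "AWS::Lambda::Function", "Properties": {"Handler": "src/index.lambda_handler"}}
TARGET_GROUP = {
    "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
    "DependsOn": ["AlbInvokePermission"],  # RegisterTargets needs the permission first
    "Properties": {"Name": "TargetGroupName", "TargetType": "lambda",
                   "Targets": [{"Id": {"Fn::Sub": "${Function.Arn}"}}]},
}
PERMISSION = {"FunctionName": {"Fn::Sub": "${Function.Arn}"},
              "Action": "lambda:InvokeFunction",
              "Principal": "elasticloadbalancing.amazonaws.com"}

# Scoping with !Ref TargetGroup: the permission waits for the target group,
# which waits for the permission.
BROKEN = {
    "Function": FUNCTION,
    "TargetGroup": TARGET_GROUP,
    "AlbInvokePermission": {"Type": "AWS::Lambda::Permission",
                            "DependsOn": ["Function", "TargetGroup"],
                            "Properties": {**PERMISSION, "SourceArn": {"Ref": "TargetGroup"}}},
}

# Workaround from the answer above: build the ARN from the fixed name and
# pseudo-parameters, so the permission no longer references the target group.
FIXED = {
    "Function": FUNCTION,
    "TargetGroup": TARGET_GROUP,
    "AlbInvokePermission": {"Type": "AWS::Lambda::Permission",
                            "Properties": {**PERMISSION, "SourceArn": {"Fn::Sub":
                                "arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/TargetGroupName/*"}}},
}

if __name__ == "__main__":
    print("broken:", find_cycle(dependency_graph(BROKEN)))
    print("fixed: ", find_cycle(dependency_graph(FIXED)))
```

For the first template the walk reports the two-node cycle between AlbInvokePermission and TargetGroup; for the second it finds none, because the only remaining edges point at Function. The same walk works on a real template loaded with a YAML parser that understands the `!Ref` / `!Sub` short forms, which is how you would run it in CI before a deploy.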
0

For me, the named TargetGroup has some random integer after its name in the ARN (I named the TargetGroup after it was created, in subsequent CFN template updates).

edit: never mind, I noticed the asterisk at the end (the AWS forum's text URL-encoding "feature" does not help to see the details here).

edit2: unfortunately, the asterisk does not work for me. It might be not only for me: https://stackoverflow.com/questions/56347601/aws-can-lambda-permission-policy-have-a-source-from-target-group-with-wildcards

Edited by: askarkalykov on Apr 17, 2020 1:35 AM

answered 4 years ago
0

Hey, is there any solution for this? I don't want to add this after everything is created in CloudFormation, and I guess it is bad practice, so I'm eagerly waiting for a way to avoid this circular dependency problem so we can directly target the Ref.

chamut
answered 4 years ago
