
Why didn't my EventBridge rule invoke my Lambda function?


The Amazon EventBridge rule that I created doesn’t invoke my AWS Lambda function.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Check the CloudWatch metrics for the EventBridge rule

To identify the cause of the issue, check the Amazon CloudWatch console in the AWS/Events namespace for the following EventBridge metrics:

  • Check TriggeredRules to identify whether a scheduled rule ran or matched a specific event. After the rule runs successfully, EventBridge forwards the event to the target.
  • Check Invocations to identify whether the rule invoked a target. EventBridge makes multiple attempts if it can't deliver the event to the target.
  • Check FailedInvocations to identify whether EventBridge permanently failed to invoke the target. This metric indicates issues in the target configuration.

Confirm that the Lambda function's resource policy has the required permissions

EventBridge must have permission to invoke the Lambda function. If you use the EventBridge console to create the rule, then the console automatically adds the required permissions to the function's resource-based policy. If you used the AWS CLI, AWS SDK, or AWS CloudFormation to create a rule, then you must manually add permissions to the resource-based policy.

To use the Lambda console to update the target function's permissions, complete the following steps:

  1. Open the Lambda console.
  2. Select your Lambda function.
  3. Choose the Configuration tab, and then choose Permissions.
  4. Under Resource-based policy, make sure that the policy allows EventBridge to invoke the Lambda function.
  5. If the policy doesn't have the required permissions, then choose Add permissions.
  6. Choose AWS Service - EventBridge.
  7. (Optional) Enter a Statement ID as an identifier for your policy statement.
  8. For Principal, enter events.amazonaws.com.
  9. For Source ARN, enter the EventBridge rule's Amazon Resource Name (ARN).
  10. For Action, select lambda:InvokeFunction.
  11. Choose Save.

You can also use the GetPolicy API to view the function's resource-based policy. Or, run the following get-policy AWS CLI command:

aws lambda get-policy \
    --function-name my-function

Note: Replace my-function with your function name.

To update the policy, use the AddPermission API. Or, run the following add-permission command:

aws lambda add-permission \
    --function-name MyFunction \
    --statement-id MyId \
    --action 'lambda:InvokeFunction' \
    --principal events.amazonaws.com \
    --source-arn arn:aws:events:us-east-1:123456789012:rule/MyRule

Note: Replace MyFunction with your function name, MyId with your statement ID, and arn:aws:events:us-east-1:123456789012:rule/MyRule with the rule ARN.
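To check the get-policy output without reading the escaped JSON by eye, the following added example (not part of the original article or any AWS tooling) parses it and reports which statements let events.amazonaws.com invoke the function for a given rule ARN, and which grant that access with no source ARN condition. The function name find_invoke_grants, the statement ID Legacy, and the sample policy are constructed for illustration.

```python
import json

RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/MyRule"
# Constructed sample in the shape `aws lambda get-policy` returns: the policy
# document is itself a JSON string inside the "Policy" field.
SAMPLE_GET_POLICY = json.dumps({"RevisionId": "constructed", "Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "MyId", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
         "Condition": {"ArnLike": {"AWS:SourceArn": RULE_ARN}}},
        {"Sid": "Legacy", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"},
    ]})})


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def find_invoke_grants(get_policy_output, rule_arn):
    """Return (matching, unscoped) statement IDs for events.amazonaws.com.

    matching: Allow statements whose source ARN condition names rule_arn exactly
              (wildcard patterns are not expanded here).
    unscoped: Allow statements with no source ARN condition at all.
    """
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    matching, unscoped = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") != "Allow" or "events.amazonaws.com" not in services
                or not actions & {"lambda:invokefunction", "lambda:*", "*"}):
            continue
        # Condition keys are case-insensitive; the CLI writes "AWS:SourceArn".
        source_arns = [arn for keys in stmt.get("Condition", {}).values()
                       for key, value in keys.items() if key.lower() == "aws:sourcearn"
                       for arn in _as_list(value)]
        if not source_arns:
            unscoped.append(stmt.get("Sid"))
        elif rule_arn in source_arns:
            matching.append(stmt.get("Sid"))
    return matching, unscoped
```

An empty matching list for your rule ARN means the rule's invocations will fail with a permissions error; entries in the unscoped list allow any EventBridge rule to invoke the function and are worth replacing with a statement that sets the source ARN.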

Make sure that your execution role has the required permissions

If you use an execution role, then make sure that the role has permission to invoke the Lambda function.

If you use the EventBridge console to create the role, then the console automatically adds the required permissions to the IAM role that's attached to the rule. If you used the AWS CLI, AWS SDK, or CloudFormation to create a rule, then you must manually add permissions to the IAM role.

To check the IAM role's permissions, complete the following steps:

  1. Open the EventBridge console.
  2. Choose Rules.
  3. Select the EventBridge rule.
  4. Choose the Target tab, and then choose the IAM role for the rule.
  5. Under Permission, make sure that the policy allows the role to invoke the Lambda function and that the trust policy allows EventBridge (events.amazonaws.com) to assume the role.
    Example IAM policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "lambda:InvokeFunction"
                ],
                "Resource": [
                    "arn:aws:lambda:region:account-id:function:function-name"
                ]
            }
        ]
    }
    Example trust relationship:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TrustEventBridgeService",
                "Effect": "Allow",
                "Principal": {
                    "Service": "events.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "account-id",
                        "aws:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
                    }
                }
            }
        ]
    }
    Note: Replace arn:aws:lambda:region:account-id:function:function-name with the function ARN, account-id with your AWS account ID, and arn:aws:events:region:account-id:rule/rule-name with the rule ARN.

You can also use the GetRole API to retrieve the IAM policy. Or, run the following get-role command:

aws iam get-role \
    --role-name Test-Role

Note: Replace Test-Role with your role name.

If the policy or trust relationship is missing required permissions, then use the IAM console to update the policy and trust relationship.

Add a dead-letter queue to the target in Amazon SQS

EventBridge uses dead-letter queues in Amazon Simple Queue Service (Amazon SQS) to store events that EventBridge couldn't deliver to a target.

To get more information about why an invocation failed, complete the following steps to attach a dead-letter queue to the target:

  1. Create an Amazon SQS queue to use as the dead-letter queue.
  2. Open the EventBridge console.
  3. Choose Rules.
  4. Select the EventBridge rule.
  5. Under Targets, select Edit, and then expand the Additional settings section.
  6. Under Dead-letter queue, choose Select an Amazon SQS queue in the current AWS account to use as the dead-letter queue.
  7. Choose your SQS queue.
  8. Review your changes, and then choose Save.

Then, rerun the event to record it in the dead-letter queue and get more information about why the rule failed to invoke the function.
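Once events land in the dead-letter queue, the failure reason is carried in each message's attributes. The following added example (not part of the original article) groups the messages from `aws sqs receive-message --message-attribute-names All` output by rule, target, and error code. It assumes the ERROR_CODE, ERROR_MESSAGE, RULE_ARN, and TARGET_ARN message attributes that EventBridge attaches to dead-lettered events; the function name summarize_dlq and all sample values, including the error codes and messages, are constructed.

```python
import json

RULE = "arn:aws:events:us-east-1:123456789012:rule/MyRule"
TARGET = "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"


def _msg(msg_id, code, text):
    """Build one constructed SQS message carrying the dead-letter attributes."""
    attrs = {"ERROR_CODE": code, "ERROR_MESSAGE": text, "RULE_ARN": RULE, "TARGET_ARN": TARGET}
    return {"MessageId": msg_id, "Body": json.dumps({"id": "event-" + msg_id}),
            "MessageAttributes": {k: {"DataType": "String", "StringValue": v}
                                  for k, v in attrs.items()}}


# Constructed sample in the shape of
# `aws sqs receive-message --message-attribute-names All` output.
SAMPLE_RECEIVE = json.dumps({"Messages": [
    _msg("1", "NO_PERMISSIONS", "constructed: not authorized to perform lambda:InvokeFunction"),
    _msg("2", "NO_PERMISSIONS", "constructed: not authorized to perform lambda:InvokeFunction"),
    _msg("3", "THROTTLING", "constructed: rate exceeded"),
]})


def summarize_dlq(receive_output):
    """Group dead-lettered events by (rule ARN, target ARN, error code)."""
    # An empty queue yields no output or no "Messages" key.
    messages = json.loads(receive_output).get("Messages", []) if receive_output.strip() else []
    summary = {}
    for msg in messages:
        attrs = {k: v.get("StringValue") for k, v in msg.get("MessageAttributes", {}).items()}
        key = (attrs.get("RULE_ARN"), attrs.get("TARGET_ARN"), attrs.get("ERROR_CODE"))
        entry = summary.setdefault(key, {"count": 0, "error_message": attrs.get("ERROR_MESSAGE"),
                                         "event_ids": []})
        entry["count"] += 1
        # The message body is the original event that could not be delivered.
        entry["event_ids"].append(json.loads(msg["Body"]).get("id"))
    return summary
```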

Related information

My rule ran but my Lambda function wasn't invoked

Improved failure recovery for Amazon EventBridge