By using AWS re:Post, you agree to the Terms of Use

invoke permission error on lambda ALB target group

0

I have the following stack with a lambda, lambda permission, lambda role, and an ALB target group:

Resources:

  MyFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: CloudwatchMetricsLambda
      Runtime: python3.7
      Code:
        S3Bucket: some-bucket-with-code
        S3Key: deployment.zip
      Handler: src/index.lambda_handler
      Role: !GetAtt MyFunctionLambdaRole.Arn
      Timeout: 20

  ALBLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt MyFunction.Arn
      Principal: elasticloadbalancing.amazonaws.com
      SourceAccount: !Ref AWS::AccountId

  ALBTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn:
      - ALBLambdaPermission
      - MyFunction
    Properties:
      Targets:
        -
          Id: !Sub ${MyFunction.Arn}
      TargetType: lambda

  MyFunctionLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyName: WriteCloudWatch
          PolicyDocument:
            Statement:
              -
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: arn:aws:logs:*:*:*
              -
                Effect: Allow
                Action:
                  - cloudwatch:PutMetricData
                Resource:
                  - '*'

When I try to deploy this lambda I get the following error:

ALBTargetGroup UPDATE_FAILED API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:{region}:{account_id}:function:CloudwatchMetricsLambda from target group arn:aws:elasticloadbalancing:{region}:{account_id}:targetgroup/CloudwatchMetricsLambdaGroup/group_id

Load balancers don't have roles. And the principal "elasticloadbalancing.amazonaws.com" is given permissions to invoke the lambda. This works fine if I click in the console and make it happen. But it does not work in cloudformation.

What am I doing wrong here? I've tried this several ways and spent about half a day on this issue. I'm sure it's user error, but I just don't see where/how?

asked 3 years ago488 views
6 Answers
0

Hi,
I went down so many rabbit holes on this one :-)

To get this to work, all you need to do is remove:

SourceAccount: !Ref AWS::AccountId

So, your ALBLamdaPermission should look like the following and it will get to CREATE_COMPLETE.

  ALBLambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt MyFunction.Arn
      Principal: elasticloadbalancing.amazonaws.com

-randy

answered 3 years ago
0

This is not recommended by AWS: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#prepare-lambda-function

We recommend that you include the --source-arn parameter to restrict function invocation to the specified target group.
answered 3 years ago
0

So then, what is recommended, I have an identical setup but my "SourceArn" is the target group (because that's what aws docs said to do).

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/lambda-functions.html#prepare-lambda-function

But I am receiving the same error...

Lambda perms:

AlbInvokePermission:
  DependsOn: 
    - Function
    - TargetGroup
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Sub '${Function.Arn}'
    Action: 'lambda:InvokeFunction'
    Principal: elasticloadbalancing.amazonaws.com
    SourceArn: !Ref TargetGroup

Yes, I know that removing the SourceArn will "resolve" this issue, but will allow blanket access from ANY alb, which I definitely do not want.

Error:
elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke {lambda _arn} from target group {target_group_arn}

Edited by: HarryCaveMan on Jan 8, 2020 11:51 AM

Edited by: HarryCaveMan on Jan 8, 2020 11:54 AM

Edited by: HarryCaveMan on Jan 8, 2020 11:56 AM

Edited by: HarryCaveMan on Jan 8, 2020 12:00 PM

answered 3 years ago
0

So the issue I was having assigning my target group was due to a circular dependency between the target group and the lambda permission. I was able to work around this by naming the target group then building the arn as a string in the lambda permission:

AlbInvokePermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Sub '${Function.Arn}'
    Action: 'lambda:InvokeFunction'
    Principal: elasticloadbalancing.amazonaws.com
    SourceArn: !Sub 'arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/TargetGroupName/*'

With this target group definition:

TargetGroup:
  DependsOn:
    - AlbInvokePermission
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    Name: TargetGroupName
    TargetType: lambda
    Targets:
      - Id: !Sub '${Function.Arn}'
answered 3 years ago
0

For me, named TargetGroup has some random integer after it's name in ARN (I've named TargetGroup after it was created, in subsequent CFN template updates).

edit: nevermind, I've noticed the asterisk at the end (aws forum text url-encoding "feature" does not help to see details here).

edit2: unfortunately, asterisk does not work for me. Might be, not only for me: https://stackoverflow.com/questions/56347601/aws-can-lambda-permission-policy-have-a-source-from-target-group-with-wildcards

Edited by: askarkalykov on Apr 17, 2020 1:35 AM

Edited by: askarkalykov on Apr 17, 2020 1:46 AM

answered 2 years ago
0

hey any solution for this because I don't want to add this after everything created in cloudformation and I guess it is a bad practice so eagerly waiting for a way to avoid this circular dependency problem so we can directly target the ref

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions