The execution role you provide must allow AWS EventBridge Scheduler to assume the role

0

When trying to set up an EventBridge Scheduler schedule to run a simple Lambda function, I get the following error: "The execution role you provide must allow AWS EventBridge Scheduler to assume the role"

I have tried creating the schedule using a "custom execution" role as well as allowing "AWS to create a new one". Both execution roles have the AssumeRole statement in the trust relationship, as shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "scheduler.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "XXXXXXXXXXX" } }
    }
  ]
}

Please note, I am able to successfully set up a scheduler event on another AWS account following the same steps in the same region. Could there be anything fundamentally missing in the AWS account?

There is another thread in rePost with the same error, but none of the solutions there seem to work. Please help!

1 Answer
2
Accepted Answer

Well, it could be multiple things, like whether both (EventBridge and Lambda) are on the same account, or probably a simpler explanation: how did you create the Lambda function? Lambda functions have a resource policy control, which you need to configure to allow them to be invoked from the EventBridge service, so you need to add something like this:

aws lambda add-permission \
--function-name LogScheduledEvent \
--statement-id my-scheduled-event \
--action 'lambda:InvokeFunction' \
--principal events.amazonaws.com \
--source-arn arn:aws:events:us-east-1:123456789012:rule/my-scheduled-rule

To make sure that EventBridge can invoke the Lambda function, you have a good example documented here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-run-lambda-schedule.html

Hope this helps. Anyway, for next time, if you can include your CloudTrail Deny event, it would help a lot to diagnose. Thanks!

Best,

AWS
answered 20 days ago
EXPERT
reviewed 19 days ago
  • @Neel, the issue you're encountering is likely due to an incorrect Principal in your role trust policy. You should be using events.amazonaws.com instead.

    Key Source:

  • Thanks for the link to the documentation. I was able to set up a Rule instead of a Schedule to run the Lambda using the CLI. The Principal in the role's trust policy is now set to events.amazonaws.com instead of scheduler.amazonaws.com.
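As an added example (not code from the thread or from AWS), here is a small offline checker for the trust policy shape shown in the question: it confirms that the Service principal, the sts:AssumeRole action and the aws:SourceAccount condition all line up for the account the schedule or rule is created in, and it flags a policy that drops the condition entirely, since that condition is what stops schedules in other accounts from using the role. The sample policy and the account ids are constructed; the X-ed account id from the question is replaced with a made-up value.

```python
import json

SCHEDULER_PRINCIPAL = "scheduler.amazonaws.com"  # principal for EventBridge Scheduler schedules
RULE_PRINCIPAL = "events.amazonaws.com"          # principal for EventBridge rules (the answer's CLI path)

# Constructed sample: the question's trust policy with a made-up account id in place of XXXXXXXXXXX.
SAMPLE_TRUST_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "Service": "scheduler.amazonaws.com" },
                   "Action": "sts:AssumeRole",
                   "Condition": { "StringEquals": { "aws:SourceAccount": "111111111111" } } } ] }
""")


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, service, account_id):
    """Return (allowed, notes). allowed is True only if an Allow statement names `service`
    as a Service principal with sts:AssumeRole and its aws:SourceAccount condition, if any,
    accepts `account_id` (the account the schedule or rule lives in)."""
    notes = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and bare "*" principals are not evaluated here
        if service not in _as_list(principal.get("Service", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            notes.append(f"{service} is a principal but the statement lacks sts:AssumeRole")
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if expected is None:
            notes.append("no aws:SourceAccount condition: schedules from any account could use this role")
            return True, notes
        if expected != account_id:
            notes.append(f"aws:SourceAccount is {expected}, but the schedule is in {account_id}")
            continue
        return True, notes
    notes.append(f"no Allow statement lets {service} assume this role from account {account_id}")
    return False, notes


if __name__ == "__main__":
    for svc, acct in [(SCHEDULER_PRINCIPAL, "111111111111"), (SCHEDULER_PRINCIPAL, "222222222222"), (RULE_PRINCIPAL, "111111111111")]:
        print(svc, acct, check_trust_policy(SAMPLE_TRUST_POLICY, svc, acct))
```

The second and third runs show the two mismatches that produce the error in the question: a SourceAccount value from a different account, and a trust policy written for rules (events.amazonaws.com) rather than for Scheduler.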
