Saturday, April 2, 2016

Why is Lambda function not invoked by CloudWatch Events

AWS Lambda has proven to be an increasingly versatile tool for cloud automation. It is pretty easy to get started since there is little dependency involved, and what you can do with it is limited only by imagination. However, I went through some detours with initial troubleshooting efforts, and hope to share some learning experience here.

A common occurrence is that a Lambda function not getting invoked as expected. In this typical push model, a CloudWatch event occurs which should trigger Lambda invocation. But reviewing CloudWatch provides no indication that Lambda left any logs. At this point, the most useful clue is to look at Lambda “Monitoring” tab. Shown below are clear indication that invocation occurred but failed.

So why would a Lambda function fails to get invoked? Lambda permission model is often overlooked. Specifically, Lambda function is associated with an execution role. The execution role must grant the permissions that Lambda function needs. By keeping access and control outside the function, there is clean separation between permission and the code.

For CloudWatch Events to invoke Lambda, Lambda must have authorization. Perhaps not so intuitive, the authorization for Lambda is by ways of function-level permissions. In other words, Lambda execution role needs to have CloudWatch Events permission for it to be invoked by CloudWatch Events.

One way to fix, add “cloudwatcheventsfullaccess” to the execution role assigned to Lambda function. There are obviously other permissions needed depending on your specific Lambda function, these are useful references:

No comments:

Post a Comment