Allow serverless lambda to be called by cloud watch

和自甴很熟 submitted on 2021-01-28 05:45:16

Question


I have one lambda function within my serverless.yml. It looks something like this:

functions:
  clean:
    handler: app.run
    events:
      - schedule: rate(2 hours)

It works pretty well and out of the box the lambda gets called every 2 hours. When I add a new rule in the AWS Console and set the newly created lambda as a target it also works. Both the AWS Console and the Serverless framework create in the background a policy that the events.amazonaws.com service can invoke this specific function. The policy looks something like this:

{
  "Sid": "AWSEvents_rule_name_test",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:eu-central-1:<account_id>:function:<lambda_name>",
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:eu-central-1:<account_id>:rule/<rule_name>"
    }
  }
}

I would like to define rules programmatically and without the need to maintain those permissions. What I do is I create a rule, then I create a target similarly as described in the docs https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html. Without the permission step it doesn't work. I would like to have a generic permission on the serverless.yml level that enables the lambda to be called by any existing or not yet existing rules (so I care only about rules and targets). I mean something that would say: "Grant CloudWatch permission to invoke any lambda function with any rule defined on my account". That would increase the usability of my function a lot more.

Is it possible to define the same policy that usually gets generated by the AWS Console (code above) but a little more generic and within the serverless.yml file?

Update: I ended up trying the example below. It was supposed to create a "generic" rule:

functions:
  clean:
    handler: app.run
    events:
      - schedule: rate(2 hours)
resources:
  Resources:
    cleanLambdaPermission:
      DependsOn:
        # This is how serverless converts the function name. Has to be updated accordingly when the lambda gets renamed.
        - cleanLambdaFunction
      Type: AWS::Lambda::Permission
      Properties:
        FunctionName:
          "Fn::GetAtt": [ cleanLambdaFunction, Arn ]
        Action: "lambda:InvokeFunction"
        Principal: "events.amazonaws.com"
        SourceArn: "arn:aws:events:eu-central-1:<account_id>:rule"

Though it showed up, it didn't work and my lambda never got called by programmatically created rules until I added an explicit SourceArn that maps exactly one rule to one single specific function. I am doing it also programmatically in three steps: 1. Create rule. 2. Create target. 3. Create permission.

For deletion I need to proceed in reverse order. I didn't find out whether this (not allowing wildcards) is a bug or intentional behaviour.


Answer 1:


Yes, you can use wildcards ('*') to make it generic.
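Added example, not code from the question or the answer: a small standard-library Python model of the check the question runs into. Lambda's resource-based policy grants events.amazonaws.com the lambda:InvokeFunction action, and the ArnLike condition on AWS:SourceArn decides which EventBridge (CloudWatch Events) rules actually get through. The block compares the question's attempt (a SourceArn ending in ":rule", no wildcard) with the generic form ending in ":rule/*", and with a permission that has no SourceArn at all. The region is taken from the question; the account id 123456789012, the logical ID CleanLambdaFunction and the sample rule ARNs are constructed placeholders. Nothing here calls AWS.

```python
"""Model of the AWS:SourceArn / ArnLike check on a Lambda permission.

Added example, not from the question or the answer. Standard library only;
nothing here talks to AWS.
"""
import re
from typing import Optional

# Assumed placeholders: region from the question, a made-up account id.
REGION = "eu-central-1"
ACCOUNT_ID = "123456789012"

# The question's attempt (no wildcard) beside the generic form.
BARE_SCOPE = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule"
WILDCARD_SCOPE = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/*"


def arn_like(pattern: str, arn: str) -> bool:
    """Approximation of IAM's ArnLike operator.

    Each of the six colon-delimited ARN components is matched on its own:
    '*' matches any run of characters inside a component, '?' exactly one,
    and neither spans a colon. A pattern with fewer than six components
    therefore matches nothing.
    """
    pattern_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pattern_parts) != 6 or len(arn_parts) != 6:
        return False
    for part_pattern, part in zip(pattern_parts, arn_parts):
        regex = re.escape(part_pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, part) is None:
            return False
    return True


def rule_may_invoke(source_arn_condition: Optional[str], rule_arn: str) -> bool:
    """Outcome of the permission's SourceArn check for one rule.

    A statement with no SourceArn (and no SourceAccount) condition accepts a
    rule from any AWS account that names the function as a target.
    """
    if source_arn_condition is None:
        return True
    return arn_like(source_arn_condition, rule_arn)


def lambda_permission_resource(function_logical_id: str, source_arn: str) -> dict:
    """CloudFormation AWS::Lambda::Permission as a serverless.yml
    'resources' block would declare it, scoped by source_arn."""
    return {
        "Type": "AWS::Lambda::Permission",
        "Properties": {
            "FunctionName": {"Fn::GetAtt": [function_logical_id, "Arn"]},
            "Action": "lambda:InvokeFunction",
            "Principal": "events.amazonaws.com",
            "SourceArn": source_arn,
        },
    }


# Constructed sample rule ARNs: one created programmatically in this
# account, one on a custom event bus, one from a foreign account.
OWN_RULE = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/clean-nightly"
BUS_RULE = f"arn:aws:events:{REGION}:{ACCOUNT_ID}:rule/orders-bus/clean"
FOREIGN_RULE = f"arn:aws:events:{REGION}:999999999999:rule/clean-nightly"


def evaluate(scope: Optional[str]) -> dict:
    """Which of the sample rules a permission with this SourceArn admits."""
    return {
        "own": rule_may_invoke(scope, OWN_RULE),
        "bus": rule_may_invoke(scope, BUS_RULE),
        "foreign": rule_may_invoke(scope, FOREIGN_RULE),
    }


if __name__ == "__main__":
    for label, scope in (("bare", BARE_SCOPE), ("wildcard", WILDCARD_SCOPE), ("none", None)):
        print(f"{label:9} {evaluate(scope)}")
    print(lambda_permission_resource("CleanLambdaFunction", WILDCARD_SCOPE))
```

The bare scope from the question matches no rule at all, because the resource component "rule" never equals "rule/<rule_name>"; that is why only the exact one-rule ARN worked. The wildcard scope admits every rule in the account and region, including rules on custom event buses, while still rejecting a rule from another account. Dropping SourceArn entirely would also make the permission generic, but then any rule in any AWS account that targets the function ARN can invoke it, so keep the condition. In serverless.yml this is the one-line change to the question's resource: SourceArn: "arn:aws:events:eu-central-1:<account_id>:rule/*"; the three-step create sequence and its reverse for deletion then no longer need the per-rule permission step.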



Source: https://stackoverflow.com/questions/55026399/allow-serverless-lambda-to-be-called-by-cloud-watch
