I am utilizing Eventbridge API Destination to call my lambda function's url and throttle it to my desired rate. This works when the lambda function's invoke-url auth type is set to None. When I set the function Url auth type to AWS_IAM and create a resource-based invoke function url policy, it doesn't work.
I've tried setting the policy's principal to:
- the account root
- the eventbridge role arn
- the eventBridgeApiDestinations service role arn (arn:aws:iam::xxxxxxxxx:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations)
None of the above work. Not sure what I'm doing wrong here or if it's even possible to do this.
Policy statement details:
Statement ID: invoke-from-event-bridge-rule
Principal: arn:aws:iam::xxxxxxx:role/< my eventBridge role >
Effect: Allow
Action: lambda:InvokeFunctionUrl
Conditions:
{
  "StringEquals": {
    "lambda:FunctionUrlAuthType": "AWS_IAM"
  }
}
CodePudding user response:
From the documentation:
Amazon EventBridge API destinations are HTTP endpoints that you can invoke as the target of a rule, similar to how you invoke an AWS service or resource as a target.
When you have EventBridge invoke your Lambda in this way, EventBridge doesn't know it is invoking a Lambda function. It doesn't even know it is invoking an AWS service. It is treating it the same as it would a third-party "webhook" external to AWS. It is not going to sign the HTTP request with AWS IAM credentials.
I suggest using a standard AWS Lambda invocation from EventBridge, instead of an HTTP endpoint invocation.
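To make the answer concrete, the following is an added example (not code from the asker or the answerer) showing the two things at stake. First, what a caller actually has to send to a function URL whose auth type is AWS_IAM: a SigV4-signed request, where the signature is derived from the caller's IAM credentials and covers the method, path, query, date, and body hash. An API destination sends a plain HTTP request with none of this, so the function URL returns 403 no matter what the resource-based policy says. Second, the least-privilege resource-based statement for the approach the answer recommends, a normal Lambda target on the rule, where the principal is the EventBridge service and `aws:SourceArn` pins invocation to one rule. The function URL, account ID, rule name and access keys below are constructed placeholders (the keys are the AWS documentation's example values), and the signing code is a from-scratch SigV4 implementation rather than an AWS SDK call.

```python
"""SigV4-sign a request to a Lambda function URL (AuthType AWS_IAM), and build
the resource-based statement for a direct EventBridge-to-Lambda target."""
import datetime
import hashlib
import hmac
import urllib.parse

SERVICE = "lambda"  # function URLs are signed against the Lambda service name
# Fixed timestamp so the example is reproducible (constructed value).
EXAMPLE_TIME = datetime.datetime(2023, 1, 1, 0, 0, 0, tzinfo=datetime.timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(query: str) -> str:
    # SigV4: URI-encode each name and value, then sort by name (then value).
    pairs = urllib.parse.parse_qsl(query, keep_blank_values=True)
    encoded = sorted(
        (urllib.parse.quote(k, safe="-_.~"), urllib.parse.quote(v, safe="-_.~"))
        for k, v in pairs
    )
    return "&".join(f"{k}={v}" for k, v in encoded)


def sign_function_url_request(method, url, body, region, access_key, secret_key,
                              session_token=None, now=None):
    """Return the headers a caller must send to a function URL with AWS_IAM auth.

    Besides Host, the request carries X-Amz-Date, X-Amz-Content-Sha256 and an
    Authorization header whose signature covers the method, path, query, those
    headers and the SHA-256 of the body. A request without them (which is all an
    EventBridge API destination sends) is rejected with HTTP 403 regardless of
    the function's resource-based policy.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parsed = urllib.parse.urlparse(url)
    payload_hash = _sha256_hex(body)

    headers = {
        "host": parsed.netloc,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials, e.g. from an assumed role
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        urllib.parse.quote(parsed.path or "/", safe="/-_.~"),
        _canonical_query(parsed.query),
        canonical_headers,
        signed_headers,
        payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8")),
    ])

    # Key derivation chain: secret -> date -> region -> service -> "aws4_request".
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def eventbridge_invoke_statement(function_arn: str, rule_arn: str) -> dict:
    """Resource-based statement for a plain Lambda target on an EventBridge rule.

    The EventBridge service principal gets lambda:InvokeFunction, and the
    SourceArn condition limits it to one rule, so other rules or accounts
    cannot use the same permission.
    """
    return {
        "Sid": "AllowEventBridgeRuleToInvoke",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnLike": {"AWS:SourceArn": rule_arn}},
    }


if __name__ == "__main__":
    # Constructed function URL and the AWS documentation's example credentials.
    hdrs = sign_function_url_request(
        "POST", "https://abc123.lambda-url.us-east-1.on.aws/", b'{"hello":"world"}',
        "us-east-1", "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        now=EXAMPLE_TIME)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

The signed headers are what an SDK, the AWS CLI (`aws lambda invoke` does not apply here; an HTTP client with SigV4 support does) or a `curl --aws-sigv4 "aws:amz:us-east-1:lambda"` call produces for you; the point of spelling it out is that every field is derived from IAM credentials the API destination does not have. The second function is the statement `aws lambda add-permission --principal events.amazonaws.com --source-arn <rule ARN> --action lambda:InvokeFunction` would write for the recommended direct-target setup.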