2

I am trying to build a Kibana dashboard fed with twitter data collected via AWS Kinesis firehose where data passes into an S3 bucket which triggers a Lambda function which passes the data to AWS Elastic Search and then to Kibana. I am following this blog https://aws.amazon.com/blogs/big-data/building-a-near-real-time-discovery-platform-with-aws/

The data is loading into the S3 bucket correctly but it never arrives in Kibana, I believe this is because the Lambda function is not being triggered by events in S3 as I would have hoped (there are no invocations or logs). I think this is because I have not set permissions properly. The Lambda function can be invoked manually by the test event.

On the Lambda function page I chose an existing role which I called lambda_s3_exec_role which has the AWSLambdaExecute policy attached to it but I feel I'm missing something else more specific to S3. I have been unable to follow this line in the blog in the create lambda function section because I do not recognise those options:

"10. Choose lambda_s3_exec_role (if this value does not exist, choose Create new role S3 execution role)."

Can anyone help me create the appropriate role/policy for the Lambda function, or spot what the problem may be?

From view permissions on the Lambda function I currently have:

FUNCTION POLICY

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "****",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "****",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::****"
        }
      }
    }
  ]
}

EXECUTION ROLE

{
  "roleName": "lambda_s3_exec_role",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:*"
            ],
            "Resource": "arn:aws:logs:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::*"
          }
        ]
      },
      "name": "AWSLambdaExecute",
      "id": "****",
      "type": "managed",
      "arn": "arn:aws:iam::aws:policy/AWSLambdaExecute"
    }
  ]
}
Improve this question
6
  • 1
    Can you provide permissions (View permissions - key icon) -> Function Policy / Execution role from Lambda UI (AWS Console)? Commented Apr 6, 2018 at 13:48
  • 1
    The problem does point to permissions. Either something goes wrong in the lambda and you do not have permissions to send logs to Cloudwatch, or the S3 permissions are, like you said, lacking. Hard to tell without seeing the role. Can you post it here, or check whether it has S3 and CW permissions? Commented Apr 6, 2018 at 13:59
  • 1
    For me permissions looks good, the last thing to check is S3 Bucket: Properties -> (Advanced settings ->) Events. You can check there if proper Lambda is attached and for what kind of Events (screenshot will be useful;)) Commented Apr 6, 2018 at 14:38
  • When i navigate to the AWSLambdaExecute policy it says "This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. " And on show more it says for CloudWatch logs "One or more actions do not have an applicable resource." There is no warning on the S3 part. Commented Apr 6, 2018 at 14:47
  • 1
    Hmm... Maybe try upload something at UI to that bucket and check for Lambda log if it's triggered. If not - defninitly something wrong with configuration. Basically, S3 Bucket Event should point to that Lambda and if Lambda have permission to CloudWatch - logs should appear. You can 100% confirm that Lambda have access to write to CloudWatch Logs by manually invoke from UI (event might be empty - only check if some log stream will appear) Commented Apr 6, 2018 at 14:58

2 Answers 2

Reset to default
4
+25

The permissions you have listed look OK so I am going to try provide some steps that might help find the issue as it is difficult to understand specifically where your issue might be.

  1. Does the execution role have the trust relationship with a trusted entity of lambda.amazonaws.com
  2. Does your event prefix match the prefix in firehose. In the tutorial they are both twitter/raw-data/. If firehose is writing to a path that isn't the event prefix then the event won't be invoked.
  3. Does the lambda trigger any errors when you manually invoke it
  4. Does the lambda write to the logs when you manually invoke it
  5. Test the lambda using dummy data (example data below)

CLI

aws lambda invoke \
--invocation-type RequestResponse \
--function-name helloworld \
--region region \
--log-type Tail \
--payload file://dummy_event.json \
--profile adminuser \
outputfile.txt

Example data

source

dummy_event.json

{
   "Records":[  
      {  
         "eventVersion":"2.0",
         "eventSource":"aws:s3",
         "awsRegion":"us-west-2",
         "eventTime":"1970-01-01T00:00:00.000Z",
         "eventName":"ObjectCreated:Put",
         "userIdentity":{  
            "principalId":"AIDAJDPLRKLG7UEXAMPLE"
         },
         "requestParameters":{  
            "sourceIPAddress":"127.0.0.1"
         },
         "responseElements":{  
            "x-amz-request-id":"C3D13FE58DE4C810",
            "x-amz-id-2":"FMyUVURIY8/IgAtTv8xRjskZQpcIZ9KG4V5Wp6S7S/JRWeUWerMUE5JgHvANOjpD"
         },
         "s3":{  
            "s3SchemaVersion":"1.0",
            "configurationId":"testConfigRule",
            "bucket":{  
               "name":"sourcebucket",
               "ownerIdentity":{  
                  "principalId":"A3NL1KOZZKExample"
               },
               "arn":"arn:aws:s3:::sourcebucket"
            },
            "object":{  
               "key":"HappyFace.jpg",
               "size":1024,
               "eTag":"d41d8cd98f00b204e9800998ecf8427e",
               "versionId":"096fKKXTRTtl3on89fVO.nfljtsv6qko"
            }
         }
      }
   ]
}
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thanks for this (+1), I have added the test event I was using to the question. It was a template for s3:Put that I modified slightly but it gives access denied. I see error logs and invocations when running the test. Not sure about trust relationship I will try to figure out how to check that. Firehose writes to twitter/raw-data/ I see data there.
Because you have used * to remove your names it's hard to determine some things. Maybe replace it with my_bucket or something. I think the problem is the resource for the execution role, you probably need both arn:aws:s3:::my_bucket & arn:aws:s3:::my_bucket/*
When I go to the execution policy in the console it says "This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition."
Have a look through this guide shows you a way to get further information on those warnings aws.amazon.com/blogs/security/…
0

Struggled with this for a long time and eventually realized that your rule that triggers the lambda cannot have exactly the same name as the lambda itself or it won't work.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.