Has anyone ever programmatically added an SNS Topic as a trigger to a Lambda function in AWS and also programmatically enabled it? I am trying the following with the PowerShell AWS SDK and can do everything but enable it.

First, I locate one of my topics (myTopic):

# Filter the topic list with Where-Object; piping straight into a bare script block is not valid PowerShell.
$snsTopicArn = (Get-SNSTopic | Where-Object {$_.TopicArn -match "myTopic"}).TopicArn

Prepare to subscribe to the Lambda endpoint ($lambdaArn):

Connect-SNSNotification -TopicArn $snsTopicArn -Protocol lambda -Endpoint $lambdaArn `
                        -Confirm:$FALSE | Out-Null

Since this function returns a subscription ARN and not a token, the documentation has told me to assume that the subscription has been auto-confirmed and does not need a "ConfirmSubscription" (Confirm-SNSSubscription) call.

Next, I add permission to the Lambda's resource policy for this topic to run the Lambda.

Add-LMPermission -FunctionName $lambdaName -Action "lambda:Invoke" `
                 -Principal sns.amazonaws.com -SourceArn $snsTopicArn `
                 -StatementId (Get-Random) | Out-Null

At this point the topic appears in the list of triggers for the topic, but is not enabled.

Any ideas?

1 Answer

For anyone interested, I found the answer. Turns out typing a valid lambda action is important. :)

After about an hour of chat with AWS support I discovered that I didn't have a valid lambda action specified in the "add permission" call:

lambda:Invoke

It actually should be this:

lambda:InvokeFunction

or this wildcard expression:

lambda:Invoke*

"Invoke" is the function name, not the action (permissions) name. Their relationship is mentioned here: http://docs.aws.amazon.com/lambda/latest/dg/API_Invoke.html

When in doubt, AWS has a policy simulator listing all of the AWS actions for their services: https://policysim.aws.amazon.com/
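Putting the answer together, here is an added end-to-end example (my own code, not the poster's) that wires a topic to a function with the AWS Tools for PowerShell using the `lambda:InvokeFunction` action, keeps the grant scoped to the one topic via `SourceArn`, and then verifies both the resource policy and the subscription rather than trusting the console. It assumes the `AWS.Tools.SimpleNotificationService` and `AWS.Tools.Lambda` modules are loaded and credentials/region are configured; `myTopic` and `myFunction` are placeholders for your own resource names.

```powershell
# Added example, not the poster's code: subscribe an SNS topic to a Lambda function and
# grant the SNS service principal invoke rights, then verify both halves.
# Assumes AWS.Tools.SimpleNotificationService and AWS.Tools.Lambda are installed and
# the session already has credentials and a default region.
param(
    [string]$TopicName  = 'myTopic',    # placeholder: substring of your topic name
    [string]$LambdaName = 'myFunction'  # placeholder: your function name
)

# 1. Resolve the topic ARN. Get-SNSTopic returns Topic objects; filter with Where-Object.
$topic = Get-SNSTopic | Where-Object { $_.TopicArn -match $TopicName } | Select-Object -First 1
if (-not $topic) { throw "No SNS topic matching '$TopicName' was found" }
$snsTopicArn = $topic.TopicArn

# 2. Resolve the function ARN from its configuration instead of hand-assembling it.
$lambdaArn = (Get-LMFunctionConfiguration -FunctionName $LambdaName).FunctionArn

# 3. Grant sns.amazonaws.com permission to invoke the function. 'lambda:InvokeFunction'
#    is the action name from the answer above; SourceArn restricts the grant to this one
#    topic (least privilege), and a fixed StatementId keeps the call idempotent.
$statementId = "sns-$($snsTopicArn.Split(':')[-1])"
$existing = $null
try { $existing = Get-LMPolicy -FunctionName $LambdaName | ConvertFrom-Json } catch { }
if (-not ($existing.Statement | Where-Object { $_.Sid -eq $statementId })) {
    Add-LMPermission -FunctionName $LambdaName -Action 'lambda:InvokeFunction' `
        -Principal 'sns.amazonaws.com' -SourceArn $snsTopicArn `
        -StatementId $statementId | Out-Null
}

# 4. Subscribe the function to the topic. Lambda endpoints are auto-confirmed, so the
#    cmdlet returns a subscription ARN rather than a pending-confirmation token.
$subscriptionArn = Connect-SNSNotification -TopicArn $snsTopicArn -Protocol 'lambda' `
    -Endpoint $lambdaArn

# 5. Verify the resource policy: the statement exists, carries the right action, and is
#    conditioned on this topic's ARN (Add-LMPermission emits an ArnLike/AWS:SourceArn condition).
$policy = Get-LMPolicy -FunctionName $LambdaName | ConvertFrom-Json
$stmt = $policy.Statement | Where-Object { $_.Sid -eq $statementId }
if (-not $stmt -or $stmt.Action -ne 'lambda:InvokeFunction' -or
    $stmt.Condition.ArnLike.'AWS:SourceArn' -ne $snsTopicArn) {
    throw "Resource policy statement '$statementId' is missing or has the wrong action/source"
}

# 6. Verify the subscription is live on the topic side (not 'PendingConfirmation').
$sub = Get-SNSSubscriptionByTopic -TopicArn $snsTopicArn |
    Where-Object { $_.Protocol -eq 'lambda' -and $_.Endpoint -eq $lambdaArn }
if (-not $sub -or $sub.SubscriptionArn -eq 'PendingConfirmation') {
    throw "Lambda subscription to $snsTopicArn is missing or unconfirmed"
}

Write-Output "Subscribed $lambdaArn to $snsTopicArn ($subscriptionArn); policy statement $statementId verified"
```

The two verification steps are the useful part: the console's "enabled" state is derived from exactly these two things, a resource-policy statement whose action actually matches `lambda:InvokeFunction` and a confirmed subscription, so checking them from the script catches the mistake in the question (a non-existent action name) without a trip to support.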