Allow all cloudwatch event rules to have access to lambda function

4
votes

I have been encountering a hard limit on lambda function policy when trying to provision access for a cloudwatch event rule to trigger the lambda function on a scheduled basis. 

An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20670) is bigger than the limit (20480).

It works for a new lambda function, but eventually its policy will bloat and will hit a hard limit on the number on cloudwatch event rule that can access it.

Some said to re-create the function (delete/create), but this won't be an option in a production environment where cloudwatch events are already configured in it, resulting to the existing ones to lose access to the lambda function.

Using the aws cli, i was able to extract the policy of my lambda function, it loooks like this:

"Statement": [{
    "Sid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Effect": "Allow",
        "Principal": {
            "Service": "events.amazonaws.com"
        },
        "Action": "lambda:*",
        "Resource": "arn:aws:lambda:xxxxx:xxxxxxxxxxx:function:xxxxxxxxxxxxx",
        "Condition": {
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:events:xxxxxxx:xxxxxx:rule/xxxxxxxxx"
            }
        }
}]

So i was looking onto something like for the AWS:SourceArn

arn:aws:events:xxxxxxx:xxxxxx:rule/*

To avoid hitting a hard limit, but i cannot seem to do it. Even in the lambda function itself on the console, you won't be able to create such a rule that will allow all cloudwatch event of a specified account to have access to the lambda function using a wildcard '*'.

Suggestions are much welcome. Thank you guys

2
amazon-web-servicesaws-lambdaboto3amazon-cloudwatch
Just to clarify... Is this a rule where you allow CloudWatch Events to trigger a Lambda function? Where are you putting/getting this policy? Is it related to Using AWS Lambda with Amazon CloudWatch Events - AWS Lambda? What happens if you try using the wildcard? I'd like to try and reproduce your situation, but don't have enough information of how to try it.John Rotenstein
@JohnRotenstein: yes, it is. eventually when too many cloudwatch events target the same lambda function, it hits the hard limit, and aws cannot do something about it (it cannot be increased). i haven't been able to create one, i am still finding a way at the moment how to achieve putting a wildcard on the lambda policyJeff

2 Answers

6
votes

This was accepted without an error:

$ aws lambda add-permission --function-name function_name\
    --action 'lambda:InvokeFunction' --principal events.amazonaws.com \
    --statement-id '1' \
    --source-arn arn:aws:events:ap-southeast-2:123456789012:rule/*

This will accept all CloudWatch Events rules.

You could instead name your rules such that the ones you want to allow can all have the same prefix in their name, eg:

--source-arn arn:aws:events:ap-southeast-2:123456789012:rule/Event-*
1
votes

I used the above CLI command but got an error in the console, please find the attached screenshot of the errorenter image description here. Please find below function policy of lambda:

{   "Version": "2012-10-17",   "Id": "default",   "Statement": [
    {
      "Sid": "events-access",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:096280016729:function:leto_debug_log",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:096280016729:rule/*"
        }
      }   
    }   
  ] }