Why wasn't my Lambda function triggered by my EventBridge rule?

4 minute read
0

I want to troubleshoot why the Amazon EventBridge rule that I created using the AWS Command Line (AWS CLI) doesn’t invoke my AWS Lambda function.

Short description

Use the following steps to identify the issue:

  1. Confirm that the event source published an event and triggered the associated Amazon EventBridge rule.
  2. Confirm that EventBridge rule invoked the configured target.
  3. If there is a target invocation failure, confirm that the AWS Lambda function has the appropriate permissions in its resource policy.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

Review CloudWatch metrics for the EventBridge rule

  1. Open the Amazon CloudWatch console.
  2. From the navigation pane on the left, under Metrics, choose All Metrics.
  3. Select the AWS/Events namespace.
  4. Select the TriggerRules, Invocations, and the FailedInvocations (if available) metrics for the rule in question. If necessary, view these metrics with the SUM statistic.
    Note: The TriggerRules datapoints indicate that an event triggered the EventBridge rule. The Invocation datapoints indicate that the EventBridge rule invoked the corresponding target. If the metrics include FailedInvocations data points, these indicate that the rule might have failed to invoke the target. FailedInvocations represent a permanent failure and might be caused by incorrect permissions or a misconfigured target.

Confirm that the Lambda function's resource policy has the appropriate permissions

Keep the following in mind when you create an EventBridge rule with a Lambda function as the target:

  • When you use the Amazon EventBridge console to create the rule, the console automatically adds the appropriate permissions to the function's resource policy.
  • When you use AWS CLI, SDK, or AWS CloudFormation to create a rule, you must manually apply the permissions in the resource policy.

The permissions grant the Amazon EventBridge service access to invoke the Lambda function.

Review the permissions associated with the target Lambda function

Follow these steps:

  1. Open the AWS Lambda console.
  2. Choose the target Lambda function.
  3. Choose the Configuration tab, and then choose Permissions.
  4. Under the Resource-based policy section, review the policy document.

Or, use the GetPolicy API or the get-policy AWS CLI command with the appropriate inputs to retrieve the Lambda function's resource policy.

The following example shows a resource policy that allows EventBridge to invoke the Lambda function:

{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
    }
  },
  "Sid": "InvokeLambdaFunction"
}

Note: Replace the ARN with the appropriate Region, account ID, and resource name.

Update the resource policy

Follow these steps if you need to update the resource policy:

  1. Open the AWS Lambda console.
  2. Choose the target Lambda function.
  3. Choose the Configuration tab, and then select Permissions.
  4. In the Resource-based policy section, choose Add permissions.
  5. Select AWS Service - EventBridge (CloudWatch Events).
  6. Provide the Statement ID (Sid) as an optional identifier for your policy statement.
  7. Provide Principal as events.amazonaws.com.
    Note: Usually this is auto-filled.
  8. Provide Source ARN as an ARN of the EventBridge rule.
  9. For Action, select lambda:InvokeFunction from the dropdown list.
  10. Choose Save.

You can also update the policy using AddPermission API or the AWS Lambda add-permission AWS CLI command.

For example:

aws lambda add-permission \--function-name MyFunction \
--statement-id MyId \
--action 'lambda:InvokeFunction' \
--principal events.amazonaws.com \
--source-arn arn:aws:events:us-east-1:123456789012:rule/MyRule

Add an Amazon SQS dead-letter queue to the target

EventBridge uses Amazon Simple Queue Service (Amazon SQS) DLQs to store events that couldn't be delivered to a target. Attach an Amazon SQS DLQ to the target reporting FailedInvocations. Retrieve the events from the DLQ for analysis and to obtain more context on the issue. Following remediation, the failed events can be resent to the target for processing.

  1. Open the relevant rule in the EventBridge console.
  2. Under Targets, select Edit, and then expand the Additional settings section.
  3. Under Dead-letter queue, choose Select an Amazon SQS queue in the current AWS account to use as the dead-letter queue.
  4. Select an SQS queue to use as the DLQ.
  5. After you've assigned the DLQ, complete the remaining steps in the Edit Rule section to save the changes.

Related information

My rule ran but my Lambda function wasn't invoked

Using resource-based policies for Amazon EventBridge: AWS Lambda permissions

Event retry policy and using dead-letter queues

Improved failure recovery for Amazon EventBridge

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago