You may need to grant permission for the AWS IoT service to invoke your Lambda function. Use the add-permission command to add a permission statement to your function's resource-based policy.
Reference : https://docs.aws.amazon.com/lambda/latest/dg/services-iot.html
If you are using CDK, you can perhaps try something like this below
import * as iam from 'aws-cdk-lib/aws-iam';

// Grant permission for AWS IoT to invoke the Lambda function
// (assumes `lambdaFunction` is an existing lambda.Function construct in the same stack)
const iotServicePrincipal = new iam.ServicePrincipal('iot.amazonaws.com');
lambdaFunction.grantInvoke(iotServicePrincipal);
The rule action must have permission to receive the original topic and publish the new topic.
The policies that authorize the rule to receive message data and republish it are specific to the topics used. If you change the topic used to republish the message data, you must update the rule action's role to update its policy to match the current topic.
If you suspect this is the problem, edit the Republish rule action and create a new role. New roles created by the rule action receive the authorizations necessary to perform these actions.
Hi Dave Meehan,
you must add the lambda:InvokeFunction permission to the Lambda function: https://docs.aws.amazon.com/iot/latest/developerguide/iot-sql-functions.html#iot-func-aws-lambda
Cheers,
Philipp
Please see my comment above
This shows the configuration of the lambda permissions. I believe this is consistent with the documentation.
Here is the topic rule (aws iot get-topic-rule ...):
{
    "ruleArn": "arn:aws:iot:eu-west-1:<<REDACTED>>:rule/Dev<<REDACTED>>AppLoriotIngestPayloadParserRule_81f3ecff",
    "rule": {
        "ruleName": "Dev<<REDACTED>>AppLoriotIngestPayloadParserRule_81f3ecff",
        "sql": "SELECT aws_lamdba('arn:aws:lambda:eu-west-1:<<REDACTED>>:function:Dev<<REDACTED>>AppLoriotIngestPayloadParser_96078392', *) as event.response, topic(3) as event.eui FROM '$aws/things/+/shadow/update/accepted' ",
        "createdAt": "2023-07-14T13:39:24+01:00",
        "actions": [
            {
                "republish": {
                    "roleArn": "arn:aws:iam::<<REDACTED>>:role/Dev<<REDACTED>>AppLoriotIngestPayloadParserRuleRepublish_3a5eba09",
                    "topic": "loriot/ingest",
                    "qos": 0,
                    "headers": {}
                }
            }
        ],
        "ruleDisabled": true,
        "awsIotSqlVersion": "2016-03-23",
        "errorAction": {
            "republish": {
                "roleArn": "arn:aws:iam::<<REDACTED>>:role/Dev<<REDACTED>>AppLoriotIngestPayloadParserRuleError_ff712474",
                "topic": "errors",
                "qos": 0,
                "headers": {}
            }
        }
    }
}
Agreed, that was missing and seems to have silenced the AWSIotV2 error messages, but the function still appears not to be called (the topic rule republishes but the lambda result is missing, although I can select other fields and see them republished). The function does not create a log group, log stream or log entries, but does when I 'test' it from the lambda console. This suggests that the topic rule might have a problem with the aws_lambda() call, but isn't treating it as an error (perhaps it just sees the result as null/undefined and therefore doesn't include it in the output). I'll post a screenshot of the lambda permissions, which shows that it has its own logs:* actions and a policy statement for IoT that allows lambda:InvokeFunction.
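As an added example (not code from this thread or from AWS), here is a Python check that cross-references the two artifacts discussed above, the rule returned by `aws iot get-topic-rule` and the Lambda's resource-based policy returned by `aws lambda get-policy`: it reports a disabled rule, rule SQL with no aws_lambda() call, and a function ARN that the iot.amazonaws.com principal is not allowed to invoke (including a SourceArn condition that names a different rule). The rule, policy, account id, role and function names below are constructed placeholders.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample inputs (placeholder account id and names, not the question's resources):
# RULE mimics `aws iot get-topic-rule` output, POLICY mimics `aws lambda get-policy` output.
FUNC_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:Parser"
RULE_ARN = "arn:aws:iot:eu-west-1:123456789012:rule/ParserRule"
RULE = {"ruleArn": RULE_ARN, "rule": {
    "ruleName": "ParserRule", "ruleDisabled": False,
    "sql": f"SELECT aws_lambda('{FUNC_ARN}', *) AS event.response, topic(3) AS event.eui "
           "FROM '$aws/things/+/shadow/update/accepted'",
    "actions": [{"republish": {"roleArn": "arn:aws:iam::123456789012:role/RepublishRole",
                               "topic": "loriot/ingest", "qos": 0}}]}}
POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "iot-invoke", "Effect": "Allow", "Principal": {"Service": "iot.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNC_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": RULE_ARN}}}]})}

def as_list(value):  # IAM accepts a scalar or a list for Service, Action and Resource
    return [value] if isinstance(value, str) else list(value or [])
def lambda_arns_in_sql(sql):
    """Function ARNs passed as the first argument of aws_lambda() in the rule SQL."""
    return re.findall(r"aws_lambda\(\s*'([^']+)'", sql, flags=re.IGNORECASE)
def iot_may_invoke(policy_doc, function_arn, rule_arn):
    """True if an Allow statement lets iot.amazonaws.com invoke function_arn for rule_arn."""
    for st in policy_doc.get("Statement", []):
        principal = st.get("Principal") if isinstance(st.get("Principal"), dict) else {}
        # `add-permission --source-arn` scopes the grant to one rule via an ArnLike condition
        source = (st.get("Condition") or {}).get("ArnLike", {}).get("AWS:SourceArn")
        if (st.get("Effect") == "Allow"
                and "iot.amazonaws.com" in as_list(principal.get("Service"))
                and {"lambda:InvokeFunction", "lambda:*"} & set(as_list(st.get("Action")))
                and {function_arn, "*"} & set(as_list(st.get("Resource")))
                and (not source or fnmatchcase(rule_arn, source))):
            return True
    return False
def check_rule(rule_output, policy_output):
    """Return findings about the rule/Lambda wiring; an empty list means it looks consistent."""
    rule, findings = rule_output["rule"], []
    if rule.get("ruleDisabled"):
        findings.append("rule is disabled")
    arns = lambda_arns_in_sql(rule["sql"])
    if not arns:
        findings.append("no aws_lambda() call found in rule SQL")
    policy_doc = json.loads(policy_output["Policy"])  # get-policy returns the document as a string
    for arn in arns:
        if not iot_may_invoke(policy_doc, arn, rule_output["ruleArn"]):
            findings.append(f"iot.amazonaws.com may not invoke {arn}")
    return findings
```

Run it against real `get-topic-rule` and `get-policy` output (parsed with json.load) before enabling a rule; an empty list means the rule, the function ARN in its SQL and the function's resource policy agree.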