
Lambda@Edge through Go SDK


I am trying to associate a Lambda@Edge Function using the AWS Go SDK.

  1. Creating the Function by hand in the console and assigning it to the Cloudfront distro using the SDK => works.

  2. Creating the Function (using the same IAM role from 1.) in the code w/o assigning to cloudfront => works.

  3. Assigning the created function from 2. by hand in the console => fails.

  4. Assigning the created function from 2. via the SDK => fails.

  5. Deploying the created function from 2. by hand in the lambda console (Actions => deploy to lambda@edge) => works. => after this the function can be assigned by hand and by code w/o problems...

The error in 3. and 4. is the same:

    InvalidLambdaFunctionAssociation: Lambda@Edge cannot retrieve the specified Lambda function. Update the IAM policy to add permission: lambda:GetFunction for resource: arn:aws:lambda:us-east-1:123456789:function:example:1 and try again.

What confuses me is that I am reusing the same role that was created during 1.

This is how I create the function by code:

    lam := lambda.New(session)
    lam.CreateFunction(&lambda.CreateFunctionInput{
        FunctionName: aws.String("example"),
        Handler:      aws.String("index.handler"),
        Runtime:      aws.String("nodejs12.x"),
        Role:         aws.String("arn:aws:iam::123456:role/service-role/existing-role"),
        Code: &lambda.FunctionCode{
            S3Bucket: aws.String("bucket-xyz"),
            S3Key:    aws.String("source.zip"),
        },
    }) // works w/o issues

    lam.AddPermission(&lambda.AddPermissionInput{
        FunctionName: aws.String("example"),
        StatementId:  aws.String("AllowExecutionFromCloudFront"),
        SourceArn:    aws.String("arn:aws:cloudfront::12333456:distribution/CDNID1234"),
        Principal:    aws.String("edgelambda.amazonaws.com"),
        Action:       aws.String("lambda:GetFunction"),
    }) // also works w/o error

    // assigning the created lambda function would now fail

using

go 1.13

github.com/aws/aws-sdk-go v1.31.8


Solution

  • I found the issue.

    The error has absolutely nothing to do with the actual problem. Very misleading error if you ask me.

    All that's been missing is a published version of the lambda function at hand.

    To achieve that using the Go SDK you have to do:

    lam := lambda.New(session)
    lam.PublishVersion(&lambda.PublishVersionInput{
        FunctionName: aws.String("example"),
        Description:  aws.String("Dont forget to publish ;)"),
    })
    

    using the CLI you would want to do the following:

    aws lambda publish-version --function-name example --description "Dont forget to publish"
    

    It actually makes sense that you cannot use a function that hasn't been published. However the error from AWS didn't really help there.

    Hopefully this can help anybody!