I'm trying to set up Lambda transformations with a Firehose delivery stream. I have an IAM role defined for the Firehose which includes the following policy document:
    {
        "Statement": {
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": [<Arn>, ...],
            "Effect": "Allow"
        }
    }
I've also granted sts:AssumeRole access to the Lambda role from Firehose.
This should theoretically grant my Firehose "Invoke" access to the specified lambda ARNs. But the transforms are failing with
    {
        "errorCode": "Lambda.InvokeAccessDenied",
        "errorMessage": "Access was denied. Ensure that the access policy allows access to the Lambda function."
    }
and no function invocations are apparent from the Lambda console. Do I have my IAM components configured correctly? Or could something else be going wrong here?
Elsewhere in the ProcessingConfiguration for my Firehose, I had supplied a role to execute the lambda which did not have adequate permissions. By removing
    - ParameterName: RoleArn
      ParameterValue:
        Fn::GetAtt: [<Role>, Arn]
from the ProcessingConfiguration config set, the lambda was able to execute successfully using the appropriate role/policy.
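The failure mode in this answer (a Lambda processor whose RoleArn parameter points at a role without lambda permissions, so the delivery stream's own role is never used) can be caught before deployment by walking the template. The following checker is an added example, not code from the post; it assumes the CloudFormation template is already loaded into a Python dict, that the roles are AWS::IAM::Role resources in the same template with inline Policies, and it checks actions only, not the Resource ARNs each statement is scoped to.

```python
# Find Firehose Lambda processors whose effective role (the processor's RoleArn
# parameter if present, otherwise the delivery stream's RoleARN) lacks the
# actions Firehose needs to invoke the transform function.
REQUIRED = {"lambda:InvokeFunction", "lambda:GetFunctionConfiguration"}

def policy_actions(role):
    """Collect allowed actions from the inline policies of an AWS::IAM::Role resource."""
    actions = set()
    for pol in role["Properties"].get("Policies", []):
        stmts = pol["PolicyDocument"]["Statement"]
        if isinstance(stmts, dict):  # IAM accepts a single statement object or a list
            stmts = [stmts]
        for s in stmts:
            if s.get("Effect") != "Allow":
                continue
            acts = s["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def ref_name(value):
    """Resolve a logical resource id from Fn::GetAtt [Name, Arn] or a plain string."""
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        return value["Fn::GetAtt"][0]
    return value

def check_processors(template):
    """Return (stream, role, missing_actions) for every under-privileged Lambda processor."""
    findings, res = [], template["Resources"]
    for name, r in res.items():
        if r["Type"] != "AWS::KinesisFirehose::DeliveryStream":
            continue
        dest = r["Properties"]["ExtendedS3DestinationConfiguration"]
        stream_role = ref_name(dest["RoleARN"])
        for proc in dest.get("ProcessingConfiguration", {}).get("Processors", []):
            params = {p["ParameterName"]: p["ParameterValue"] for p in proc["Parameters"]}
            role = ref_name(params.get("RoleArn", stream_role))  # RoleArn overrides the stream role
            missing = REQUIRED - policy_actions(res[role])
            if missing:
                findings.append((name, role, sorted(missing)))
    return findings

def role_with(actions):  # constructed helper: minimal role resource allowing `actions`
    return {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "p",
        "PolicyDocument": {"Statement": {"Effect": "Allow", "Action": actions, "Resource": "*"}}}]}}

def stream(role, extra_params):  # constructed helper: delivery stream with one Lambda processor
    return {"Type": "AWS::KinesisFirehose::DeliveryStream", "Properties": {
        "ExtendedS3DestinationConfiguration": {"RoleARN": {"Fn::GetAtt": [role, "Arn"]},
            "ProcessingConfiguration": {"Enabled": True, "Processors": [{"Type": "Lambda",
                "Parameters": [{"ParameterName": "LambdaArn", "ParameterValue": "<LambdaArn>"}]
                              + extra_params}]}}}}

SAMPLE = {"Resources": {  # constructed template; the names are placeholders, not from the post
    "FirehoseRole": role_with(["lambda:InvokeFunction", "lambda:GetFunctionConfiguration"]),
    "WeakRole": role_with(["s3:PutObject"]),
    "BrokenStream": stream("FirehoseRole", [{"ParameterName": "RoleArn",
                                             "ParameterValue": {"Fn::GetAtt": ["WeakRole", "Arn"]}}]),
    "FixedStream": stream("FirehoseRole", []),  # RoleArn removed, as in the answer above
}}
```

Running `check_processors(SAMPLE)` reports only BrokenStream, naming WeakRole and the two missing lambda actions.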