I'm new to CloudFormation and want to trigger a Lambda function with the new event scheduler (AWS::Scheduler::Schedule).
But although I added the permissions (lambda:InvokeFunction with the EventBridge principal) to the scheduler, I still need to specify a RoleArn, otherwise it throws an error.
Does that mean I have to define a new role for the scheduler target? Which role should I use, and how is it done with CloudFormation?
Thanks a lot, any help is highly appreciated! BR Simon
```yaml
#...
  TriggerStop20dailyCET:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: Stop RDS and EC2 with Tag 20:00
      Name:
        !Join
          - '-'
          - - Ref: Prefix
            - Ref: Title
            - "20-00_CET"
      FlexibleTimeWindow:
        Mode: FLEXIBLE
        MaximumWindowInMinutes: 1
      ScheduleExpressionTimezone: Europe/Zurich
      ScheduleExpression: "cron(0 20 * * ? *)"
      State: "ENABLED"
      Target:
        Arn:
          Fn::GetAtt:
            - LambdaInstSchedDispatcher
            - Arn
        #RoleArn: Fn::GetAtt: [ "<which role to use?>", "Arn" ] -> without this key an error is thrown
        Input: '{"action": "stop", "TagValues":["20:00"]}'

  #here I add permissions that "TriggerStop20dailyCET" can trigger "LambdaInstSchedDispatcher" function
  PermissionAForEventsToInvokeLambda:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref LambdaInstSchedDispatcher
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn:
        Fn::GetAtt:
          - TriggerStop20dailyCET
          - Arn
#...
```
Rather than using a permission (this is how it was done with EventBridge Rules), Schedule uses IAM roles. In other words, instead of permissions you just need to create an IAM role.
Here is one that is working for me:
```yaml
  # Execution role the schedule assumes; reference it from the schedule's Target.RoleArn
  SchedulerScheduleRole:
    Type: AWS::IAM::Role
    Properties:
      Description: your-description
      RoleName: your-role-name
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - scheduler.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: your-policy-name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "lambda:InvokeFunction"
                Resource:
                  Fn::GetAtt:
                    - LambdaInstSchedDispatcher
                    - Arn
```
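Putting the answer's role together with the schedule from the question, as an added example that is not the asker's or the answerer's template: the schedule's Target.RoleArn points at the role (the property the question was missing), the role's trust policy names scheduler.amazonaws.com rather than events.amazonaws.com, and the AWS::Lambda::Permission resource is dropped because Scheduler invokes the function with the assumed role, not through a resource policy. The trust policy also carries the aws:SourceAccount and aws:SourceArn conditions that the EventBridge Scheduler documentation recommends against cross-service confused-deputy abuse, so a schedule in another account cannot assume the role; the aws:SourceArn pattern assumes the schedule lives in the default schedule group. The Prefix and Title parameters and the LambdaInstSchedDispatcher function are assumed to be defined elsewhere in the same template.

```yaml
# Added example, not from the question or answer: an EventBridge Scheduler
# schedule invoking a Lambda function through a scoped execution role.
# Assumes Parameters Prefix/Title and the LambdaInstSchedDispatcher
# function are defined elsewhere in this template.
Resources:
  SchedulerInvokeLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Lets EventBridge Scheduler invoke the dispatcher Lambda
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: scheduler.amazonaws.com   # not events.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only schedules from this account, in the
            # default schedule group, may assume the role.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/default/*"
      Policies:
        - PolicyName: invoke-dispatcher
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: lambda:InvokeFunction
                # Scoped to the one target function; no wildcard resource.
                Resource: !GetAtt LambdaInstSchedDispatcher.Arn

  TriggerStop20dailyCET:
    Type: AWS::Scheduler::Schedule
    Properties:
      Description: Stop RDS and EC2 with Tag 20:00
      Name: !Sub "${Prefix}-${Title}-20-00_CET"
      GroupName: default
      FlexibleTimeWindow:
        Mode: FLEXIBLE
        MaximumWindowInMinutes: 1
      ScheduleExpressionTimezone: Europe/Zurich
      ScheduleExpression: "cron(0 20 * * ? *)"
      State: ENABLED
      Target:
        Arn: !GetAtt LambdaInstSchedDispatcher.Arn
        # RoleArn is required for every Scheduler target; the GetAtt also
        # makes CloudFormation create the role before the schedule.
        RoleArn: !GetAtt SchedulerInvokeLambdaRole.Arn
        Input: '{"action": "stop", "TagValues": ["20:00"]}'
```

The role is the only trust relationship in play: if you later point another schedule at a different function, extend this role's policy (or give that schedule its own role) rather than widening the Resource to a wildcard. If you move the schedule into a named schedule group, change the `schedule/default/*` pattern in aws:SourceArn to match, otherwise Scheduler will fail to assume the role.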