I am trying to make a simple step function workflow but something really, really strange is happening.
I am trying to chain a "putItem" inside a DynamoDB, with a basic Lambda. I am quite literally following the documentation step by step, yet somehow I get this error:
{
  "resourceType": "lambda",
  "resource": "invoke",
  "error": "Lambda.AWSLambdaException",
  "cause": "The role defined for the function cannot be assumed by Lambda. (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: b90b985a-1aca-4c5c-a340-df9b3dcdfcf7; Proxy: null)"
}
As I said, I literally followed the documentation's steps, in particular flagging create role for the Lambda function at creation of the state machine.
This is the autogenerated code of the state machine:
{
  "Comment": "A description of my state machine",
  "StartAt": "DynamoDB PutItem",
  "States": {
    "DynamoDB PutItem": {
      "Type": "Task",
      "Resource": "arn:aws:states:::dynamodb:putItem",
      "Parameters": {
        "TableName": "CustomerOrderTable",
        "Item": {
          "orderId": {
            "S.$": "$.orderId"
          },
          "customerId": {
            "S.$": "$.customerId"
          }
        }
      },
      "Next": "Lambda Invoke"
    },
    "Lambda Invoke": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "OutputPath": "$.Payload",
      "Parameters": {
        "Payload.$": "$",
        "FunctionName": "arn:aws:lambda:eu-central-1:597598337678:function:Test:$LATEST"
      },
      "Retry": [
        {
          "ErrorEquals": [
            "Lambda.ServiceException",
            "Lambda.AWSLambdaException",
            "Lambda.SdkClientException",
            "Lambda.TooManyRequestsException"
          ],
          "IntervalSeconds": 2,
          "MaxAttempts": 6,
          "BackoffRate": 2
        }
      ],
      "End": true
    }
  }
}
Is there something I need to change here? Or where could the problem be? I am really clueless.
Thank you for any help 🙂
2 Answers
The issue was the fact that I was using a test lambda that I created to which I granted only specific permissions. Thus, always double and triple check permissions.
You must ensure the execution role you assign to your Lambda has a trust relationship with Lambda so that it can use the role. To do so, your trust relationship should look like this:
You can get more information on this here.
If you are following this tutorial, it makes it clear that the role you create should be using the option that states "Create a new role with basic Lambda permissions", which will create the trust relationship for you.
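The trust relationship discussed above, as an added example that is not part of the original answers: a Lambda execution role's trust policy must allow the `lambda.amazonaws.com` service principal to call `sts:AssumeRole`. The checker below tests a trust policy document for that statement; the function names and sample policies are hypothetical and constructed for illustration.

```python
import json

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"

def as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lambda_can_assume(trust_policy):
    """True if the trust policy lets the Lambda service call sts:AssumeRole.

    Strict by design: wildcards and Condition blocks are not evaluated, and a
    Deny statement that names the Lambda service overrides any Allow.
    """
    if isinstance(trust_policy, str):
        trust_policy = json.loads(trust_policy)
    allowed = False
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # e.g. "*" or missing: not a service trust entry
        services = as_list(principal.get("Service"))
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if LAMBDA_PRINCIPAL not in services or "sts:assumerole" not in actions:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def make_policy(effect, services):
    """Build a constructed one-statement trust policy for the samples below."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": effect, "Principal": {"Service": services},
         "Action": "sts:AssumeRole"}]}

# Constructed sample trust policies (not taken from the question's account).
SAMPLES = {
    "lambda-trusted": make_policy("Allow", "lambda.amazonaws.com"),
    "states-only": make_policy("Allow", "states.amazonaws.com"),
    "both-services": make_policy("Allow", ["states.amazonaws.com", "lambda.amazonaws.com"]),
}

def check_samples():
    return {name: lambda_can_assume(doc) for name, doc in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name}: {'OK' if ok else 'Lambda cannot assume this role'}")
```

A role whose trust policy names only another service, such as the `states-only` sample, produces the "cannot be assumed by Lambda" error from the question when attached to a function.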