Why wasn't my Lambda function triggered by my EventBridge rule?

Last updated: 2022-08-10

I created an Amazon EventBridge rule using the AWS Command Line Interface (AWS CLI), API, or AWS CloudFormation. However, the target AWS Lambda function isn't invoked. When I create or update the same EventBridge rule through the AWS Management Console, the rule works correctly. How can I troubleshoot this?

Short description

When you create an EventBridge rule with a Lambda function as the target, keep the following in mind:

  • When you create the rule in the EventBridge console, the console automatically adds the required permission to the function's resource-based policy.
  • When you create the same rule with the AWS CLI, an SDK, or AWS CloudFormation, you must add that permission to the function's resource-based policy yourself. Nothing fails when the rule is created; the missing permission only shows up when EventBridge tries to invoke the target.

The permission is a policy statement that allows the EventBridge service principal (events.amazonaws.com) to call lambda:InvokeFunction on the function. Scope the statement to the rule's ARN with a SourceArn condition; without that condition, any EventBridge rule in any AWS account could invoke the function.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Review CloudWatch metrics for the EventBridge rule

  1. Open the CloudWatch console.
  2. From the navigation pane on the left, under Metrics, select All Metrics.
  3. Select the AWS/Events namespace.
  4. Select Invocations and FailedInvocations metrics for the rule that you're reviewing.

Invocations data points show that the rule invoked the target. FailedInvocations data points mean that an invocation was attempted but failed permanently, typically because the target's permissions are missing or the target is misconfigured. If the rule shows neither metric, the rule isn't matching any events at all: check its TriggeredRules metric and its event pattern or schedule before looking at the target.

Confirm the permissions in the Lambda function's resource-based policy

  1. Open the AWS Lambda console.
  2. Select the target function.
  3. Select the Configuration tab, and then choose Permissions.
  4. Under the Resource-based policy section, review the policy document.

The following is a sample statement from a resource-based policy that allows EventBridge to invoke the Lambda function. The AWS:SourceArn condition limits the grant to the one rule:

{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
    }
  },
  "Sid": "InvokeLambdaFunction"
}

Note: Replace the Region, account ID, function name, and rule name in the ARNs before deploying, and keep the SourceArn condition. Without it, the statement lets any EventBridge rule in any AWS account invoke the function.

You can also retrieve the function's resource-based policy with the GetPolicy API (aws lambda get-policy --function-name function-name in the AWS CLI). The policy document is returned as a JSON string in the Policy field of the response.

If the existing resource-based policy doesn't contain the necessary permission, add it using the preceding steps as reference, or use the AddPermission API (add-permission in the AWS CLI). The following example adds a statement that lets the rule MyRule invoke the function MyFunction:

aws lambda add-permission \
--function-name MyFunction \
--statement-id MyId \
--action 'lambda:InvokeFunction' \
--principal events.amazonaws.com \
--source-arn arn:aws:events:us-east-1:123456789012:rule/MyRule
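Checking the policy by eye is error-prone once a function has several statements, so the following script, an added example that is not code from this article, parses saved `aws lambda get-policy` output and reports every Allow statement that lets events.amazonaws.com invoke the function. A statement is reported as scoped when its AWS:SourceArn condition matches the rule's ARN, and flagged when it has no SourceArn condition at all, which is the over-broad grant described above. The sample get-policy output is constructed, and the function, rule, account and Region values in it are placeholders.

```python
"""Check a Lambda function's resource-based policy for the statement that
lets a specific EventBridge rule invoke it.

Added example, not code from the AWS article. Standard library only, so it
runs offline against saved `aws lambda get-policy` output. The sample below
is constructed; its function, rule and account identifiers are placeholders.
"""
import fnmatch
import json
import sys

EVENTS_PRINCIPAL = "events.amazonaws.com"
INVOKE_ACTIONS = ("lambda:InvokeFunction", "lambda:*", "*")


def _as_list(value):
    """IAM accepts a bare string or a list for Action, Resource, Service and
    condition values; normalise both forms to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _arn_matches(arn, pattern):
    """ArnLike-style match: '*' and '?' are wildcards. (IAM additionally keeps
    '*' inside one colon-delimited segment; that corner case is ignored.)"""
    return fnmatch.fnmatchcase(arn, pattern)


def load_policy(get_policy_output):
    """Accept either the wrapper returned by `aws lambda get-policy`, whose
    "Policy" field is a policy document encoded as a JSON string, or a bare
    policy document."""
    doc = json.loads(get_policy_output) if isinstance(get_policy_output, str) else get_policy_output
    if isinstance(doc.get("Policy"), str):
        doc = json.loads(doc["Policy"])
    return doc


def find_invoke_grants(get_policy_output, function_arn, rule_arn):
    """Return [(sid, scoped_to_rule), ...] for every Allow statement that lets
    events.amazonaws.com call lambda:InvokeFunction on function_arn.

    scoped_to_rule is True when an AWS:SourceArn condition matches rule_arn,
    and False when the statement has no SourceArn condition at all, in which
    case any EventBridge rule in any AWS account can invoke the function.
    Statements whose SourceArn names some other rule are ignored: they are
    correctly scoped and simply do not apply to this rule.
    """
    grants = []
    for stmt in _as_list(load_policy(get_policy_output).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EVENTS_PRINCIPAL not in services:
            continue
        if not any(a in INVOKE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_arn_matches(function_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = []
        for operator in ("ArnLike", "ArnEquals"):
            for key, value in stmt.get("Condition", {}).get(operator, {}).items():
                if key.lower() == "aws:sourcearn":
                    patterns.extend(_as_list(value))
        if not patterns:
            grants.append((stmt.get("Sid"), False))
        elif any(_arn_matches(rule_arn, p) for p in patterns):
            grants.append((stmt.get("Sid"), True))
    return grants


def add_permission_argv(function_name, rule_arn, statement_id="InvokeLambdaFunction"):
    """The `aws lambda add-permission` call that adds a correctly scoped
    statement, as an argv list suitable for subprocess.run."""
    return ["aws", "lambda", "add-permission",
            "--function-name", function_name,
            "--statement-id", statement_id,
            "--action", "lambda:InvokeFunction",
            "--principal", EVENTS_PRINCIPAL,
            "--source-arn", rule_arn]


# Constructed sample of `aws lambda get-policy --output json` output: one
# correctly scoped statement and one with no SourceArn condition.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {"Sid": "InvokeLambdaFunction", "Effect": "Allow",
             "Principal": {"Service": "events.amazonaws.com"},
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
             "Condition": {"ArnLike": {"AWS:SourceArn":
                           "arn:aws:events:us-east-1:123456789012:rule/MyRule"}}},
            {"Sid": "AnyRuleAnywhere", "Effect": "Allow",
             "Principal": {"Service": "events.amazonaws.com"},
             "Action": "lambda:InvokeFunction",
             "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"},
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: aws lambda get-policy --function-name MyFunction --output json \
    #        | python3 check_invoke_permission.py <function-arn> <rule-arn>
    for sid, scoped in find_invoke_grants(sys.stdin.read(), sys.argv[1], sys.argv[2]):
        print(f"{sid}: {'scoped to this rule' if scoped else 'NO SourceArn condition (over-broad)'}")
```

An empty result for the rule you are troubleshooting means the invoke permission is missing, which is the failure mode described in this article; a grant reported without a SourceArn condition will make the rule work but should be replaced with a scoped statement.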

Add an Amazon SQS Dead Letter Queue to the target

EventBridge uses Amazon Simple Queue Service (Amazon SQS) dead-letter queues (DLQs) to store events that it couldn't deliver to a target. Attach an SQS DLQ to the target that reports FailedInvocations. Each message in the DLQ carries the original event together with ERROR_CODE and ERROR_MESSAGE attributes that explain why delivery failed, which gives more context on the issue. After you fix the cause, you can resend the failed events to the target for processing. EventBridge also needs permission to send messages to the queue: when you attach the DLQ in the console, the console adds an sqs:SendMessage statement for events.amazonaws.com to the queue's access policy, but if you attach the DLQ with the AWS CLI, an SDK, or AWS CloudFormation, you must add that statement yourself, just as with the Lambda invoke permission.

  1. Open the relevant rule in the EventBridge console.
  2. Under Targets, select Edit, and then expand the Additional settings section.
  3. Under Dead-letter queue, choose Select an Amazon SQS queue in the current AWS account to use as the dead-letter queue.
  4. Select an SQS queue to use as the DLQ.
  5. After the DLQ is assigned, complete the remaining steps in the Edit Rule section to save the changes.
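If you attach the DLQ from the command line instead of the console, you have to supply both the queue's access policy and the target's DeadLetterConfig. The following added example, which is not code from this article, builds the two documents and the matching AWS CLI invocations without calling AWS itself. The queue policy is scoped to the one rule with an aws:SourceArn condition so that no other rule or account can write into the DLQ. All identifiers (rule, queue, function, account, Region) are placeholders.

```python
"""Attach an SQS dead-letter queue to an EventBridge rule target from the
command line, including the queue policy the console would otherwise add.

Added example, not code from the AWS article. Identifiers are placeholders;
the functions only build JSON documents and AWS CLI argv lists.
"""
import json


def dead_letter_queue_policy(queue_arn, rule_arn):
    """SQS access policy that lets EventBridge deliver undeliverable events
    to the queue, restricted to one rule via aws:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventBridgeDeadLetterDelivery",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }


def set_queue_policy_argv(queue_url, policy):
    """`aws sqs set-queue-attributes` argv; the Policy attribute is the policy
    document serialised as a string inside the attributes map."""
    return ["aws", "sqs", "set-queue-attributes",
            "--queue-url", queue_url,
            "--attributes", json.dumps({"Policy": json.dumps(policy)})]


def put_targets_argv(rule_name, target_id, function_arn, queue_arn):
    """`aws events put-targets` argv that registers (or updates) the Lambda
    target with a DeadLetterConfig pointing at the queue. put-targets updates
    the whole target definition for an existing Id, so carry over any other
    settings the target already has (for example an input transformer)."""
    targets = [{"Id": target_id, "Arn": function_arn,
                "DeadLetterConfig": {"Arn": queue_arn}}]
    return ["aws", "events", "put-targets",
            "--rule", rule_name,
            "--targets", json.dumps(targets)]


if __name__ == "__main__":
    # Placeholder identifiers; the queue must be in the same Region as the rule.
    rule_arn = "arn:aws:events:us-east-1:123456789012:rule/MyRule"
    queue_arn = "arn:aws:sqs:us-east-1:123456789012:MyRuleDLQ"
    queue_url = "https://sqs.us-east-1.amazonaws.com/123456789012/MyRuleDLQ"
    function_arn = "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
    policy = dead_letter_queue_policy(queue_arn, rule_arn)
    for argv in (set_queue_policy_argv(queue_url, policy),
                 put_targets_argv("MyRule", "1", function_arn, queue_arn)):
        print(" ".join(argv))
```

Run the two commands in that order: set the queue policy first, then update the target, so that the first undeliverable event after the change can already be written to the queue. The printed commands are for reading; when automating, pass the argv lists to subprocess.run so the embedded JSON needs no shell quoting.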