EventBridge 调用 Lambda 作为目标

Question

We are designing a solution which has a Lambda function as a source and another Lambda function as a target to EventBridge. I read that for the put_rule part, the RoleArn has the ARN for the role which the rule will use needs to have the permission to invoke the target Lambda function. But for Lambda we don't use IAM roles, but use resource bases policies instead.

The question is, where we are specifying the resource based policy in the code. In the RoleArn ? And what's the fields in the targets part for the target Lambda function?

eventclient = boto3.client('events')

response = eventclient.put_rule(
    Name='notificationScheduler',
    ScheduleExpression='at(2023-02-01T02:30:00)',
    State='ENABLED',
    Description='schedule notifications reminders '
    **RoleArn**='string', ## The ARN for the role which the rule will use needs to have the permission to invoke the target lambda function
)

response = eventclient.put_targets(
    Rule='notificationScheduler',
    Targets=[{ ??? }]
)

Answer 1

You must use a Lambda resource policy to grant EventBridge invoke permissions, not a role.

Docs : Amazon SQS, Amazon SNS, Lambda, CloudWatch Logs, and EventBridge bus targets do not use roles, and permissions to EventBridge must be granted via a resource policy. API Gateway targets can use either resource policies or IAM roles.

Create the Lambda permissions (= resource policy) with the AddPermission API:

lambdaclient.add_permission(FunctionName=func_name, StatementId="MyPermissionId", Action="lambda:Invoke", Principal="events.amazonaws.com")

Add the Lambda function as a rule target by ARN:

eventclient.put_targets(Rule="notificationScheduler",  Targets=[{"Id": "MyLambdaTarget", "Arn": func_arn }])