Open in app

Sign in

Write

Sign in

aws-讓lambda跨region被呼叫

sasa :)
6 min readJun 29, 2018

--

起因:在多個region用cloudwatch即時監控相關資訊,並將需要的資訊拋進slack/line。但又因為cloudwatch只能呼叫自己region內的sns/lambda,因此想說看可不可以跨region or account去做呼叫,這樣我的lambda只需要maintain一隻就夠。

爬了一些地方,都沒看到解法

後來詢問了專業的,說可以用cli去控制lambda的權限讓他cross region呼叫

因此調整了估狗關鍵字後找到了這篇文章

Four AWS CLI Commands to Set Up a Cross-Region/Account SNS Topic Subscription & Permissions |…

As I mentioned in my previous post, you can subscribe an AWS SNS topic in one region/account to a Lambda function in a…

www.rainingforks.com

謝謝這位高手讓我終於搞定這件事。

以下針對上面玩完後做些筆記:

目前情境:lambda在Tokyo,要讓Virginia的sns可以呼叫

lambd@tokyo先建立好

sns cli的文件可以看這裡

1. 在Virginia建一個sns topic

aws sns create-topic --name aws-check-info --region "us-east-1"

region要指定喔~ 不然他會跑去aws configure裡面預設的region

按下enter後會回傳

{
“TopicArn”: “arn:aws:sns:us-east-1:11111111:aws-check-info”
}

2. 給這個sns權限

aws sns add-permission --topic-arn arn:aws:sns:us-east-1:11111111:aws-check-info --label lambdaAccess --aws-account-id 11111111 --action-name Subscribe ListSubscriptionsByTopic Receive --region "us-east-1"

若語法正確,按下enter後就結束這回合(對,沒有任何回傳的東西)

簡單翻譯一下上面指令

在sns add-permission中必填參數有四個
* topic-arn:要開權限改哪個arn
* label:一個標籤(隨便打)
* aws-account-id:你要開給哪一個account-id做使用(因為是開給自己的另外region用,所以是自己的account-id)
* action-name:開什麼權限

region:這個sns所在的region

3. 在lambda裡面加權限

aws lambda add-permission --function-name "system-alert-to-slack" --statement-id "Lambda-system-alert-to-slack-us-east-1" --action "lambda:InvokeFunction" --principal sns.amazonaws.com --source-arn arn:aws:sns:us-east-1:11111111:aws-check-info --region "ap-northeast-1"

再來翻譯一下指令 lambda cli可以看這裡

在lambda add-permission也有四個必填參數
* function-name:要呼叫的lambda function name
* statement-id:隨便key的一個key值
* action:可以授權給人家lambda的什麼權限
* principal:誰可以拿到這個permission(以此範例就是sns阿)
region:指的是這個lambda的region喔~

按下enter後會回傳
{
"Statement": "{\"Sid\":\"Lambda-system-alert-to-slack-us-east-1\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"sns.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:ap-northeast-1:11111111:function:system-alert-to-slack\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:sns:us-east-1:11111111:aws-check-info\"}}}"
}

我之前就在lambda add-permission這裡卡很久

終於過關趕快寫下來XD

4. create sns subscribe

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:11111111:aws-check-info --protocol lambda --notification-endpoint arn:aws:lambda:ap-northeast-1:11111111:function:system-alert-to-slack --region "us-east-1"

再來翻譯一下指令

在sns subscribe有二個必填參數
* topic-arn:咱們sns的arn
* protocol:lambda(指的是要用什麼方式傳送這個訊息)
notification-endpoint:要引用的lambda的arn(這個

回傳這個表示搞定
{
"SubscriptionArn": "arn:aws:sns:us-east-1:518375879370:aws-check-info:6b35cdaa-d5f0-4ecc-8594-33918e67a1e7"
}

以上,終於搞定

謝謝收看~

是說aws新手上路,問題蠢蠢請各看官多多包涵 😄

有錯也煩請指正

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

AWS Lambda
Cross Region

--

--

sasa :)
sasa :)

Written by sasa :)

13 Followers
5 Following

目標是做一個讓所有人都聽得懂技術語言的transfer person

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams