I’m trying to publish events from a function to an...
# help
c
I’m trying to publish events from a function to an EventBridge bus in another service’s stack (e.g. a common, custom bus that is located within a separate project but the same AWS account). I’ve created a test project to try to send and receive events from this external service but I seem to be running in circles trying to get the permissions to work correctly. In the stack code (in thread) I created a local reference to the external bus (line 42) and have tried a variety of syntaxes to allow the ‘publish’ function to utilize it (lines 105-121) but all of these hit the same error -
```
error: AccessDeniedException: User: arn:aws:sts::635813714697:assumed-role/dev-si-install-event-tes-PublishEndpointLambdaPOS-1DZZ050R2GA5Z/dev-si-install-event-test-PublishEndpointLambdaPOS-fgyGrM4H3RQT is not authorized to perform: events:PutEvents on resource: arn:aws:events:us-east-1:635813714697:event-bus/default because no identity-based policy allows the events:PutEvents action
```
Ideally I’d like to add least permissions to the function (grantPutEventsTo). Any ideas where I’m getting this wrong? Thanks
t
Hey I do the same thing but here's what I have
```
const bus = new sst.EventBus(this, "Bus", {
  eventBridgeEventBus: events.EventBus.fromEventBusName(
    this,
    "BusInner",
    ssm.BUS_NAME
  ),
})

app.addDefaultFunctionPermissions([
  bus,
])
```
c
Ah, ok, thanks Dax. So adding it as a default prop is working? That’s good to hear. Do you know if there’s a way to scope those permissions a bit more to specific functions or rights? Not sure why it’s borking when I try to do that directly in the stack
t
so this isn't working:
```
publish.attachPermissions([
  eventHubBus
]);
```
c
Nope. All 3 syntaxes seem to produce same error
t
is the issue in your code? It looks like it's publishing to `event-bus/default` - isn't that the precreated one?
c
Hmmm.. maybe
I may be a bit confused on how to use SDK to send things to EB
It looked like you had to create an EB client and I wasn’t sure if routing to correct bus happened via params
Current handler code
t
Can you log process.env.BUS_ARN to make sure it's right
Your code looks right, I haven't updated to sdkv3 yet so I don't know the api as well
But if it's not getting an event bus name it defaults to the default bus which will error
c
Interesting - `process.env.BUS_ARN` is coming up as undefined. Hmmm…
t
in the aws ui, if you find the function and check its env variables is it set?
c
is this the right way to pass it in from stack?
```
const publish = new sst.Function(this, 'Publish', {
  handler: 'src/handler.publish',
  environment: {
    BUS_ARN: subsystemEventHubBusArn,
  },
});
```
I’ll check
t
ah I think it expects the bus name, not the ARN
Think you can do `BUS_NAME: eventHubBus.eventBusName`
c
Maybe, I was going from this which suggested it could use ARN too
It’s still weird that BUS_ARN value isn’t passing in to the function for some reason
I think the vars not passing in (or being available) may be crux of it – is there a way to check or log what values are being loaded in CDK before they’re passed?
t
I don't think so - if you log it in your cdk code do you get undefined or some TOKEN123 thing
c
Yep, seeing that now. Does TOKENxxx mean it’s an actual value and at least not null? 😂
t
yeah it should be getting passed through I'm not sure why it's not
can you check in the aws lambda console to see if it's in the environment tab
under the function settings
c
You bet - looking now
They are showing up there. Tried passing a simple string from stack to function too (my name) which is also logging as undefined in function for some reason -
t
and is this under SST start mode?
c
yep, via `npm run start`
t
can you make a simple test function that does nothing but print `process.env` and see what you get
c
sure, one sec
@thdxr got it - is there a specific piece you’re interested in or helpful to see whole thing (scrubbed of ids)?
t
So even with the simple function the right variables aren't coming down?
Are you seeing anything like AWS_SESSION_TOKEN or the like
can you DM me your debug.log?
c
yep, you bet - thanks
Was able to finally sort this out. In case anyone else runs into similar issue - It looks like I didn’t realize the API Construct automatically creates functions under the covers for its defined routes. I had created and tried to pass vars to a Function that wasn’t actually being hit, and the vars were not being passed to API’s implicitly created function. So instead needed to be doing something like this –
```
const api = new sst.Api(this, 'Publish Endpoint', {
  routes: {
    'POST /': {
      function: {
        srcPath: "src/",
        handler: "handler.publish",
        environment: { BUS_ARN: subsystemEventHubBusArn },
        permissions: [ eventHubBus ],
      },
    },
  },
});
```