Context: AWS, S3, Lambda, Batch.
I have a lambda that is triggered when a file is uploaded to an S3 bucket. I want the lambda to submit a Batch job.
(edit: Between S3 and Lambda everything works fine. The problem is between Lambda and Batch.)
Q: What is the role I have to give to the lambda in order to be able to submit the batch job?
My lambda gets an AccessDeniedException and fails to submit the job when:

    const params = {
      jobDefinition: BATCH_JOB_DEFINITION,
      jobName: BATCH_JOB_NAME,
      jobQueue: BATCH_JOB_QUEUE,
    };
    Batch.submitJob(params).promise() .then .......

It seems that this was the role I was looking for: batch:SubmitJob. Using this role, the lambda was able to submit the job.

    iamRoleStatements:
      - Effect: Allow
        Action:
          - batch:SubmitJob
        Resource: "arn:aws:batch:*:*:*"

Hi Costin. How did you figure out how to do this? Specifically, how did you realize the action you needed was SubmitJob? And how did you know the resource had to be arn:aws:batch:*:*:*? I see the resource has the same pattern as some other examples I found online (e.g. n2ws.com/blog/aws-automation/lambda-function-s3-event-triggers). But what is the difference between arn:aws:batch:*:*:* and batch:*?

I do not remember where I've seen it, but I think there was a lucky guess from the AWS Batch - Actions page. The arn:aws:batch:*:*:* follows the ARN syntax. Once you understand how it is built you'll be able to target any AWS resource, with closed eyes :)

It might be good to restrict the resources available (e.g. don't want your testing lambda to deploy to a batch instance in production)
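
The resource scoping suggested in the last comment, as an added example that is not part of the original thread: it splits a Batch ARN into its fields, flags the fields the answer's statement leaves as `*`, and builds a statement limited to one job queue and one job definition. The region, account id and resource names are constructed placeholders, and the helper function names are hypothetical.

```javascript
// Added example, not code from the thread. Region, account id and the
// queue/job-definition names are constructed placeholders.

// ARN layout: arn:partition:service:region:account-id:resource
function parseArn(arn) {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") throw new Error(`not an ARN: ${arn}`);
  const [, partition, service, region, account] = parts;
  // The resource part can contain ":" itself (job-definition/name:revision).
  return { partition, service, region, account, resource: parts.slice(5).join(":") };
}

// Statement allowing SubmitJob on one queue with one job definition only.
function scopedSubmitJobStatement({ region, account, jobQueue, jobDefinition }) {
  const base = `arn:aws:batch:${region}:${account}`;
  return {
    Effect: "Allow",
    Action: ["batch:SubmitJob"],
    Resource: [
      `${base}:job-queue/${jobQueue}`,
      // Listed with and without a revision so the statement matches either
      // way the caller names the job definition.
      `${base}:job-definition/${jobDefinition}`,
      `${base}:job-definition/${jobDefinition}:*`,
    ],
  };
}

// List every ARN field in a statement that is left as a bare "*".
function findWildcards(statement) {
  const findings = [];
  for (const arn of [].concat(statement.Resource)) {
    const parsed = parseArn(arn);
    for (const field of ["region", "account", "resource"]) {
      if (parsed[field] === "*") findings.push(`${arn}: ${field} is "*"`);
    }
  }
  return findings;
}

// The statement from the answer: any region, any account, any Batch resource.
const broad = { Effect: "Allow", Action: ["batch:SubmitJob"], Resource: "arn:aws:batch:*:*:*" };
const scoped = scopedSubmitJobStatement({
  region: "eu-west-1", account: "111122223333",
  jobQueue: "test-queue", jobDefinition: "test-job",
});
console.log(findWildcards(broad));
console.log(JSON.stringify(scoped, null, 2));
```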