Amazon AWS Lambda
Introduction

This guide tells you how to authenticate the Amazon AWS Lambda connector in Swimlane using AWS access keys and (optionally) an assumable IAM role. You will create or identify an IAM principal, generate credentials, assign the required permissions to invoke Lambda functions, collect required identifiers, and configure the connector asset in Swimlane.

Prerequisites

AWS access requirements

You must have AWS permissions to:

- Create or manage IAM users (or another IAM principal) for programmatic access
- Create and manage IAM roles (optional, if you will use role assumption)
- Create and manage IAM policies/permissions for AWS Lambda
- View the AWS Region where your Lambda functions are deployed

Required credentials

During setup, you will collect:

- AWS access key ID
- AWS secret access key
- AWS Region (region name)
- Role ARN (role arn) - required by this connector

Required permissions

At minimum, the IAM role used by the connector must be allowed to invoke the target Lambda function(s). If you use role assumption, the calling IAM principal must also be allowed to assume the role.

Minimum IAM permissions typically include:

- lambda:InvokeFunction (on the specific function ARN(s) you will invoke)
- sts:AssumeRole (only if you are using role assumption via role arn)

AWS setup

Take the following steps to create (or identify) an IAM user for programmatic access:

1. Log in to the AWS Management Console.
2. Open the IAM console.
3. In the left navigation pane, select Users.
4. Select an existing user (recommended) or create a new user for programmatic access.

Take the following steps to generate an access key for the IAM user:

1. From IAM, open the selected user.
2. Open the Security credentials tab.
3. Under Access keys, click Create access key.
4. Select the appropriate use case (for example, Command Line Interface (CLI) or Application running outside AWS).
5. Click Next, optionally add a description tag, then click Create access key.
6. Copy and securely store the access key and secret access key. You will not be able to view the secret access key again after you close this window.

Take the following steps to create an IAM role for the connector to assume (role arn):

1. In the IAM console, select Roles, then click Create role.
2. For Trusted entity type, select AWS account (or the appropriate trusted entity for your environment).
3. In the trust policy, allow the IAM principal used by Swimlane (for example, your IAM user or your AWS account) to assume the role using sts:AssumeRole.
4. Attach (or create and attach) a permissions policy that allows lambda:InvokeFunction for the required Lambda function ARN(s).
5. Name the role and create it.
6. Open the newly created role and copy the Role ARN. This value will be used as role arn in the Swimlane connector.

Configuration in Swimlane

Take the following steps to configure the Amazon AWS Lambda connector asset in Swimlane:

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and click Assets.
3. Click the plus icon to open the Configure your connector asset window.
4. Select Amazon AWS Lambda from the Asset type list.
5. Fill in the asset settings and asset input as shown. Fields with marks are required.
6. Click Create.

Troubleshooting

If authentication fails or actions return authorization errors:

- Verify the access key ID and secret access key are correct and active for the IAM user.
- Confirm region name matches the Region where the Lambda function exists.
- If using role arn, confirm the Role ARN is correct and the role trust policy allows the calling IAM principal to assume it (sts:AssumeRole).
- Confirm the assumed role has lambda:InvokeFunction permission for the target function ARN(s).
- If you receive AccessDeniedException when invoking a function, check the Lambda function resource policy (if used) and the role policy for the exact function ARN and qualifier (versions/aliases).
- If requests fail behind a corporate proxy, configure http proxy and confirm the proxy allows outbound connectivity to AWS endpoints.

Result

You have successfully authenticated the Amazon AWS Lambda connector in Swimlane.

Sources

- AWS IAM User Guide: Managing access keys for IAM users - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
- AWS IAM User Guide: Security credentials - https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html
- AWS STS API Reference: AssumeRole - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
- AWS Lambda Service Authorization Reference (IAM actions such as lambda:InvokeFunction) - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html
- AWS Lambda Developer Guide - https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
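
Added example (not part of the Swimlane guide or AWS documentation): the trust policy and permissions policy from the role-creation steps built as least-privilege documents, with a lint for over-broad statements and a simplified matcher showing the qualifier case from the AccessDeniedException troubleshooting item. The account ID, user name and function name are constructed placeholders, and the matcher models Allow statements only.

```python
from fnmatch import fnmatchcase

# Constructed placeholders (assumptions, not values from the guide).
ACCOUNT = "111122223333"
CALLER_ARN = f"arn:aws:iam::{ACCOUNT}:user/swimlane-connector"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:example-fn"

def trust_policy(caller_arn):
    """Trust policy: only the named IAM principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": caller_arn},
        "Action": "sts:AssumeRole"}]}

def invoke_policy(function_arns):
    """Permissions policy: invoke only the listed function ARNs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        "Resource": list(function_arns)}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint(trust, perms):
    """Return findings for over-broad trust or permissions statements."""
    findings = []
    for st in trust["Statement"]:
        p = st.get("Principal", {})
        aws = [p] if isinstance(p, str) else _as_list(p.get("AWS", []))
        if "*" in aws:
            findings.append("trust policy lets any AWS principal assume the role")
    for st in perms["Statement"]:
        if any(a in ("*", "lambda:*") for a in _as_list(st["Action"])):
            findings.append("permissions policy grants more than lambda:InvokeFunction")
        if "*" in _as_list(st["Resource"]):
            findings.append("permissions policy is not scoped to function ARNs")
    return findings

def allows_invoke(perms, target_arn):
    """Simplified match of Allow statements only (no Deny, conditions or
    resource policies). An unqualified ARN does not cover :version/:alias."""
    for st in perms["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if "lambda:InvokeFunction" not in _as_list(st["Action"]):
            continue
        if any(fnmatchcase(target_arn, r) for r in _as_list(st["Resource"])):
            return True
    return False
```

If the connector invokes an alias or version, list the qualified ARN (or the function ARN followed by `:*`) in the policy alongside the unqualified one.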