
support lambda actions for IoT topic rules


Very similar to #555

There does not appear to be an automatic way to add permissions (the “Function Policy”) to the Lambda which is invoked from an IoT Topic Rule.

I obviously was not expecting the below to work since there is no explicit link between the IoT rule and the Lambda (since IoT does not appear to be supported by lambda-event-sources)

  • The IoT rule is created with Lambda as its target
  • The Lambda is created with no trigger (nothing visible on the console)
  • No Function Policy exists on the Lambda

Upon “editing” the IoT rule through the console, AWS helpfully says “we’ll handle the Lambda permissions for you”. It would be nice if this happened through the CDK.

Reproduction Steps

import * as lambda from '@aws-cdk/aws-lambda';
import * as iot from '@aws-cdk/aws-iot';

// L1 CDK exposes the CloudFormation property type as a nested interface of CfnTopicRule
type LambdaActionProperty = iot.CfnTopicRule.LambdaActionProperty;

// The Lambda that the IoT rule should invoke (no trigger is attached to it here)
const motaAckLambda = new lambda.Function(this, 'MotaGwAck', {
    code: lambda.Code.fromAsset('apps/stacks/hw-mgmt/fota/dist/'),
    handler: 'fotaAck.handler',
    runtime: lambda.Runtime.NODEJS_10_X,
});

// Rule action pointing at the function by ARN only; this does not grant IoT any invoke permission
const lambdaIotAction: LambdaActionProperty = {
    functionArn: motaAckLambda.functionArn,
};

const iotFwdRule = new iot.CfnTopicRule(this, 'IotLambFwdRule', {
    topicRulePayload: {
        actions: [
            {
                lambda: lambdaIotAction,
            },
        ],
        ruleDisabled: false,
        sql: `SELECT something FROM 'somewhere'`,
        awsIotSqlVersion: '2016-03-23',
    },
});

Error Log

The IoT rule does NOT trigger the Lambda and, in fact, I don’t think the rule triggers at all (no error is logged in the verbose IoT logs in CloudWatch).


  • CLI Version: 1.18.0
  • Framework Version: 1.18.0
  • OS: Mac
  • Language: TypeScript


Removing the policy

  • Whilst experimenting with this (to reproduce), if you need to remove the policy (you cannot do it through the console):
➜  ~ aws lambda get-policy --function-name functionArn
# Get the statement SID from here
➜  ~ aws lambda remove-permission --function-name functionArn --statement-id retrievedAbove

Current approach

My current approach (which I can confirm does work):

Everything as above and append:

import { ServicePrincipal } from '@aws-cdk/aws-iam';

// Adds a resource-based (“Function Policy”) statement letting the IoT service invoke the function,
// scoped to this one topic rule via sourceArn
motaAckLambda.addPermission('AllowIoTInvoke', {
    principal: new ServicePrincipal('iot.amazonaws.com'),  // the AWS IoT service principal
    sourceArn: iotFwdRule.attrArn,
});

It’s unclear if this is the suggested fix (because IoT has notoriously never had a huge amount of documentation), but it’s working. Still, it would be nice if IoT worked in the same way as almost every other Lambda event trigger.
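The workaround above adds a statement to the function's resource-based policy; the earlier `aws lambda get-policy` / `remove-permission` commands are how that policy is inspected and cleaned up. The script below is an added example, not code from the issue or from the aws-cdk project: it parses a `get-policy` response, flags IoT invoke statements that are not pinned to a specific topic rule ARN (a statement without an `aws:SourceArn` condition lets any IoT rule in any account invoke the function), and builds the `AddPermission` input that the `addPermission('AllowIoTInvoke', ...)` call corresponds to, with `SourceAccount` added as an extra guard. All ARNs, the account id and the sample policy are constructed placeholders.

```typescript
// Added audit example (not from the issue): check a Lambda "Function Policy" for
// IoT invoke grants that are too broad, and build the equivalent AddPermission input.
// Every ARN, Sid and account id here is a constructed placeholder.

interface PolicyStatement {
  Sid?: string;
  Effect: string;
  Principal: string | { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface ResourcePolicy {
  Version: string;
  Statement: PolicyStatement[];
}

interface Finding {
  sid: string;
  severity: 'ok' | 'warn';
  reason: string;
}

const EXPECTED_RULE_ARN = 'arn:aws:iot:us-east-1:111122223333:rule/IotLambFwdRule'; // constructed

function asArray(v: string | string[] | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// `aws lambda get-policy` returns JSON whose "Policy" field is itself a JSON document encoded as a string.
function parseGetPolicyOutput(raw: string): ResourcePolicy {
  const outer = JSON.parse(raw) as { Policy: string };
  return JSON.parse(outer.Policy) as ResourcePolicy;
}

// True when the statement allows the IoT service principal to invoke the function.
function grantsIotInvoke(st: PolicyStatement): boolean {
  if (st.Effect !== 'Allow') return false;
  const services = typeof st.Principal === 'string' ? [] : asArray(st.Principal.Service);
  const actions = asArray(st.Action);
  return services.includes('iot.amazonaws.com') &&
    actions.some((a) => a === 'lambda:InvokeFunction' || a === 'lambda:*');
}

// Flag IoT invoke grants that carry no aws:SourceArn condition, or one that names a different rule.
function auditIotInvokeStatements(policy: ResourcePolicy, expectedRuleArn?: string): Finding[] {
  const findings: Finding[] = [];
  for (const st of policy.Statement) {
    if (!grantsIotInvoke(st)) continue;
    const sid = st.Sid ?? '<no-sid>';
    const cond = st.Condition ?? {};
    const sourceArns = [
      ...asArray(cond.ArnLike?.['aws:SourceArn']),
      ...asArray(cond.ArnEquals?.['aws:SourceArn']),
    ];
    if (sourceArns.length === 0) {
      findings.push({ sid, severity: 'warn', reason: 'no aws:SourceArn condition: any IoT rule in any account may invoke this function' });
    } else if (expectedRuleArn !== undefined && !sourceArns.includes(expectedRuleArn)) {
      findings.push({ sid, severity: 'warn', reason: `scoped to ${sourceArns.join(', ')} rather than ${expectedRuleArn}` });
    } else {
      findings.push({ sid, severity: 'ok', reason: `invoke limited to rule ${sourceArns.join(', ')}` });
    }
  }
  return findings;
}

// The Lambda AddPermission input that corresponds to the CDK addPermission() workaround,
// plus SourceAccount so a rule ARN from another account can never match.
function buildIotInvokePermission(functionName: string, ruleArn: string, accountId: string) {
  return {
    FunctionName: functionName,
    StatementId: 'AllowIoTInvoke',
    Action: 'lambda:InvokeFunction',
    Principal: 'iot.amazonaws.com',
    SourceArn: ruleArn,
    SourceAccount: accountId,
  };
}

// Constructed get-policy output: one over-broad IoT grant, one scoped grant, one unrelated EventBridge grant.
const SAMPLE_GET_POLICY = JSON.stringify({
  Policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      { Sid: 'console-added', Effect: 'Allow', Principal: { Service: 'iot.amazonaws.com' },
        Action: 'lambda:InvokeFunction', Resource: 'arn:aws:lambda:us-east-1:111122223333:function:MotaGwAck' },
      { Sid: 'AllowIoTInvoke', Effect: 'Allow', Principal: { Service: 'iot.amazonaws.com' },
        Action: 'lambda:InvokeFunction', Resource: 'arn:aws:lambda:us-east-1:111122223333:function:MotaGwAck',
        Condition: { ArnLike: { 'aws:SourceArn': EXPECTED_RULE_ARN } } },
      { Sid: 'events', Effect: 'Allow', Principal: { Service: 'events.amazonaws.com' },
        Action: 'lambda:InvokeFunction', Resource: 'arn:aws:lambda:us-east-1:111122223333:function:MotaGwAck' },
    ],
  }),
  RevisionId: 'constructed-revision-id',
});

for (const f of auditIotInvokeStatements(parseGetPolicyOutput(SAMPLE_GET_POLICY), EXPECTED_RULE_ARN)) {
  console.log(`${f.severity.toUpperCase()} ${f.sid}: ${f.reason}`);
}
```

Feed the script the real output of `aws lambda get-policy --function-name <name>` in place of the constructed sample; the statement a console edit adds and the one the CDK workaround adds both show up as IoT grants, and only the one carrying an `aws:SourceArn` for your rule passes as `ok`.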

This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 12
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

nija-at commented, Jan 3, 2020

As you’ve noted, using Lambda’s addPermission() method is the best workaround.

This issue is not a bug, but a feature gap. Ideally, we would have a way to configure a lambda function, dynamo table or SNS topic directly into an IoT rule as an action.

Unfortunately, we don’t yet have full support of IoT in the CDK, and only support Cfn* constructs. Any required permissions would be correctly modeled and granted when we have full support.

If this was built out, it would be modeled as a secondary module of IoT, named something like @aws-cdk/aws-iot-actions, and the code would look something like:

const fn = new lambda.Function(this, 'myfunction',  { ... });
const rule = new iot.Rule(this, 'myrule', { ... });
rule.addAction(new LambdaAction({
  handler: fn,
}));

The addAction() and the LambdaAction classes in conjunction would take care of assigning the right permission.

@shivlaks - does this seem reasonable to you? Would you consider this a gap with the IoT construct library support?

yamatatsu commented, Nov 9, 2021
