AWS EventBridge Scheduler: Resolving the "Target Needs RoleArn" Error in CloudFormation
Problem: You're setting up an AWS EventBridge Scheduler to trigger a Lambda function in CloudFormation, but you get the error "Target needs RoleArn" even though you've granted permissions directly to the Lambda function.
Rephrased: You're trying to automate a scheduled task using EventBridge, but it's throwing an error even though you've explicitly given your Lambda function the required permissions.
Scenario & Code:
Let's say you have a Lambda function named my-scheduled-function and you want it to run every day at 10:00 AM. You've added the necessary permissions to the Lambda function's execution role to allow EventBridge to invoke it. However, when you define the EventBridge Scheduler in your CloudFormation template, you receive the "Target needs RoleArn" error.
Here's a snippet of a CloudFormation template demonstrating this issue:
```yaml
Resources:
  MyScheduledFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs18.x
      CodeUri: s3://my-bucket/my-function.zip
      Policies:
        - AWSLambdaBasicExecutionRole
      Permissions:
        - EventBridgeInvoke
  MyScheduler:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: 'cron(0 10 * * ? *)'
      Targets:
        - Id: 'MyLambdaTarget'
          Arn: !GetAtt MyScheduledFunction.Arn
          # This line is causing the error: RoleArn must be an IAM role ARN, not the function ARN
          RoleArn: !GetAtt MyScheduledFunction.Arn
```
Analysis:
The error arises because EventBridge Scheduler, unlike regular EventBridge rules, doesn't directly invoke targets based on permissions. It requires a specific EventBridge scheduler role to be assigned to the target resource. This role acts as an intermediary, authorizing the EventBridge scheduler to trigger the target.
Solution:
- Create an EventBridge Scheduler Role: This role will be granted permissions to invoke the Lambda function. You can define this role in your CloudFormation template:

```yaml
Resources:
  MySchedulerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: EventBridgeSchedulerInvokeLambda
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !GetAtt MyScheduledFunction.Arn
```

- Assign the Role to the Target: Now, associate this newly created role with your Lambda function in the EventBridge Scheduler resource:

```yaml
Resources:
  MyScheduler:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: 'cron(0 10 * * ? *)'
      Targets:
        - Id: 'MyLambdaTarget'
          Arn: !GetAtt MyScheduledFunction.Arn
          RoleArn: !GetAtt MySchedulerRole.Arn
```
Explanation:
By creating a dedicated EventBridge Scheduler role and attaching it as the RoleArn of the target within the Scheduler definition, you explicitly grant the EventBridge service the permission it needs to invoke your Lambda function. This eliminates the "Target needs RoleArn" error.
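As an added example that is not part of the original article: the same daily schedule written against the AWS::Scheduler::Schedule resource type, which is what the EventBridge Scheduler service itself provisions; its trust principal is scheduler.amazonaws.com, whereas the AWS::Events::Rule used above is a classic EventBridge rule trusted by events.amazonaws.com. It assumes the MyScheduledFunction resource from the article; the resource name MyDailySchedule and the schedule name are assumptions.

```yaml
Resources:
  # Execution role EventBridge Scheduler assumes at run time. The trust policy names
  # the Scheduler service principal (not events.amazonaws.com) and pins callers to
  # schedules in this account: the confused-deputy guard AWS documents for Scheduler.
  MySchedulerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: scheduler.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub 'arn:${AWS::Partition}:scheduler:${AWS::Region}:${AWS::AccountId}:schedule/default/*'
      Policies:
        - PolicyName: InvokeMyScheduledFunction
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Least privilege: one action on one function ARN, no wildcards.
              - Effect: Allow
                Action: lambda:InvokeFunction
                Resource: !GetAtt MyScheduledFunction.Arn

  # The Scheduler resource itself (assumed name). RoleArn must be an IAM role ARN,
  # never the target's own ARN, which is what triggered the error in the article.
  MyDailySchedule:
    Type: AWS::Scheduler::Schedule
    Properties:
      Name: my-scheduled-function-daily
      ScheduleExpression: 'cron(0 10 * * ? *)'
      ScheduleExpressionTimezone: UTC
      FlexibleTimeWindow:
        Mode: 'OFF'   # required property; quoted so YAML does not read it as false
      State: ENABLED
      Target:
        Arn: !GetAtt MyScheduledFunction.Arn
        RoleArn: !GetAtt MySchedulerRole.Arn
        Input: '{"source": "daily-schedule"}'   # optional static event payload
```

The two trust-policy conditions restrict which schedules may assume the role, so a schedule created in another account cannot borrow it to invoke the function.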
Additional Value:
- Security Best Practices: A dedicated role per EventBridge Scheduler target enforces the principle of least privilege: the policy above allows only lambda:InvokeFunction on the one function ARN, rather than reusing a broader execution role.
- Simplified Management: This approach allows you to manage permissions for EventBridge Scheduler targets separately from the target's own execution role.
- Enhanced Control: You can use different roles for different EventBridge Scheduler targets, granting granular control over which services can trigger your resources.
Conclusion:
Understanding the role of EventBridge Scheduler roles is crucial for successfully configuring scheduled events in CloudFormation. By following the steps outlined above, you can ensure your targets are properly authorized and prevent the "Target needs RoleArn" error.