Developer Guide

Lambda Action

A lambda action calls a Lambda function, passing in the MQTT message that triggered the rule. In order for AWS IoT to call a Lambda function, you must configure a policy granting the lambda:InvokeFunction permission to AWS IoT. Lambda functions use resource-based policies, so you must attach the policy to the Lambda function itself. Use the following CLI command to attach a policy granting lambda:InvokeFunction permission:

aws lambda add-permission \
    --function-name "function_name" \
    --region "region" \
    --principal iot.amazonaws.com \
    --source-arn arn:aws:iot:us-east-2:account_id:rule/rule_name \
    --source-account "account_id" \
    --statement-id "unique_id" \
    --action "lambda:InvokeFunction"

The following are the arguments for the add-permission command:

--function-name
Name of the Lambda function whose resource policy you are updating by adding a new permission.

--region
The AWS region of your account.

--principal
The principal who is getting the permission. This should be iot.amazonaws.com to allow AWS IoT permission to call a Lambda function.

--source-arn
The ARN of the rule. You can use the get-topic-rule CLI command to get the ARN of a rule.

--source-account
The AWS account where the rule is defined.

--statement-id
A unique statement identifier.

--action
The Lambda action you want to allow in this statement. In this case, we want to allow AWS IoT to invoke a Lambda function, so we specify lambda:InvokeFunction.


If you add a permission for an AWS IoT principal without providing the source ARN, any AWS account that creates a rule with your Lambda action can trigger rules to invoke your Lambda function from AWS IoT.

For more information, see Lambda Permission Model.
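To check an existing function for the unscoped grant described above, the following added example (not part of the original guide) audits a Lambda resource policy, in the JSON shape returned by `aws lambda get-policy`, and reports each statement that lets iot.amazonaws.com invoke the function without the source ARN or source account conditions that the add-permission command sets. The sample policy, its Sids and the function name `audit_iot_invoke_permissions` are constructed for illustration.

```python
import json

IOT_PRINCIPAL = "iot.amazonaws.com"
FN = "arn:aws:lambda:us-east-2:123456789012:function:myLambdaFunction"
RULE = "arn:aws:iot:us-east-2:123456789012:rule/rule_name"

# Constructed sample policy (placeholder account id and names), shaped like the
# "Policy" document that `aws lambda get-policy` returns for a function.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "scoped-rule", "Effect": "Allow",
     "Principal": {"Service": IOT_PRINCIPAL},
     "Action": "lambda:InvokeFunction", "Resource": FN,
     "Condition": {"ArnLike": {"AWS:SourceArn": RULE},
                   "StringEquals": {"AWS:SourceAccount": "123456789012"}}},
    {"Sid": "unscoped", "Effect": "Allow", "Principal": {"Service": IOT_PRINCIPAL},
     "Action": "lambda:InvokeFunction", "Resource": FN},
    {"Sid": "account-only", "Effect": "Allow", "Principal": {"Service": IOT_PRINCIPAL},
     "Action": "lambda:InvokeFunction", "Resource": FN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_iot_invoke_permissions(policy_json):
    """Return {Sid: [missing condition keys]} for AWS IoT invoke grants lacking source scoping."""
    findings = {}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or IOT_PRINCIPAL not in services:
            continue
        if not any(a in ("lambda:invokefunction", "lambda:*", "*") for a in actions):
            continue
        # Condition keys are case-insensitive, so compare in lower case.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        missing = [k for k in ("aws:sourcearn", "aws:sourceaccount") if k not in keys]
        if missing:
            findings[stmt.get("Sid", "<no Sid>")] = missing
    return findings

if __name__ == "__main__":
    print(audit_iot_invoke_permissions(SAMPLE_POLICY))
```

A statement reported with aws:sourcearn missing is the case the warning above describes; remove it with `aws lambda remove-permission` and add it again with --source-arn.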

When creating a rule with a lambda action, you must specify the Lambda function to invoke when the rule is triggered.

The following JSON example shows a rule that calls a Lambda function:

{
    "rule": {
        "sql": "SELECT * FROM 'some/topic'",
        "ruleDisabled": false,
        "actions": [{
            "lambda": {
                "functionArn": "arn:aws:lambda:us-east-2:123456789012:function:myLambdaFunction"
            }
        }]
    }
}

For more information, see the AWS Lambda Developer Guide.