aws batch: submit job using lambda

2

8

Context: AWS, S3, Lambda, Batch.

I have a lambda that is triggered when a file is uploaded to an S3 bucket. I want the lambda to submit a Batch job.

(edit: Between S3 and Lambda everything works fine. The problem is between Lambda and Batch.)

Q: What is the role I have to give to the lambda in order to be able to submit the batch job?

My lambda gets an AccessDeniedException and fails to submit the job when:

const params = {
  jobDefinition: BATCH_JOB_DEFINITION,
  jobName: BATCH_JOB_NAME,
  jobQueue: BATCH_JOB_QUEUE,
};

Batch.submitJob(params).promise().then(/* ... */);
Andresandresen answered 16/11, 2017 at 13:34 Comment(0)
17

It seems that this was the role I was looking for: batch:SubmitJob. Using this role, the lambda was able to submit the job.

iamRoleStatements:
  - Effect: Allow
    Action:
      - batch:SubmitJob
    Resource: "arn:aws:batch:*:*:*"
Andresandresen answered 16/11, 2017 at 14:2 Comment(3)
Hi Costin. How did you figure out how to do this? Specifically, how did you realize the action you needed was SubmitJob? And how did you know the resource had to be arn:aws:batch:*:*:*? I see the resource has the same pattern as some other examples I found online (e.g. n2ws.com/blog/aws-automation/lambda-function-s3-event-triggers). But what is the difference between arn:aws:batch:*:*:* and batch:*? Gurney
I do not remember where I've seen it, but I think there was a lucky guess from the AWS Batch - Actions page. The arn:aws:batch:*:*:* follows the ARN syntax. Once you understand how it is built you'll be able to target any AWS resource, with closed eyes :) Andresandresen
It might be good to restrict the resources available (e.g. don't want your testing lambda to deploy to a batch instance in production) Hydrobomb
4

You can create a policy like the AWS Batch managed policy.

The following policy allows admin access; you can modify it as per your needs:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "batch:*",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ecs:DescribeClusters",
                "ecs:Describe*",
                "ecs:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "iam:ListInstanceProfiles",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": [
                "arn:aws:iam::*:role/AWSBatchServiceRole",
                "arn:aws:iam::*:role/ecsInstanceRole",
                "arn:aws:iam::*:role/iaws-ec2-spot-fleet-role",
                "arn:aws:iam::*:role/aws-ec2-spot-fleet-role",
                "arn:aws:iam::*:role/AWSBatchJobRole*"
            ]
        }
    ]
}

Attach the policy to the lambda and try it again. Refer to the AWS documentation.

Fishwife answered 16/11, 2017 at 13:51 Comment(3)
Thanks Kush. There is no problem between S3 and Lambda. The problem is that Lambda can not launch the Batch (job). Andresandresen
Sorry Kush, but this is not the answer. These are the roles for the Batch. What I was looking for is the role for the Lambda. The role which enables submitJob() from within a lambda. Thanks. Andresandresen
But it can be achieved in that way also; refer to the AWS documentation. Fishwife
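
Following up on the comment about restricting resources, an added example (not code from any of the posters): a JavaScript check that flags policy statements granting batch:SubmitJob through a wildcard action or on resources not pinned to a specific job queue or job definition. The account ID, region, and queue and job-definition names are constructed placeholders, and the second answer's policy is abbreviated.

```javascript
// Added example: flag IAM statements that allow batch:SubmitJob too broadly.
// Account ID, region, queue and job-definition names are constructed placeholders.

// IAM action patterns are case-insensitive and support * and ? wildcards.
function globMatch(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`, "i").test(value);
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// "Scoped" = a job queue or job definition in one specific region and account
// (the name part may still end in a wildcard, e.g. any revision).
function isScoped(arn) {
  return /^arn:aws:batch:[a-z0-9-]+:\d{12}:(job-queue|job-definition)\/[^*]/.test(arn);
}

// Returns one finding per Allow statement that grants SubmitJob via a wildcard
// action ("wide") or on resources that are not scoped ("broad").
function auditSubmitJob(policy) {
  const findings = [];
  for (const [i, st] of asArray(policy.Statement).entries()) {
    if (st.Effect !== "Allow") continue;
    const grants = asArray(st.Action || []).filter((a) => globMatch(a, "batch:SubmitJob"));
    if (grants.length === 0) continue;
    const wide = grants.filter((a) => a.toLowerCase() !== "batch:submitjob");
    const broad = asArray(st.Resource || []).filter((r) => !isScoped(r));
    if (wide.length || broad.length) findings.push({ statement: i, wide, broad });
  }
  return findings;
}

// First answer's statement, written as a policy document.
const firstAnswer = { Statement: [
  { Effect: "Allow", Action: ["batch:SubmitJob"], Resource: "arn:aws:batch:*:*:*" } ] };
// Second answer's policy, abbreviated to a few of its actions.
const secondAnswer = { Statement: [
  { Effect: "Allow", Action: ["batch:*", "ecs:Describe*", "iam:ListRoles"], Resource: "*" },
  { Effect: "Allow", Action: ["iam:PassRole"], Resource: ["arn:aws:iam::*:role/AWSBatchJobRole*"] } ] };
// Constructed scoped policy: one test queue and one job definition (any revision).
const scoped = { Statement: [{ Effect: "Allow", Action: "batch:SubmitJob", Resource: [
  "arn:aws:batch:us-east-1:111122223333:job-queue/test-queue",
  "arn:aws:batch:us-east-1:111122223333:job-definition/test-job:*" ] }] };

for (const [name, p] of Object.entries({ firstAnswer, secondAnswer, scoped })) {
  console.log(name, JSON.stringify(auditSubmitJob(p)));
}
```

Both policies from the answers are flagged, while the scoped policy produces no findings because its resources name one queue and one job definition in a single account and region.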
