Unable to invoke Lambda function


I have created an AWS Transfer Family SFTP server which is using a Lambda function for authentication. When I try to log in to the SFTP, I am getting the following error:

    "method": "password",
    "activity-type": "AUTH_FAILURE",
    "source-ip": "172.105.39.41",
    "resource-arn": "arn:aws:transfer:us-east-2:123456789012:server/s-123456",
    "message": "Unable to invoke Lambda function: arn:aws:lambda:us-east-2: 123456789012:function:SFTP-Lambda",
    "user": "user"

The lambda has the following Invoke permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "transfer.amazonaws.com"
          },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:us-east-2:123456789012:function:SFTP-Lambda",
          "Condition": {
            "ArnLike": {
              "AWS:SourceArn": "arn:aws:transfer:us-east-2:123456789012:server/s-123456"
            }
          }
        }
      ]
    }

Can someone please tell me what needs to be added here so that I can use the Lambda for authentication?

I am trying to follow the following documentation, but it looks like the IAM permissions provided are not working as expected: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html


There are 2 best solutions below

0
On BEST ANSWER

You need to grant AWS Transfer Family the necessary permission to invoke your Lambda function:

To do this run:

    aws lambda add-permission --function-name SFTP-Lambda --action lambda:InvokeFunction --statement-id transfer --principal transfer.amazonaws.com --output text
0
On

Have you assigned the permission to run the lambda to the transfer service?

    aws lambda add-permission --function-name <function-name> --action lambda:InvokeFunction --statement-id transfer --principal transfer.amazonaws.com --output text
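
An added example, not part of the question or either answer: a small Python check that classifies a Lambda resource policy's grant to `transfer.amazonaws.com`, telling apart a missing statement, an `aws:SourceArn` that excludes the server, and a grant with no `aws:SourceArn` at all (the form the answers' commands produce, since they pass no `--source-arn`). The function name `check_transfer_invoke` and its verdict strings are assumptions of this example, and `fnmatchcase` only approximates IAM's `ArnLike` matching.

```python
import json
from fnmatch import fnmatchcase

# Constructed inputs: the placeholder ARNs and policy shown in the question.
FUNCTION_ARN = "arn:aws:lambda:us-east-2:123456789012:function:SFTP-Lambda"
SERVER_ARN = "arn:aws:transfer:us-east-2:123456789012:server/s-123456"
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "transfer.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {"AWS:SourceArn": SERVER_ARN}}}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _source_arns(statement):
    """aws:SourceArn patterns in a statement (condition key names are case-insensitive)."""
    found = []
    for keys in statement.get("Condition", {}).values():
        for key, value in keys.items():
            if key.lower() == "aws:sourcearn":
                found += _as_list(value)
    return found

def check_transfer_invoke(policy_json, function_arn, server_arn):
    """Classify the grant to transfer.amazonaws.com on function_arn:
    'missing'  - no Allow statement for the service principal on this function
    'mismatch' - statement exists, but its SourceArn excludes server_arn
    'scoped'   - statement exists and its SourceArn matches server_arn
    'unscoped' - statement exists with no SourceArn restriction at all"""
    outcomes = set()
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if (st.get("Effect") != "Allow" or "transfer.amazonaws.com" not in services
                or not any(fnmatchcase("lambda:invokefunction", a) for a in actions)
                or not any(fnmatchcase(function_arn, r) for r in _as_list(st.get("Resource", [])))):
            continue  # statement does not grant Transfer Family invoke on this function
        patterns = _source_arns(st)
        if not patterns:
            outcomes.add("unscoped")
        elif any(fnmatchcase(server_arn, p) for p in patterns):  # approximates ArnLike
            outcomes.add("scoped")
        else:
            outcomes.add("mismatch")
    return next((v for v in ("unscoped", "scoped", "mismatch") if v in outcomes), "missing")

if __name__ == "__main__":
    print(check_transfer_invoke(QUESTION_POLICY, FUNCTION_ARN, SERVER_ARN))
```

The policy string to feed in is the `Policy` field returned by `aws lambda get-policy --function-name <function-name>`.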