The ErrorYouâve built your EventBridge rule, linked it to a Lambda function, and waited for the trigger. Nothing happens. No logs appear in CloudWatch, and the function stays idle. If you dig into the EventBridge metrics or test the trigger via the CLI, youâll likely hit this wall:
The service principal events.amazonaws.com does not have permission to invoke the resource: arn:aws:lambda:us-east-1:123456789012:function:my-function-name
Why This HappensAWS Lambda security relies on two different types of permissions. Most developers are familiar with IAM Roles, which define what a Lambda can access. However, Resource-based Policies work in reverse. They define which external services, like EventBridge, are allowed to knock on the Lambdaâs door.
When you use the AWS Console to create a rule, AWS silently adds this permission for you. But if you use automationâlike Terraform, the CLI, or CloudFormationâthis step is often skipped. Without an explicit "allow" statement, Lambda rejects the request from EventBridge for security reasons.
How to Fix It### Method 1: Using the AWS CLI (The Quickest Fix)If you need a solution right now, the CLI is your best bet. You can manually inject the required permission statement into your function's policy. This tells AWS that the EventBridge service is a trusted caller.
Run this command in your terminal. Be sure to swap the placeholders with your actual function name and Rule ARN:
aws lambda add-permission \n --function-name MyDataProcessor \n --statement-id EventBridgeTriggerConfig \n --action 'lambda:InvokeFunction' \n --principal events.amazonaws.com \n --source-arn arn:aws:events:us-east-1:123456789012:rule/DailyCleanupRule
```- **function-name**: The name of your specific Lambda.- **statement-id**: A unique label for this rule (e.g., "AllowCronTrigger").- **principal**: This must be `events.amazonaws.com`.- **source-arn**: This limits the permission so *only* this specific rule can trigger the function, preventing other rules in your account from doing so.### Method 2: Using the AWS Management Console- Open the **AWS Lambda Console** and click on your function.- Select the **Configuration** tab, then click **Permissions** in the left sidebar.- Locate the **Resource-based policy statements** section and click **Add permissions**.- Choose **AWS Service** and select **Other**.- Fill in the details:**Statement ID**: Give it a clear name like `EventBridgeInvokePermission`.- **Principal**: Type `events.amazonaws.com`.- **Source ARN**: Paste the full ARN of your EventBridge Rule.- **Action**: Select `lambda:InvokeFunction`.- Click **Save**.### Method 3: Infrastructure as Code (Terraform)Hard-coding fixes in the console is a recipe for "configuration drift." If you manage your infrastructure with Terraform, you must include an `aws_lambda_permission` block. This ensures the permission persists through every deployment.
resource "aws_lambda_permission" "allow_eventbridge" {\n statement_id = "AllowExecutionFromEventBridge"\n action = "lambda:InvokeFunction"\n function_name = aws_lambda_function.my_lambda.function_name\n principal = "events.amazonaws.com"\n source_arn = aws_cloudwatch_event_rule.my_schedule.arn\n}
## VerificationDid it work? You can verify the current policy by running a quick inspection command:
aws lambda get-policy --function-name MyDataProcessor
Look for a JSON block where the `Effect` is `Allow` and the `Principal` matches the EventBridge service. Once confirmed, wait for the next scheduled run. You should see the **Invocations** count rise in the Monitoring tab of your Lambda function.
## Final Troubleshooting CheckStill seeing issues? Check these three common culprits:
- **Region Lock**: EventBridge rules cannot trigger Lambda functions located in a different AWS Region. Both must reside in `us-east-1`, for example.- **Rule State**: Ensure the rule status is toggled to "Enabled."- **JSON Syntax**: If your rule passes a custom JSON payload, a single missing comma will cause the invocation to fail silently.When I'm writing deployment scripts to automate these fixes, I often use [ToolCraft's Unix Permissions Calculator](https://toolcraft.app/en/tools/developer/unix-permissions). It helps me quickly set the right `chmod` values for my shell scripts without having to memorize the octal math. It's a simple, privacy-focused tool that saves a few minutes of head-scratching.

