-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws-lambda: Function.grantInvoke() not applying permissions for older versions of lambda function #32455
Comments
sample project based on cdk init |
Hey @michaellasmanis, There definitely is a difference between granting invoke to a role vs a service. The former is applied directly to the function's policy document, and the latter is applied via a // GIVEN
const stack = new cdk.Stack();
const role = new iam.Role(stack, 'Role', {
assumedBy: new iam.AccountPrincipal('1234'),
});
const service = new iam.ServicePrincipal('apigateway.amazonaws.com');
const fn = new lambda.Function(stack, 'Function', {
code: lambda.Code.fromInline('xxx'),
handler: 'index.handler',
runtime: lambda.Runtime.NODEJS_LATEST,
});
// WHEN
fn.grantInvoke(role);
fn.grantInvoke(service);
// THEN
expect(fn.resourceArnsForGrantInvoke).toEqual([fn.functionArn, `${fn.functionArn}:*`]);
Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
PolicyDocument: {
Version: '2012-10-17',
Statement: [
{
Action: 'lambda:InvokeFunction',
Effect: 'Allow',
Resource: [
{ 'Fn::GetAtt': ['Function76856677', 'Arn'] },
{ 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':*']] },
],
},
],
},
});
// There is only a single Permission resource
Template.fromStack(stack).resourceCountIs('AWS::Lambda::Permission', 1);
Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
Action: 'lambda:InvokeFunction',
FunctionName: { 'Fn::GetAtt': ['Function76856677', 'Arn'] },
Principal: 'apigateway.amazonaws.com',
}); It seems like you should be able to qualify |
Thanks for the clarification, that makes sense. However, there is then definitely a documentation error at least in the javadocs:
The example code from the javadocs is basically what I copied and pasted into my test case. Basically, I'm trying to work around issue #28412. I'll check out CfnPermission.FunctionName to see if it can work for me. Any other suggestions are highly appreciated. |
I think there's an issue with the current implementation of the internal const fn = new lambda.Function(stack, 'Function', {
code: lambda.Code.fromInline('xxx'),
handler: 'index.handler',
runtime: lambda.Runtime.NODEJS_LATEST,
});
const service = new iam.ServicePrincipal('apigateway.amazonaws.com');
fn.grantInvoke(service);
fn.grantInvokeLatestVersion(service);
fn.grantInvokeVersion(service, fn.latestVersion); All 3 grants generate effectively the same policy: [
"FunctionInvokeFcyXBRX02EWa52GlFECQiCzDt0fdRUDi4mo4foC5aU730270F4": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"Function76856677",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com"
}
},
"FunctionInvokeKTHGXOMcvOrpWFkuCdKIjgLLIicmjeE3TRCaRos63A32ADB": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"Function76856677",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com"
}
},
"FunctionCurrentVersion4E2B2261ecf75ed18d6b6a0a5635c08929baf432": {
"Type": "AWS::Lambda::Version",
"Properties": {
"FunctionName": {
"Ref": "Function76856677"
}
}
},
"FunctionInvokewPiaqpkwMJl8Ed9zUwcfGrfRum0xC0KM1xqhfffIXlo2E3F6599": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"Function76856677",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com"
}
}
}
] |
I agree, I would expect fn.grantInvokeVersion(service, fn.latestVersion) to create a qualified permission. I just tested with an explicitly created version and it had the same effect (ie, all 3 permissions the same):
yielded:
also fn.grantInvokeVersion(service, fn.currentVersion)(should reference version qualified arn) behaves the same as fn.grantInvokeVersion(service, fn.latestVersion)(should reference $LATEST arn) which seems to not agree with the docs here:
|
I did a little more digging, and it seems the issue arises here: aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts Lines 575 to 584 in 59e96a3
The IAM aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts Lines 373 to 382 in 59e96a3
I imagine we might run into some issues if we attempt to generate multiple |
After looking at CfnPermission.FunctionName more closely, I agree. The validation rule for it will only accept a single ARN that is either unqualified or fully qualified (ie version or alias) but not a wildcard. So without explicitly creating a ChnPermission for each existing version/alias, I don't think there is any way to resolve my original issue. However, I do think that the following two items should be addressed:
Michael |
@michaellasmanis , thanks for reporting this issue and your analysis reg the code execution. I agree with @michaellasmanis that the corresponding documentation should clarify or be updated with the actual behavior- https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_lambda-readme.html#grant-function-access-to-aws-services in all supported languages(Typescript/java/python etc.) EDIT: As a workaround is mentioned (here), marking this as P2 which means it would not be immediately looked upon by the team but would be on their radar. Thanks. |
Describe the bug
when using Function.grantInvoke(), permission for function:Invoke is applied to the unqualified function arn but not to any of the older versions.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
Per the documentation here: https://docs.aws.amazon.com/cdk/api/v2/java/software/amazon/awscdk/services/lambda/package-summary.html#resource-based-policies-heading
and the GitHub PR here: #19318
I would expect that both the unqualified [FunctionArn] and [Function.Arn].* to have the permissions applied.
Current Behavior
Invoke permission only seem to be applied to the unqualified function arn.
cdk synth produces the following snippet:
which just enabled the unqualified ARN
Reproduction Steps
if you have a stack containing such:
you will notice after the second (or subsequent) deploy that the permissions from the non-$LATEST versions are removed as part of the cdk deploy.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.172.0
Framework Version
bootstrap version 25
Node.js Version
v23.3.0
OS
macOS
Language
Java
Language Version
java 17
Other information
No response
The text was updated successfully, but these errors were encountered: