

fix(lambda): add execution permissions to provided IAM roles
flemjame-at-amazon committed May 17, 2020
1 parent 0cbc6e1 commit 89d722c
Showing 7 changed files with 102 additions and 1 deletion.
Expand Up @@ -683,6 +683,18 @@
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
Expand Up @@ -683,6 +683,18 @@
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
Expand Up @@ -547,6 +547,30 @@
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
Expand Up @@ -547,6 +547,18 @@
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
},
{
"Fn::Join": [
"",
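--- a/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-spot.expected.json
+++ b/packages/@aws-cdk/aws-eks-legacy/test/integ.eks-spot.expected.json
@@ -521,6 +521,18 @@
 "Version": "2012-10-17"
 },
 "ManagedPolicyArns": [
+{
+"Fn::Join": [
+"",
+[
+"arn:",
+{
+"Ref": "AWS::Partition"
+},
+":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+]
+]
+},
 {
 "Fn::Join": [
 "",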
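--- a/packages/@aws-cdk/aws-lambda/lib/function.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/function.ts
@@ -477,8 +477,10 @@ export class Function extends FunctionBase {
 
 this.role = props.role || new iam.Role(this, 'ServiceRole', {
 assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
-managedPolicies,
 });
+for (const policy of managedPolicies) {
+this.role.addManagedPolicy(policy);
+}
 this.grantPrincipal = this.role;
 
 for (const statement of (props.initialPolicy || [])) {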
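Review bot: The loop added after the `Role` construction now mutates a role the caller owns, and neither outcome of that is documented in the hunk: a role obtained from `iam.Role.fromRoleArn` is an `IRole` whose `addManagedPolicy` has, as far as I recall of this codebase, been a no-op, so a function given such a role still silently lacks log (and, with a VPC, ENI) permissions; and a caller-constructed `Role` is widened with `AWSLambdaBasicExecutionRole` even when the caller scoped it deliberately. I would add above the loop: `// Execution policies are attached to a caller-provided role too; an imported IRole may ignore addManagedPolicy, in which case the function keeps lacking log/VPC permissions.` and state the same in the TSDoc of the `role` prop, which lies outside this hunk. The enclosing constructor starts and ends outside the hunk, and `managedPolicies` is assembled above it.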
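--- a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
@@ -61,6 +61,33 @@ export = {
 test.done();
 },
 
+'default function with provided role gets execution permissions'(test: Test) {
+const stack = new cdk.Stack();
+
+const myRole = new iam.Role(stack, 'MyRole', {
+assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+});
+
+const myVpc = new ec2.Vpc(stack, 'MyVpc', {});
+
+new lambda.Function(stack, 'MyLambda', {
+code: new lambda.InlineCode('foo'),
+handler: 'index.handler',
+runtime: lambda.Runtime.NODEJS_10_X,
+role: myRole,
+vpc: myVpc,
+});
+
+expect(stack).to(haveResource('AWS::IAM::Role', {
+'ManagedPolicyArns': [
+// tslint:disable-next-line:max-line-length
+{ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']] },
+// tslint:disable-next-line:max-line-length
+{ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole']] },
+],
+}));
+test.done();
+},
 'adds policy permissions'(test: Test) {
 const stack = new cdk.Stack();
 new lambda.Function(stack, 'MyLambda', {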
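Review bot: The new test only asserts that some `AWS::IAM::Role` in the stack carries the two execution policies; it does not show that they landed on the provided `MyRole` rather than on a freshly created `ServiceRole`, which is the regression the commit is about. Adding `expect(stack).to(countResources('AWS::IAM::Role', 1));` (from `@aws-cdk/assert`, if the file does not already import it) before the `haveResource` check, or asserting that the function's `Role` property references `MyRole`, would pin that. The case the title describes, a provided role without a VPC, is also not covered; a sibling variant without `vpc` asserting only `AWSLambdaBasicExecutionRole` would exercise it.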

0 comments on commit 89d722c
