Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(aws-lambda): support PrincipalOrgId on lambda permissions to allow function access to an AWS organization #19538

Closed
yashaslokesh opened this issue Mar 24, 2022 · 4 comments · Fixed by #19975
Assignees
Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1

Comments

@yashaslokesh
Copy link

yashaslokesh commented Mar 24, 2022

What is the problem?

The .addPermission() and .grantInvoke() functions do not allow adding an AWS Organizations ID for resource-based policies. This is a feature in the AWS CLI, as seen here in the docs. I get an error when I try to add an organizations ID as a condition.

Reproduction Steps

Let orgFunction be any Function, then

const permission = new iam.AnyPrincipal()
    .withConditions({
        StringEquals: {
            'aws:PrincipalOrgID': config.organizations.orgId[props.stage]
        }
    });

orgFunction.grantInvoke(permission);

What did you expect to happen?

Expected the CDK synthesis to be successful

What actually happened?

Error: PrincipalWithConditions had unsupported conditions for Lambda permission statement: [{"operator":"StringEquals","key":"aws:PrincipalOrgID"}]. Supported operator/condition pairs: [{"operator":"ArnLike","key":"aws:SourceArn"},{"operator":"StringEquals","key":"aws:SourceAccount"}]

CDK CLI Version

Don't use the CDK CLI

Framework Version

1.149.0

Node.js Version

14.x

OS

Amazon Linux 2 x86_64

Language

Typescript

Language Version

Typescript (3.9.10)

Other information

grantInvoke calls addPermission which calls parsePermissionPrincipal and parseConditions.

parsePermissionsPrincipal should allow an
OrganizationPrincipal and parseConditions should allow the principal condition { operator: 'StringEquals', key: 'aws:PrincipalOrgID' } to conform to the AddPermission functionality presented here, linked earlier.

@yashaslokesh yashaslokesh added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 24, 2022
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Mar 24, 2022
@ryparker ryparker added the p1 label Mar 25, 2022
@rix0rrr
Copy link
Contributor

rix0rrr commented Mar 30, 2022

Unfortunately the permissions we can express for Lambda functions are limited to the properties available on AWS::Lambda::Permission: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

Do you know how to express this condition in those properties? If not, this is probably not supported by Lambda.

@rix0rrr rix0rrr added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 30, 2022
@yashaslokesh
Copy link
Author

That's strange, the article you linked even links to the page mentioning the AWS Organizations condition and this announcement says the organization ID can be passed to CloudFormation: https://aws.amazon.com/about-aws/whats-new/2022/03/aws-lambda-principalorgid-resource-policies/

This announcement is only from March 11th, though, so maybe it's possible that the documentation for AWS::Lambda::Permission hasn't been updated, yet. The CLI docs have been updated. This issue can't move forward until CFN updates their documentation, then

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 31, 2022
@kaizencc
Copy link
Contributor

kaizencc commented Apr 4, 2022

Looks like there is a PrincipalOrgId property in the docs now, which makes me think this is doable.

@kaizencc kaizencc added feature-request A feature should be added or improved. effort/small Small work item – less than a day of effort and removed bug This issue is a bug. labels Apr 4, 2022
@kaizencc kaizencc changed the title (aws-lambda): addPermission should allow adding an AWS organization condition (aws-lambda): support PrincipalOrgId on lambda permissions to allow function access to an AWS organization Apr 4, 2022
@kaizencc kaizencc removed the needs-triage This issue or PR still needs to be triaged. label Apr 4, 2022
@mergify mergify bot closed this as completed in #19975 Jun 28, 2022
mergify bot pushed a commit that referenced this issue Jun 28, 2022
Closes #19538, also fixes #20146. I combined them because they touch the same surface area and it would be too hairy to separate them out.

See [lambda docs](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xorginvoke) for this feature.

Introduces functionality to grant permissions to an organization in the following ways:

```ts
declare const  fn = new lambda.Function;

// grant to an organization
fn.grantInvoke(iam.OrganizationPrincipal('o-xxxxxxxxxx');

// grant to an account in an organization
fn.grantInvoke(iam.AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx'));
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
…19975)

Closes aws#19538, also fixes aws#20146. I combined them because they touch the same surface area and it would be too hairy to separate them out.

See [lambda docs](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xorginvoke) for this feature.

Introduces functionality to grant permissions to an organization in the following ways:

```ts
declare const  fn = new lambda.Function;

// grant to an organization
fn.grantInvoke(iam.OrganizationPrincipal('o-xxxxxxxxxx');

// grant to an account in an organization
fn.grantInvoke(iam.AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx'));
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants