(aws-lambda): support PrincipalOrgId on lambda permissions to allow function access to an AWS organization #19538
### What is the problem?

The `.addPermission()` and `.grantInvoke()` functions do not allow adding an AWS Organizations ID for resource-based policies. This is a feature in the AWS CLI, as seen here in the docs. I get an error when I try to add an organizations ID as a condition.

### Reproduction Steps

Let `orgFunction` be any `Function`, then

### What did you expect to happen?

Expected the CDK synthesis to be successful.

### What actually happened?

* CDK CLI Version: Don't use the CDK CLI
* Framework Version: 1.149.0
* Node.js Version: 14.x
* OS: Amazon Linux 2 x86_64
* Language: Typescript
* Language Version: Typescript (3.9.10)

### Other information

`grantInvoke` calls `addPermission`, which calls `parsePermissionPrincipal` and `parseConditions`. `parsePermissionPrincipal` should allow an `OrganizationPrincipal`, and `parseConditions` should allow the principal condition `{ operator: 'StringEquals', key: 'aws:PrincipalOrgID' }` to conform to the `AddPermission` functionality presented here, linked earlier.

Comments

Unfortunately the permissions we can express for Lambda functions are limited to the properties available on Do you know how to express this condition in those properties? If not, this is probably not supported by Lambda.

That's strange, the article you linked even links to the page mentioning the AWS Organizations condition, and this announcement says the organization ID can be passed to CloudFormation: https://aws.amazon.com/about-aws/whats-new/2022/03/aws-lambda-principalorgid-resource-policies/ This announcement is only from March 11th, though, so maybe it's possible that the documentation for

Looks like there is a

Pull request: PrincipalOrgId on lambda permissions to allow function access to an AWS organization

Closes #19538, also fixes #20146. I combined them because they touch the same surface area and it would be too hairy to separate them out. See [lambda docs](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xorginvoke) for this feature.

Introduces functionality to grant permissions to an organization in the following ways:

```ts
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';

declare const fn: lambda.Function;

// grant to an organization
fn.grantInvoke(new iam.OrganizationPrincipal('o-xxxxxxxxxx'));

// grant to an account in an organization
fn.grantInvoke(new iam.AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx'));
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*