Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(lambda): grantInvoke errors when only specifying sourceArn condition #20146

Closed
kjpgit opened this issue Apr 29, 2022 · 2 comments · Fixed by #19975
Closed

(lambda): grantInvoke errors when only specifying sourceArn condition #20146

kjpgit opened this issue Apr 29, 2022 · 2 comments · Fixed by #19975
Assignees
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@kjpgit
Copy link

kjpgit commented Apr 29, 2022

Describe the bug

This works in web console, but fails in cdk:

 func.grantInvoke(new iam.ServicePrincipal("apigateway.amazonaws.com").withConditions(
  { "ArnLike": { "aws:SourceArn": "arn:aws:execute-api:us-west-2:111111111111:*" } }
))

Expected Behavior

.

Current Behavior

TypeError: Cannot read properties of undefined (reading 'aws:SourceAccount')

Reproduction Steps

.

Possible Solution

give up on cdk and use web console

Additional Information/Context

No response

CDK CLI Version

2.22.0 (build 1db4b16)

Framework Version

No response

Node.js Version

.

OS

linux

Language

Typescript

Language Version

No response

Other information

No response

@kjpgit kjpgit added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 29, 2022
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Apr 29, 2022
@kaizencc
Copy link
Contributor

Hi @kjpgit! This looks like a bug, and an ugly one at that. I will fix this as part of #19975.

@kaizencc kaizencc added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Apr 29, 2022
@kaizencc kaizencc changed the title lambda: can't add simple permissions for apigw (lambda): can't add simple permissions for apigw Apr 29, 2022
@kaizencc kaizencc changed the title (lambda): can't add simple permissions for apigw (lambda): grantInvoke errors when only specifying sourceArn condition Apr 29, 2022
@mergify mergify bot closed this as completed in #19975 Jun 28, 2022
mergify bot pushed a commit that referenced this issue Jun 28, 2022
Closes #19538, also fixes #20146. I combined them because they touch the same surface area and it would be too hairy to separate them out.

See [lambda docs](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xorginvoke) for this feature.

Introduces functionality to grant permissions to an organization in the following ways:

```ts
declare const  fn = new lambda.Function;

// grant to an organization
fn.grantInvoke(iam.OrganizationPrincipal('o-xxxxxxxxxx');

// grant to an account in an organization
fn.grantInvoke(iam.AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx'));
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
…19975)

Closes aws#19538, also fixes aws#20146. I combined them because they touch the same surface area and it would be too hairy to separate them out.

See [lambda docs](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xorginvoke) for this feature.

Introduces functionality to grant permissions to an organization in the following ways:

```ts
declare const  fn = new lambda.Function;

// grant to an organization
fn.grantInvoke(iam.OrganizationPrincipal('o-xxxxxxxxxx');

// grant to an account in an organization
fn.grantInvoke(iam.AccountPrincipal('123456789012').inOrganization('o-xxxxxxxxxx'));
```

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants