Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[lambda] Grant invoke on imported lambda fails #9883

Closed
tbartley opened this issue Aug 21, 2020 · 1 comment · Fixed by #9957
Closed

[lambda] Grant invoke on imported lambda fails #9883

tbartley opened this issue Aug 21, 2020 · 1 comment · Fixed by #9957
Assignees
@rix0rrr @nija-at
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. p1

Comments

@tbartley
Copy link

tbartley commented Aug 21, 2020
edited
Loading

Imported lambda's can no longer be granted permission to invoke a lambda within a stack.

Reproduction Steps

const localFunction = new Function(this, 'Local', {...})
const foreignRoleArn = Role.fromRoleArn(this, 'ForeignRole', 'foreign-lambda-role-arn')
const foreignFunction = Function.fromFunctionAttributes(this, 'Foreign', {
    functionArn: 'foreign-lambda-arn',
    roleArn: foreignRoleArn
})
localFunction.grantInvoke(foreignFunction)

What did you expect to happen?

In 1.59.0 and earlier it succeeded.

What actually happened?

Since 1.60.0 this now fails with error:

Error: Invalid principal type for Lambda permission statement: Import. Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal.

Environment

  • CLI Version : 1.60.0
  • Framework Version:
  • Node.js Version: 12
  • OS : MacOS
  • Language (Version): Typescript 3.9.7

Other

This is 🐛 Bug Report
@tbartley tbartley added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 21, 2020
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Aug 21, 2020
@tbartley tbartley changed the title [lambda] [lambda] Grant invoke on imported lambda fails Aug 21, 2020
@nija-at nija-at added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 24, 2020
@nija-at
Copy link
Contributor

nija-at commented Aug 24, 2020

Ack that this is a regression introduced in 1.60.0. The bug is coming from here -

aws-cdk/packages/@aws-cdk/aws-lambda/lib/function-base.ts

Line 270 in e893828

public grantInvoke(grantee: iam.IGrantable): iam.Grant {

Previously, the code behaviour was to add lambda:Invoke to the IAM role, but the call is attempting to add a AWS::Lambda::Permission resource by calling addPermission() API.

Ran git bisect between the two versions and the offending commit is - d6278b3.

@skinny85 - can you take a look at this and prepare a fix?

@nija-at nija-at added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 24, 2020
@njlynch njlynch mentioned this issue Aug 25, 2020
Closed
rix0rrr added a commit that referenced this issue Aug 25, 2020
@rix0rrr
fix(lambda): grantInvoke fails for imported IAM identities
2e977fa 
We used to erroneously assume that IAM identities imported into
the same Stack object (imported Roles specifically) would always
belong to the same account as the resources in the stack, and so
try to add `Invoke` permissions to the identity policy, which
would silently fail.

In a recent change, we started recognizing the account of the
Role properly and so now we detect that we must actually ALSO
add permission to the Lambda itself (resource policies).

Unfortunately the Lambda IAM-to-Lambda-Permissions translator had a list
of special recognized classes that did not include imported Roles, and
so this would fail.

Add another case where we try a more generic fallback by parsing
the policy principal. This should catch most simple principals
that Lambda Permissions supports.

Fixes #9883.
@rix0rrr rix0rrr mentioned this issue Aug 25, 2020
Merged
@mergify mergify bot closed this as completed in #9957 Aug 28, 2020
mergify bot pushed a commit that referenced this issue Aug 28, 2020
@rix0rrr
fix(lambda): grantInvoke fails for imported IAM identities (#9957)
d748f44 
We used to erroneously assume that IAM identities imported into
the same Stack object (imported Roles specifically) would always
belong to the same account as the resources in the stack, and so
try to add `Invoke` permissions to the identity policy, which
would silently fail.

In a recent change, we started recognizing the account of the
Role properly and so now we detect that we must actually ALSO
add permission to the Lambda itself (resource policies).

Unfortunately the Lambda IAM-to-Lambda-Permissions translator had a list
of special recognized classes that did not include imported Roles, and
so this would fail.

Add another case where we try a more generic fallback by parsing
the policy principal. This should catch most simple principals
that Lambda Permissions supports.

Fixes #9883.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

@nija-at nija-at

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(lambda): grantInvoke fails for imported IAM identities aws/aws-cdk
3 participants
@rix0rrr @tbartley @nija-at