Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(lambda): document adding execution permissions to provided IAM roles #8041

Merged

Conversation

flemjame-at-amazon
Copy link
Contributor

@flemjame-at-amazon flemjame-at-amazon commented May 17, 2020

Commit Message

docs(lambda): document adding execution permissions to provided IAM roles

If I am providing a Role for a Lambda function, it currently isn't given the basic execution permissions, so the function cannot log anything or, in the case of a VPC Lambda, it cannot create the network interfaces. The user has to add those permissions themselves, but it isn't clear from the documentation that that needs to happen.

This commit adds documentation showing CDK users how to add the required permissions for execution.

End Commit Message


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 89d722c
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 37f410e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

@nija-at nija-at left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, this is the correct behaviour of this construct. There are users of this library who want to have full control over the permissions of their role. The property role is provided to satisfy this.

What is the exact use case you are trying to achieve here?

@flemjame-at-amazon
Copy link
Contributor Author

What is the exact use case you are trying to achieve here?

This doesn't unlock any new use cases -- this was intended to make Lambda creation foolproof.

There are users of this library who want to have full control over the permissions of their role. The property role is provided to satisfy this.

I get the full control portion. However, without the basic execution role, or equivalent permissions, Lambda does not work correctly (cannot log output). In a VPC, the Lambda does not even initialize without the EC2 permissions. Is this the desired outcome for users who want full control?

At the very least, it should be clearly documented that those permissions must be added yourself when providing your own role. I've hit that issue, as have co-workers, which was the impetus for this PR.

@flemjame-at-amazon flemjame-at-amazon force-pushed the lambda-provided-execution-role-policy branch from 37f410e to c6c8a8c Compare May 20, 2020 18:25
@flemjame-at-amazon flemjame-at-amazon changed the title fix(lambda): add execution permissions to provided IAM roles docs(lambda): document adding execution permissions to provided IAM roles May 20, 2020
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: c6c8a8c
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 1d7f416
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@nija-at
Copy link
Contributor

nija-at commented May 21, 2020

I get the full control portion. However, without the basic execution role, or equivalent permissions, Lambda does not work correctly (cannot log output). In a VPC, the Lambda does not even initialize without the EC2 permissions. Is this the desired outcome for users who want full control?

How about a LambdaRole class that extends iam.Role which comes with the basic permissions? Does that provide a good starting point for customers with this use case?

Copy link
Contributor

@nija-at nija-at left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! Me love some good clean documentation and writing. Some minor adjustments called out below.

Let me know if you think it's a good idea and would like to pursue the LambdaRole option in this PR.

packages/@aws-cdk/aws-lambda/README.md Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-lambda/README.md Outdated Show resolved Hide resolved
flemjame-at-amazon and others added 2 commits May 21, 2020 11:20
Co-authored-by: Niranjan Jayakar <nija@amazon.com>
Co-authored-by: Niranjan Jayakar <nija@amazon.com>
@mergify mergify bot dismissed nija-at’s stale review May 21, 2020 15:21

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: abcb09d
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: d187187
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: ba8f521
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@flemjame-at-amazon
Copy link
Contributor Author

Nice! Me love some good clean documentation and writing. Some minor adjustments called out below.

Let me know if you think it's a good idea and would like to pursue the LambdaRole option in this PR.

I like the idea -- it's just a Role with the "assumedBy" always being Lambda.

Once concern I have is I'd prefer not to create a class like "LambdaRoleProps" because I worry about keeping it's features in sync with regular RoleProps. Do you have any ideas as to how to achieve this?

@nija-at
Copy link
Contributor

nija-at commented May 22, 2020

because I worry about keeping it's features in sync with regular RoleProps

What if LambdaRoleProps extended RoleProps? Would that work?

@mergify
Copy link
Contributor

mergify bot commented May 22, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 45a3a1c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented May 22, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@flemjame-at-amazon flemjame-at-amazon deleted the lambda-provided-execution-role-policy branch September 2, 2020 18:00
@flemjame-at-amazon flemjame-at-amazon restored the lambda-provided-execution-role-policy branch September 2, 2020 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants