feat(lambda): Add LambdaRole class with helper props for common Lambda integrations #8281
Conversation
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| /** | ||
| * Properties for defining a Lambda Role | ||
| */ | ||
| export interface LambdaRoleProps extends Omit<RoleProps, 'assumedBy'> { |
There was a problem hiding this comment.
Unfortunately, jsii doesn't support the Omit type.
The feature set supported in the CDK on public-facing interfaces is restricted by the feature set supported by JSII.
My guess is the Java equivalent interfaces have simply ignored the Omit and in fact, do require the 'assumedBy' property.
I've opened a bug report for this - aws/jsii#1707
There was a problem hiding this comment.
If you want to achieve this, you will need to refactor RoleProps to create a new interface that holds everything in RoleProps except assumedBy and RoleProps would simply extend this.
export interface RoleProps extends RoleOptions {
readonly assumedBy: IPrincipal;
}
export interface RoleOptions {
// the rest of the properties here
}I've used RoleOptions but we might have to use a better name.
There was a problem hiding this comment.
@nija-at will Omit ever be supported by jsii?
I'm fine with doing the refactor, it's just tedious.
There was a problem hiding this comment.
There's no reasonable way to model this in languages outside of typescript (think: Java, C#, Python, etc.), so we don't have any plans to support this.
There was a problem hiding this comment.
Fixed in recent commit
| // We omit the assumedBy property because we know what it is for a Lambda Role | ||
|
|
||
| /** | ||
| * Grants permission to manage elastic network interfaces to |
There was a problem hiding this comment.
Perhaps be transparent and say
| * Grants permission to manage elastic network interfaces to | |
| * Adds the AWS managed policy "AWSLambdaBasicExecutionRole" to this role |
| * | ||
| * @default false | ||
| */ | ||
| readonly dynamoDBExecutionAccess?: boolean; |
There was a problem hiding this comment.
These may be better names here - allowVpcExecution, allowDynamoExecution, allowSqsExecution
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Hey @flemjame-at-amazon -
On discussion with team members, it seems like this is not the correct approach with the CDK.
I apologize for giving you the wrong idea in the first place on which this PR was based. This is my mistake. I am sorry that this has taken up your time.
The correct way to use the CDK is a resource centric approach. This would be to use the various grant APIs to associate the correct permissions with the role.
If the lambda function should have access to a Kinesis stream, then users need to call kinesisStream.grantWrite(lambdaFunction) or with DynamoDB, it will be dynamoTable.grantRead(lambdaFunction).
Let me know if there's a use case that doesn't fit with this model. It's possible that some resources don't have grant APIs but in those cases, they need to be added.
It looks like the way these permissions are handled is with IEventSource: Kinesis: aws-cdk/packages/@aws-cdk/aws-lambda-event-sources/lib/kinesis.ts Lines 28 to 35 in 1cd832b DynamoDB: aws-cdk/packages/@aws-cdk/aws-lambda-event-sources/lib/dynamodb.ts Lines 22 to 33 in 1cd832b SQS: (Nothing for XRay yet) I don't see a similar bit of code for granting Vpc execution permissions. |
|
@nija-at do you have a recommendation for how to implement granting VPC execution permissions? I was thinking a static method |
That is correct. The
Looking at the AWSLambdaVPCAccessExecutionRole managed policy, the actions being granted are For this, you will have to add an instance method |
This implies it is to be used for more than just AWS Lambda -- anyone wanting said permissions would be able to call the function, right? A cursory inspection of the EC2 permissions list shows about 10 permissions that contain "NetworkInterface" -- should this function include them all? If so, that provides Lambda with a much broader array of permission than it needs. If it shouldn't include them all, then it's a function that provides a very specific subset of permissions, and I'm not sure what other use case it would have. |
|
I think we need a little more context on what your actual problem is before you propose the solution. @flemjame-at-amazon, is your issue that when you do the following: new Function(this, 'Function', {
vpc: vpc,
// .. stuff
});That this fails because you also have to grant If that is the case, then can you explain to me why this: const function = new Function(this, 'Function', {
vpc: vpc,
role: role,
// ... stuff ...
});
Vpc.grantCreateDeleteEni(function);Is more desirable than just automatically granting the VPC-bind-permissions on a Lambda when you pass a |
|
@rix0rrr - ignore the code in this PR. We are discussing now a better approach to this, and are in fact, going down the |
|
I updated my comment. But I still feel that implicit permissions would be the more correct route to go. |
@flemjame-at-amazon - Take a look at You would create a method as Does that make sense? Further, should we automatically call the |
Lambda already takes care of that for you, just with managed policies. Would this replace what Lambda currently does? aws-cdk/packages/@aws-cdk/aws-lambda/lib/function.ts Lines 479 to 482 in 1cd832b For a provided Role, we should do nothing, correct? That was the conclusion in another ticket:
@rix0rrr Lambda does this for the Role that is created with the function, but not for a Role that is provided to the function. I am trying to build a solution for the case where the user wants to provide a Role. I initially went down the route you proposed (automatically add permissions), but the conclusion was to not automatically add permissions in the Function class. See #8041 (review) |
Adding the grant methods to the VPC construct is all that's needed now to achieve what you need. |
|
Hey @flemjame-at-amazon - I'm closing this PR given our discussion. Open a separate PR for the grant methods whenever you're ready 😊 |
feat(lambda): Add LambdaRole class with helper props for common Lambda integrations
If I am providing a Role for a Lambda function, it currently isn't given the basic execution permissions, so the function cannot log anything or, in the case of a VPC Lambda, it cannot create the network interfaces. The user has to add those permissions themselves, but it isn't clear from the documentation that that needs to happen.
This commit adds a LambdaRole class, which extends the IAM Role class and which automatically handles Lambda execution permissions. It also exposes additional props which automatically set up Lambda integrations with services like Kinesis, DynamoDB, SQS, and XRay.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license