Unable to add an SQS event source to a Lambda function with imported role #2381
Comments
I've tested this in
Confirming this is a regression. Minimal repro (v0.32.0):

```ts
import iam = require('@aws-cdk/aws-iam');
import sqs = require('@aws-cdk/aws-sqs');
// Queue in this stack; role imported by ARN (an account-qualified principal)
const queue = new sqs.Queue(this, 'q');
const role = iam.Role.fromRoleArn(this, 'r', 'arn:aws:iam::585695036304:role/ReproRole2381');
queue.grantConsumeMessages(role);
```

I think we have a few issues here:
Thanks for confirming this is a regression @eladb. My current workaround is to comment out the step where I'm attaching a lambda function to trigger on an sqs event, and then manually hook them up in the aws console. Not ideal, but I'm hoping this can get fixed in the future. Especially since we're going to end up with more than a dozen queues and triggers in our processing pipeline. Again, thanks again for confirming.
You're right, it shouldn't be. The permissions should be added to the resource policy if the principal is in another account, and only then. I guess the API is still a little wonky, which makes this mistake too easy to make. My apologies, my understanding of IAM is progressing as this project progresses :) Actually, @shivlaks used 2 different terms recently which are a lot more illuminating to think about (than "policy" or "permission"), that I wonder whether we should use more widely:
I'm thinking we might need to do something similar to what we do for outbound security groups (where the default is "allow all outbound traffic", but that can be disabled for fine-grained configuration):
@rix0rrr No worries at all. Thanks for providing detailed insight into what's going on. Much appreciated.

I imagine the error might be caused because the IAM permission SQS can and will validate the queue policy, but it does not see and so cannot validate the IAM policy. So actually Just surmising here.
Batch permissions are automatically implied when given regular API call permissions. For example, giving IAM permissions to `sqs:SendMessage` gives permission to call both `SendMessage` and `SendMessageBatch`. Fixes #2381.
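The two points made in this thread (a grant belongs in the queue's resource policy only when the principal is in another account, and SQS `*Batch` actions are implied by the base action, so a queue policy must not name them) as an added example in TypeScript. This is illustrative code written for this page, not code from aws-cdk or from anyone in the thread. The list of actions SQS accepts in a queue policy is taken from the SQS AddPermission documentation as I recall it and should be checked against the current docs; `accountFromArn`, `grantTarget` and `toQueuePolicyActions` are hypothetical helper names, and the input action list is constructed for the example.

```typescript
// Actions SQS accepts by name in a queue (resource) policy. Assumed from the
// AddPermission docs; batch calls are covered by the corresponding base action.
const QUEUE_POLICY_ACTIONS: ReadonlySet<string> = new Set([
  "sqs:*",
  "sqs:ChangeMessageVisibility",
  "sqs:DeleteMessage",
  "sqs:GetQueueAttributes",
  "sqs:GetQueueUrl",
  "sqs:ListDeadLetterSourceQueues",
  "sqs:PurgeQueue",
  "sqs:ReceiveMessage",
  "sqs:SendMessage",
]);

/** Extract the 12-digit account id from an IAM principal ARN; throws on malformed input. */
function accountFromArn(arn: string): string {
  // arn:partition:service:region:account:resource
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") {
    throw new Error(`not an ARN: ${arn}`);
  }
  const account = parts[4];
  if (!/^\d{12}$/.test(account)) {
    throw new Error(`ARN carries no account id: ${arn}`);
  }
  return account;
}

/**
 * Where a grant for `principalArn` on a resource owned by `resourceAccount` should
 * be written: the principal's identity policy when both are in the same account,
 * the resource policy only when the principal is foreign.
 */
function grantTarget(principalArn: string, resourceAccount: string): "identity" | "resource" {
  return accountFromArn(principalArn) === resourceAccount ? "identity" : "resource";
}

/**
 * Fold `sqs:FooBatch` into `sqs:Foo`, dedupe, and reject anything SQS would not
 * accept in a queue policy. IAM does not validate action names in identity
 * policies, so this check matters exactly when grantTarget() says "resource".
 */
function toQueuePolicyActions(actions: string[]): string[] {
  const out = new Set<string>();
  for (const action of actions) {
    const base = action.endsWith("Batch") ? action.slice(0, -"Batch".length) : action;
    if (!QUEUE_POLICY_ACTIONS.has(base)) {
      // Mirrors the shape of the error reported in this issue
      throw new Error(`Value ${action} for parameter ActionName is invalid`);
    }
    out.add(base);
  }
  return Array.from(out).sort();
}

// Constructed input: consume-side actions a grant might emit, including the
// batch variants that a queue policy rejects.
const consumeActions = [
  "sqs:ReceiveMessage",
  "sqs:ChangeMessageVisibility",
  "sqs:ChangeMessageVisibilityBatch",
  "sqs:DeleteMessage",
  "sqs:DeleteMessageBatch",
  "sqs:GetQueueUrl",
  "sqs:GetQueueAttributes",
];

const repro = "arn:aws:iam::585695036304:role/ReproRole2381";
console.log(grantTarget(repro, "585695036304"));   // identity: same account, no queue policy needed
console.log(grantTarget(repro, "111111111111"));   // resource: cross-account, statement goes on the queue
console.log(toQueuePolicyActions(consumeActions)); // batch names folded into their base actions
```

The decision in `grantTarget` is the security-relevant one: writing a cross-account-style statement onto the queue for a same-account principal both widens the queue's resource policy unnecessarily and exposes the grant to SQS's stricter action-name validation, which is how the `ChangeMessageVisibilityBatch` error surfaces.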
Describe the bug

I'm unable to connect a Lambda function to an SQS event source. Using 0.28.0 and 0.29.0 I'm getting an error message:

`Value sqs:ChangeMessageVisibilityBatch for parameter ActionName is invalid. Reason: Please refer to the appropriate WSDL for a list of valid actions.`

Due to security limitations we have to provide our own pre-created lambda role. Using 0.27.0 everything is working as expected (w/ imported role). It seems that this might be a regression bug introduced in 0.28.0.

To Reproduce

Here is the stack code:

And here is the policy that's attached to `lambda-processing-role`.

If I run the `cdk deploy` command using 0.27.0 everything is working as expected. However, when I use 0.28.0 and 0.29.0 with the imported lambda role this is what I'm getting back:

Expected behavior

I should be able to attach a Lambda function to SQS events.

Version: