When a Lambda function is registered as a target group in an Application Load Balancer, it adds an AWS::Lambda::Permission allowing the Principal: elasticloadbalancing.amazonaws.com to invoke the function.
However, the target group does not contain a dependency on this permission and, due to the order of creation, might fail if CloudFormation decides to create the TargetGroup before the Lambda permission.
    alb = ApplicationLoadBalancer(...)
    listener = alb.add_listener("Listener", port=80, open=False)
    lambda_function = Function(...)
    listener.add_targets(
        "Target",
        targets=[LambdaTarget(lambda_function)],
        priority=1,
    )
From the CloudFormation console:
API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-west-2:********:function:LambdaFunctionF38095AF-1BKXQUR0FWO9P from target group arn:aws:elasticloadbalancing:us-west-2:***********:targetgroup/LambdaFunction6BJ8GFZ2AFNJ/40d175d269b48dec
This is :bug: Bug Report
I've solved this with:
target_group = listener.add_targets(...)
target_group.node.add_dependency(lambda_function)
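Added example, not part of the thread or of the CDK code base: a check over a synthesized CloudFormation template that reports Lambda target groups with no DependsOn on the permission that lets elasticloadbalancing.amazonaws.com invoke the target function, which is the ordering gap described in the report above. The sample template and its logical IDs are constructed, and intrinsics other than Ref and Fn::GetAtt are treated as unresolved.

```python
ELB_PRINCIPAL = "elasticloadbalancing.amazonaws.com"

def logical_id(value):
    """Resolve Ref / Fn::GetAtt to a logical ID; literal strings pass through."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    att = value.get("Fn::GetAtt") if isinstance(value, dict) else None
    return att[0] if isinstance(att, list) and att else None

def depends_on(resource):
    dep = resource.get("DependsOn", [])  # CloudFormation allows a string or a list
    return {dep} if isinstance(dep, str) else set(dep)

def unordered_lambda_target_groups(template):
    """Return (target_group, function) pairs lacking DependsOn on an ELB invoke permission."""
    resources = template.get("Resources", {})
    perms = {}  # function logical ID -> logical IDs of permissions for the ELB principal
    for lid, res in resources.items():
        props = res.get("Properties", {})
        fn = logical_id(props.get("FunctionName"))
        if (res.get("Type") == "AWS::Lambda::Permission"
                and props.get("Principal") == ELB_PRINCIPAL and fn is not None):
            perms.setdefault(fn, set()).add(lid)
    findings = []
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if (res.get("Type") != "AWS::ElasticLoadBalancingV2::TargetGroup"
                or props.get("TargetType") != "lambda"):
            continue
        for target in props.get("Targets", []):
            fn = logical_id(target.get("Id"))
            # Unresolved targets (fn is None) are reported rather than assumed safe.
            if not perms.get(fn, set()) & depends_on(res):
                findings.append((lid, fn))
    return findings

# Constructed sample template; all logical IDs are hypothetical.
FN_ARN = {"Fn::GetAtt": ["Fn", "Arn"]}
TG_PROPS = {"TargetType": "lambda", "Targets": [{"Id": FN_ARN}]}
SAMPLE = {"Resources": {
    "Fn": {"Type": "AWS::Lambda::Function", "Properties": {}},
    "FnInvoke": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "Principal": ELB_PRINCIPAL, "FunctionName": FN_ARN}},
    "RacyTG": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": TG_PROPS},
    "OrderedTG": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
                  "Properties": TG_PROPS, "DependsOn": ["FnInvoke"]},
}}
```

Calling `unordered_lambda_target_groups(SAMPLE)` flags only `RacyTG`; the same function can be run on the JSON that `cdk synth` writes to `cdk.out`.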
Hi @edisongustavo, I'm glad you made it work! I will close this issue for now but feel free to reopen it.
Yes, but I don't think it is "solved". I believe this should be fixed within CDK.
Do you agree?
I also don't have permission to reopen this issue.
Yes, the dependency should be added automatically.
Hi. I'm having the same issue. ..addDependency(..) did not help for me.
1/4 | 4:20:47 PM | CREATE_FAILED | AWS::ElasticLoadBalancingV2::TargetGroup | a-tg-extra (atgextra7ACCDF33) API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-west-2:111111:function:Infra1AlphaBayLamb-lambdaInfra1AlphaBayconc-XXXXXX from target group arn:aws:elasticloadbalancing:us-west-2:111111:targetgroup/a-tg-extra/d7455828732114dd
new TargetGroupBase (/home/harry/Projects/cdktest/alb-extra/infra1-alb-extra/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-target-group.ts:226:21)
\_ new ApplicationTargetGroup (/home/harry/Projects/cdktest/alb-extra/infra1-alb-extra/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-target-group.ts:93:5)
\_ Infra1AlbExtraStack.createExtraTargetGroup (/home/harry/Projects/cdktest/alb-extra/infra1-alb-extra/lib/infra1-alb-extra-stack.ts:269:21)
\_ Infra1AlbExtraStack.init (/home/harry/Projects/cdktest/alb-extra/infra1-alb-extra/lib/infra1-alb-extra-stack.ts:152:23)
\_ new Infra1AlbExtraStack (/home/harry/Projects/cdktest/alb-extra/infra1-alb-extra/lib/infra1-alb-extra-stack.ts:134:10)
We are also seeing an error API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission to invoke.
For us, this happens when we do a cross-account deployment of a stack containing Lambda functions with ALB integration.
Version 1.30.0
Just FYI, in my case, the problem happened when we used an existing Lambda while creating an ALB stack. The "workaround" for us was just to create a new Lambda every time we create an ALB in the same stack.
Hi,
will this be part of 1.38.1 or 1.39.0? With 1.38.0 we still experience the issue.
Thanks!