Resource Policy is not being created for Lambda when using Lambda version but is being created when using new Lambda.
Create a new lambda function and publish a new version for it.
Create a new resource policy for the created lambda version.
The example shows creating a new resource policy so that API Gateway can invoke version 13 of the weatherFunction Lambda:
```python
from aws_cdk import aws_iam as iam, aws_lambda as _lambda

# Import version 13 of weatherFunction and allow API Gateway (stage dev, GET /) to invoke it
version = _lambda.Version.from_version_attributes(self, id='stageVersion', lambda_=weatherFunction, version='13')
version.add_permission(id='invokeweatherfnversion13', principal=iam.ServicePrincipal(service='apigateway.amazonaws.com'),
                       action='lambda:InvokeFunction', source_arn=api.arn_for_execute_api(stage='dev', method='GET', path='/'))
```
No error message
This is :bug: Bug Report
This might be related: CDK fails to create an AWS::Lambda::Permission resource for an imported lambda function (but does generate it for in-the-stack lambdas).
Steps to reproduce:
```typescript
import * as apigateway from '@aws-cdk/aws-apigateway';
import * as iam from '@aws-cdk/aws-iam';
import * as lambda from '@aws-cdk/aws-lambda';

// Import a function that lives in another stack (or account) by its ARN
const importedLambda = lambda.Function.fromFunctionArn(
  stack, 'shared lambda authorizer', 'some external arn',
);
const jwtAuthorizer = new apigateway.TokenAuthorizer(stack, 'api-authorizer', {
  handler: importedLambda,
  authorizerName: 'api-authorizer',
});
importedLambda.addPermission('api gateway allow', {
  principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
  sourceArn: jwtAuthorizer.authorizerArn,
}); // this does NOT create AWS::Lambda::Permission
```
I expect something like this to be created:
```yaml
somePermission:
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName:
      Fn::GetAtt:
        - importedLambda
        - Arn
    Principal: apigateway.amazonaws.com
    SourceArn:
      Fn::Join:
        - ""
        - - "arn:"
          - Ref: AWS::Partition
          - ":execute-api:<region>:<account>:"
          - Ref: APIGWSTAGE
          - /authorizers/
          - Ref: jwtAuthorizer
```
So is it possible (and how) to allow external lambdas (from other stacks) to be invoked by the custom authorizer? GrantInvoke probably also doesn't work...
@durja - Please provide more details on your bug report. It's not clear what steps are needed to reproduce this. Which parts of the steps are performed in the CDK and which ones outside?
It would be great if you could provide code samples.
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
@nija-at I just gave you one example: import a lambda from another stack, then call addPermission on that lambda. I expect to see an AWS::Lambda::Permission in the current stack.
The method addPermission is:
```typescript
// Excerpt from function-base.ts in aws-cdk
public addPermission(id: string, permission: Permission) {
  if (!this.canCreatePermissions) {
    // FIXME: Report metadata
    return;
  }
  // ... remainder of the method (elided in the quote)
}
```
And property canCreatePermissions has this comment:
```typescript
/**
 * Whether the addPermission() call adds any permissions
 *
 * True for new Lambdas, false for imported Lambdas (they might live in different accounts).
 */
protected abstract readonly canCreatePermissions: boolean;
```
So this behaviour is by design. It's not an issue.
Thanks for looking into the code @nbenaglia. It's not clear why we have set this value to false for imported versions. As far as I can tell, we should be able to set this to true.
Is there any way to get around this? Setting can_create_permissions to True doesn't seem to be changing anything.
@SKIIDK - `canCreatePermissions` is a protected member of the class. You cannot control it from outside the class.
Workaround is to create a `CfnPermission` class like so - https://github.com/aws/aws-cdk/blob/6407535863c06d6d3ccfc2c3f2b59470d2d88993/packages/%40aws-cdk/aws-lambda/lib/function-base.ts#L212-L219
With @Hugodby we found a detailed workaround using this template, with API Gateway and Lambda authorizers:
```typescript
import * as cdk from '@aws-cdk/core';
import * as apigateway from '@aws-cdk/aws-apigateway';
import * as lambda from '@aws-cdk/aws-lambda';

// parameters
const authorizerFunctionArn = new cdk.CfnParameter(this, "authorizerFunctionArn", {
  type: "String",
  default: "arn:aws:lambda:eu-west-1:XXXXXXXXX:XXXXXXXXX",
  description: "ARN of the LambdaAuthorizer",
});
// authorizer lambda (imported by ARN, so addPermission() on it is a no-op)
const authFunction = lambda.Function.fromFunctionArn(this,
  "lambda-authorizer",
  authorizerFunctionArn.valueAsString,
);
// api gateway
const TestApi = new apigateway.RestApi(this, 'TestApi', {
  restApiName: 'TestService',
});
// explicit resource policy entry; the L1 construct is emitted regardless of canCreatePermissions
new lambda.CfnPermission(this, id + "test01", {
  action: "lambda:InvokeFunction",
  principal: 'apigateway.amazonaws.com',
  functionName: authorizerFunctionArn.valueAsString,
  sourceArn: cdk.Arn.format(
    {
      service: "execute-api",
      resource: TestApi.restApiId,
      resourceName: "authorizers/*",
    },
    this,
  ),
});
```
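Because addPermission() on an imported function returns silently, the only reliable way to know whether the resource policy entry exists is to inspect the synthesized template. The following check is an added example, not code from this thread or from the CDK project: it walks a template, finds every API Gateway authorizer, and reports authorizers whose backing function has no apigateway invoke permission, or one without a SourceArn. The template is a constructed sample; the AuthorizerUri layout assumed is the standard `.../functions/<function arn>/invocations` form.

```python
# Constructed sample of a synthesized CloudFormation template (not real CDK output):
# one authorizer backed by an in-stack function (permission present) and one backed
# by an imported function ARN, for which addPermission() was silently dropped.
SAMPLE_TEMPLATE = {"Resources": {
    "InStackFn": {"Type": "AWS::Lambda::Function", "Properties": {}},
    "InStackAuth": {"Type": "AWS::ApiGateway::Authorizer", "Properties": {"AuthorizerUri": {"Fn::Join": ["",
        ["arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/", {"Fn::GetAtt": ["InStackFn", "Arn"]}, "/invocations"]]}}},
    "InStackPerm": {"Type": "AWS::Lambda::Permission", "Properties": {"Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com", "FunctionName": {"Ref": "InStackFn"},
        "SourceArn": {"Fn::Join": ["", ["arn:aws:execute-api:eu-west-1:111111111111:", {"Ref": "Api"}, "/authorizers/", {"Ref": "InStackAuth"}]]}}},
    "ImportedAuth": {"Type": "AWS::ApiGateway::Authorizer", "Properties": {"AuthorizerUri":
        "arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:111111111111:function:shared-authorizer/invocations"}},
}}

def _flatten(value):
    """Render a CloudFormation value as a string; Ref/GetAtt become ${...} tokens."""
    if isinstance(value, dict) and "Fn::Join" in value:
        delim, parts = value["Fn::Join"]
        return delim.join(_flatten(p) for p in parts)
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        return "${%s.%s}" % tuple(value["Fn::GetAtt"])
    if isinstance(value, dict) and "Ref" in value:
        return "${%s}" % value["Ref"]
    return str(value)

def _function_from_uri(uri):
    """AuthorizerUri has the form .../functions/<function arn>/invocations."""
    return uri.split("/functions/", 1)[1].rsplit("/invocations", 1)[0]

def check_authorizer_permissions(template):
    """One finding per authorizer whose function lacks a SourceArn-scoped apigateway permission."""
    resources = template["Resources"]
    perms = [r["Properties"] for r in resources.values() if r["Type"] == "AWS::Lambda::Permission"
             and r["Properties"].get("Principal") == "apigateway.amazonaws.com"]
    findings = []
    for name, res in resources.items():
        if res["Type"] != "AWS::ApiGateway::Authorizer":
            continue
        fn = _function_from_uri(_flatten(res["Properties"]["AuthorizerUri"]))
        # CDK emits FunctionName as a Ref (name) while the URI carries GetAtt Arn; accept both
        aliases = {fn, fn.replace(".Arn}", "}")}
        matching = [p for p in perms if _flatten(p.get("FunctionName")) in aliases]
        if not matching:
            findings.append(f"{name}: no AWS::Lambda::Permission for {fn} (imported function?)")
        elif not any(p.get("SourceArn") for p in matching):
            findings.append(f"{name}: permission for {fn} has no SourceArn (any API in the account can invoke)")
    return findings
```

Run it against the output of `cdk synth` (loaded from the template JSON) as a post-synthesis assertion in CI so a dropped permission fails the build instead of surfacing as a 403 from the authorizer at runtime.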