Aws-cdk: Lambda: Principal conditions don't get translated to AWS::Lambda::Permissions fields

Created on 21 May 2020 · 4 Comments · Source: aws/aws-cdk

Trying to create a ServicePrincipal for use in a Function.grantInvoke call.

Want to add conditions so that it is scoped to a particular bucket ala e.g. here https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

I've tried variations in conditions for the keys like
arnLike
awsSourceArn

tried using this as reference

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

How is this supposed to work? No examples in docs or elsewhere on interwebs

Reproduction Steps

```typescript
import { ServicePrincipal } from '@aws-cdk/aws-iam';

// ArnLike is the IAM condition operator from the linked docs ('arn:like' is not a valid operator).
// aws:SourceArn expects the bucket ARN (arn:aws:s3:::<bucket>), not the bare bucket name.
const spOptions = {
    conditions: {
        ArnLike: {
            'aws:SourceArn': bucketName
        }
    }
};
const sp = new ServicePrincipal('s3.amazonaws.com', spOptions);
console.log('Service Principal', sp.policyFragment);
this.launcherFunction.grantInvoke(sp);
```

Doing this I see my conditions in the policyFragment output, but it doesn't generate any conditions in the resulting CloudFormation:

```json
{
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::GetAtt": [
        "xxxLauncher5BB90C90",
        "Arn"
      ]
    },
    "Principal": "s3.amazonaws.com"
  },
  "Metadata": {
    ...
  }
}
```

Error Log

Environment

  • CLI Version: aws-cli/2.0.9
  • Framework Version: 1.40.0
  • OS: ubuntu 16.04
  • Language: typescript

Other


This is a :bug: Bug Report

Labels: @aws-cdk/aws-iam, bug, effort/small, p1
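As an added illustration (not aws-cdk code, and not part of any comment in this thread), the snippet below models in plain TypeScript, with no CDK dependency, the translation the issue is asking for: IAM-style principal conditions become the SourceArn / SourceAccount properties of an AWS::Lambda::Permission, anything that cannot be expressed in those two fields is refused instead of silently dropped, and an audit helper flags a synthesized permission whose service principal carries neither field. The bucket ARN and account id are constructed placeholders; the condition-to-field mapping follows the AWS::Lambda::Permission properties, which are not shown on this page.

```typescript
// Added example, not aws-cdk code: model the missing translation from principal
// conditions to AWS::Lambda::Permission fields, plus an audit check for the result.

type ConditionBlock = Record<string, Record<string, string | string[]>>;

interface LambdaPermissionProps {
  Action: string;
  FunctionName: string;
  Principal: string;
  SourceArn?: string;
  SourceAccount?: string;
}

interface Translation {
  sourceArn?: string;
  sourceAccount?: string;
  unsupported: string[]; // "Operator/key" pairs that have no Permission field
}

// Only two condition shapes map onto AWS::Lambda::Permission:
//   ArnLike | ArnEquals on aws:SourceArn      -> SourceArn
//   StringEquals        on aws:SourceAccount  -> SourceAccount
// Anything else (other operators, other keys, multi-valued lists) is reported
// so the caller can refuse it rather than emit a permission that silently lost it.
function translateConditions(conditions: ConditionBlock): Translation {
  const out: Translation = { unsupported: [] };
  for (const operator of Object.keys(conditions)) {
    const keys = conditions[operator];
    for (const key of Object.keys(keys)) {
      const raw = keys[key];
      const values = Array.isArray(raw) ? raw : [raw];
      const single = values.length === 1 ? values[0] : undefined;
      if ((operator === 'ArnLike' || operator === 'ArnEquals') && key === 'aws:SourceArn' && single !== undefined) {
        out.sourceArn = single;
      } else if (operator === 'StringEquals' && key === 'aws:SourceAccount' && single !== undefined) {
        out.sourceAccount = single;
      } else {
        out.unsupported.push(operator + '/' + key);
      }
    }
  }
  return out;
}

// Build the Permission properties; throw when a condition would be lost in translation.
function buildPermission(functionName: string, principal: string, conditions: ConditionBlock = {}): LambdaPermissionProps {
  const t = translateConditions(conditions);
  if (t.unsupported.length > 0) {
    throw new Error('conditions not expressible as Lambda permission fields: ' + t.unsupported.join(', '));
  }
  const props: LambdaPermissionProps = { Action: 'lambda:InvokeFunction', FunctionName: functionName, Principal: principal };
  if (t.sourceArn !== undefined) props.SourceArn = t.sourceArn;
  if (t.sourceAccount !== undefined) props.SourceAccount = t.sourceAccount;
  return props;
}

// Audit check for synthesized templates: a service principal with neither SourceArn nor
// SourceAccount lets that service invoke the function on behalf of any account's resources,
// which is exactly the confused-deputy exposure the aws:SourceArn condition is meant to close.
function auditPermission(props: LambdaPermissionProps): string[] {
  const findings: string[] = [];
  const isService = /\.amazonaws\.com$/.test(props.Principal);
  if (isService && props.SourceArn === undefined && props.SourceAccount === undefined) {
    findings.push(props.Principal + ': no SourceArn or SourceAccount; invocation is not scoped to a caller resource');
  }
  if (props.Principal === '*') {
    findings.push('principal "*": function is invokable by any principal');
  }
  return findings;
}

// Constructed sample: the S3 bucket case from the issue, with a placeholder bucket ARN.
const scoped = buildPermission('xxxLauncher', 's3.amazonaws.com', {
  ArnLike: { 'aws:SourceArn': 'arn:aws:s3:::example-bucket' },
});
const unscoped = buildPermission('xxxLauncher', 's3.amazonaws.com');

console.log(JSON.stringify(scoped, null, 2));
console.log('scoped findings:', auditPermission(scoped));
console.log('unscoped findings:', auditPermission(unscoped));
```

In CDK itself the same scoping is expressed by passing `sourceArn` (and optionally `sourceAccount`) to `addPermission` rather than through principal conditions; that API is not shown on this page. The audit function is the kind of check worth running over a synthesized template to catch permissions that came out unscoped the way the templates quoted in this thread did.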

All 4 comments

Good point. We support those conditions for IAM policies, but they don't get properly translated to Lambda Permission objects.

For the time being, I'd recommend you use launcherFunction.addPermission() instead.

I am seeing the same thing, but while using the launcherFunction.addPermission() that @rix0rrr recommended.

My code:

```typescript
import { ServicePrincipal } from '@aws-cdk/aws-iam';

const servicePrincipal = new ServicePrincipal('apigateway.amazonaws.com', {
  conditions: {
    ArnEquals: {
      'aws:SourceArn': `arn:aws:execute-api:${this.region}:${this.account}:${proxy.restApiId}/*/*`,
    }
  }
});

lambda.addPermission('test', {
  principal: servicePrincipal,
});
```

Resulting CloudFormation output:

```json
{
  "testlambdafunctiontest3C0029AA": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
      "Action": "lambda:InvokeFunction",
      "FunctionName": {
        "Fn::GetAtt": [
          "testlambdafunction82C8D643",
          "Arn"
        ]
      },
      "Principal": "apigateway.amazonaws.com"
    },
    "Metadata": {
      "aws:cdk:path": "stack-name/test-lambda-function/test"
    }
  }
}
```

CLI Version : aws-cli/1.16.256
Framework Version: 1.44.0
OS : Darwin/19.2.0
Language : typescript

Any updates on prioritization for this fix? The workaround from @rix0rrr does not appear to work.

I experienced the same problem. Additionally, using PrincipalWithConditions seems not to be supported as a principal in a Lambda permission:

```
Invalid principal type for Lambda permission statement: PrincipalWithConditions. Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal
```
