Skip to content

(lambda): CDK-generated permissions will not work on Lambda invoked with Qualifier= #19273

Closed
@rix0rrr

Description

@rix0rrr
Contributor

What is the problem?

Lambda is changing their authorization strategy.

When you call InvokeFunction(FunctionName='xyz', Qualifier=86):

  • It used to be the case that you would need IAM permissions granted to the unqualified function name:xyz.
  • It is now the case that you need IAM permissions granted to the qualified function name: xyz:86

It always was and still will be the case that when you do InvokeFunction(FunctionName='xyz:86'), you need IAM permissions to invoke xyz:86.


Since we don't always control what the InvokeFunction call looks like, it might just be safest/simplest to grant permissions on ['xyz', 'xyz:*'].

Reproduction Steps

See above

What did you expect to happen?

See above

What actually happened?

Call is rejected

CDK CLI Version

x

Framework Version

No response

Node.js Version

x

OS

x

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

No response

Activity

added
bugThis issue is a bug.
needs-triageThis issue or PR still needs to be triaged.
effort/mediumMedium work item – several days of effort
and removed
needs-triageThis issue or PR still needs to be triaged.
on Mar 7, 2022
kaizencc

kaizencc commented on Mar 31, 2022

@kaizencc
Contributor

This issue is closed by the combination of #19318 and #19464

github-actions

github-actions commented on Mar 31, 2022

@github-actions
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

1 remaining item

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Labels

bugThis issue is a bug.effort/mediumMedium work item – several days of effortp1

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @rix0rrr@kaizencc@madeline-k

      Issue actions

        (lambda): CDK-generated permissions will not work on Lambda invoked with `Qualifier=` · Issue #19273 · aws/aws-cdk