Skip to content

(lambda): CDK-generated permissions will not work on Lambda invoked with Qualifier= #19273

New issue
New issue
Closed
Closed
(lambda): CDK-generated permissions will not work on Lambda invoked with Qualifier=#19273
Assignees
kaizenccmadeline-k
Labels
bugThis issue is a bug.effort/mediumMedium work item – several days of effortp1
@rix0rrr

Description

@rix0rrr
rix0rrr
opened on Mar 7, 2022
Contributor

What is the problem?

Lambda is changing their authorization strategy.

When you call InvokeFunction(FunctionName='xyz', Qualifier=86):

  • It used to be the case that you would need IAM permissions granted to the unqualified function name:xyz.
  • It is now the case that you need IAM permissions granted to the qualified function name: xyz:86

It always was and still will be the case that when you do InvokeFunction(FunctionName='xyz:86'), you need IAM permissions to invoke xyz:86.

Since we don't always control what the InvokeFunction call looks like, it might just be safest/simplest to grant permissions on ['xyz', 'xyz:*'].

Reproduction Steps

See above

What did you expect to happen?

See above

What actually happened?

Call is rejected

CDK CLI Version

x

Framework Version

No response

Node.js Version

x

OS

x

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

No response

Activity

rix0rrr
added
bugThis issue is a bug.
needs-triageThis issue or PR still needs to be triaged.
effort/mediumMedium work item – several days of effort
p1
and removed
needs-triageThis issue or PR still needs to be triaged.
on Mar 7, 2022
madeline-k
mentioned this on Mar 9, 2022
rix0rrr
assigned
madeline-k
and
kaizencc
on Mar 14, 2022
kaizencc
mentioned this on Mar 18, 2022
mergify
added a commit that references this issue on Mar 24, 2022

fix(lambda): support Lambda's new `Invoke` with `Qualifier` authoriza…

d06b27f
mergify
added a commit that references this issue on Mar 31, 2022

feat(lambda): warn if you use `function.grantInvoke` while also using…

fd1fff9
kaizencc

kaizencc commented on Mar 31, 2022

@kaizencc
kaizencc
on Mar 31, 2022
Contributor

This issue is closed by the combination of #19318 and #19464

kaizencc
closed this as completedon Mar 31, 2022
github-actions

github-actions commented on Mar 31, 2022

@github-actions
github-actionsbot
on Mar 31, 2022
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

StevePotter
added a commit that references this issue on Apr 27, 2022

fix(lambda): support Lambda's new `Invoke` with `Qualifier` authoriza…

3902e35

1 remaining item

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

bugThis issue is a bug.effort/mediumMedium work item – several days of effortp1

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @rix0rrr@kaizencc@madeline-k

      Issue actions
        (lambda): CDK-generated permissions will not work on Lambda invoked with `Qualifier=` · Issue #19273 · aws/aws-cdk