Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lambda policy size exceeds limit when used with multiple RestApi methods #5774

Closed
AmitBaranes opened this issue Jan 13, 2020 · 9 comments
Closed

lambda policy size exceeds limit when used with multiple RestApi methods #5774

AmitBaranes opened this issue Jan 13, 2020 · 9 comments
Assignees
@nija-at
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway closing-soon This issue will automatically close in 4 days unless further comments are made. feature-request A feature should be added or improved.

Comments

@AmitBaranes
Copy link

short description:

Override Lambda Permission manually when creating a new API Gateway method.

Use Case

Recently I faced this issue when pointing multiple API Gateways methods to specific lambda :

The final policy size (XXX) is bigger than the limit (20480)

The feature allows users to bypass automatic permission creation (sort of "manual mode") to avoid this limitation.

I noticed that when using LambdaIntegration class the bind function adds permissions automatically to the lambda function based on the method URL.

My workaround was overriding the bind function with my own class ( see this post - https://stackoverflow.com/questions/59713522/cdk-override-bind-when-using-lambdaintegration?noredirect=1#comment105588249_59713522) and implement my own logic.

This feature can give more flexibility to the end-user and could give more control about the lambda permissions.

This is a 🚀 Feature Request
@AmitBaranes AmitBaranes added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jan 13, 2020
@SomayaB SomayaB added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Jan 13, 2020
@nija-at nija-at changed the title Add Permissions to lambda manually lambda policy size exceeds limit when used with multiple RestApi methods Feb 5, 2020
@nija-at nija-at added effort/large Large work item – several weeks of effort and removed needs-triage This issue or PR still needs to be triaged. labels Feb 5, 2020
@nija-at
Copy link
Contributor

nija-at commented Feb 5, 2020

@AmitBaranes -

I've re-purposed the issue title to define what the issue. While your suggestion to fix this does make it more flexible, it wouldn't be the right customer experience for a CDK user.

Looking to understand this a little more -

Could you provide the number of APIGateway methods that use the same lambda function? It would be useful if you can also get the generated policy from the CloudFormation template and put it on the issue.

Do you know which of these limits - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html - are you specifically encountering?

@nija-at nija-at added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed effort/large Large work item – several weeks of effort labels Feb 5, 2020
@SomayaB SomayaB added closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. closing-soon This issue will automatically close in 4 days unless further comments are made. labels Feb 17, 2020
@SomayaB SomayaB added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Feb 24, 2020
@SomayaB
Copy link
Contributor

SomayaB commented Mar 4, 2020

Closing this issue since there hasn't been a response in a while. Feel free to reopen.

@SomayaB SomayaB closed this as completed Mar 4, 2020
@rehanvdm
Copy link

rehanvdm commented Apr 6, 2020
edited

@nija-at "it wouldn't be the right customer experience for a CDK user." Why do you think this? Also it is the resource based policy which has limit of 2,048.

The problem is that LambdaIntegration calls the lambda function addPermission everytime for a new Method. The policy gets filled up quite quickly and then the stack fails stating that the policy size is too big. The solution is to create a variation of the LambdaIntegration class that does the binding but does not add a individual method policy for each API method but rather just give the whole API (any resource + method) access to the Lambda.

import lambda = require('@aws-cdk/aws-lambda');
import apigateway = require('@aws-cdk/aws-apigateway');

class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration
{
    constructor(handler: lambda.IFunction, options?: apigateway.LambdaIntegrationOptions) {
        super(handler, options);
    }

    bind(method: apigateway.Method)
    {
        this['scope'] = method;
    }
}

const api = new apigateway.RestApi(this, id+"-api", {
            restApiName: id,
            deployOptions: { stageName: buildPros.Environment },
            defaultCorsPreflightOptions: {
                allowOrigins: apigateway.Cors.ALL_ORIGINS,
                allowMethods: apigateway.Cors.ALL_METHODS,
                allowHeaders: ["*"]
            },
            defaultIntegration: new LambdaIntegrationNoPermission(apiLambda, {proxy: true}),
        });

.... Add many methods and resources here ....

/* Manually add the permission, specifying with the API function arnForExecuteApi empty params means for all methods, paths and stages    */
apiLambda.addPermission(id + "ApiGWPermissions", {
           action: 'lambda:InvokeFunction',
           principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
           sourceArn: api.arnForExecuteApi()
       });

@andrew-terekhov
Copy link

@rehanvdm Is it possible to make the same trick with this['scope'] = method in python?

@AmitBaranes
Copy link
Author

AmitBaranes commented Jun 18, 2020
edited

@andrew-terekhov I guess there is, you need to override the parent function. I'm not familiar with how to do that in python. but, I'm sure there is a way.

@andrew-terekhov
Copy link

@AmitBaranes Thank you for the response!
I've tried to do it in python but discovered that scope is a private attribute of AwsIntegration in TypeScript, so I can't access this attribute in python. I've tried to override bind method but I should call the parent method that adds permissions anyway.

@phrastnik phrastnik mentioned this issue Jul 29, 2020
Open
@Iku-turso
Copy link

I'm getting burned by this as well :/

@rehanvdm
Copy link

@nija-at "it wouldn't be the right customer experience for a CDK user." Why do you think this? Also it is the resource based policy which has limit of 2,048.

The problem is that LambdaIntegration calls the lambda function addPermission everytime for a new Method. The policy gets filled up quite quickly and then the stack fails stating that the policy size is too big. The solution is to create a variation of the LambdaIntegration class that does the binding but does not add a individual method policy for each API method but rather just give the whole API (any resource + method) access to the Lambda.

import lambda = require('@aws-cdk/aws-lambda');
import apigateway = require('@aws-cdk/aws-apigateway');

class LambdaIntegrationNoPermission extends apigateway.LambdaIntegration
{
    constructor(handler: lambda.IFunction, options?: apigateway.LambdaIntegrationOptions) {
        super(handler, options);
    }

    bind(method: apigateway.Method)
    {
        this['scope'] = method;
    }
}

const api = new apigateway.RestApi(this, id+"-api", {
            restApiName: id,
            deployOptions: { stageName: buildPros.Environment },
            defaultCorsPreflightOptions: {
                allowOrigins: apigateway.Cors.ALL_ORIGINS,
                allowMethods: apigateway.Cors.ALL_METHODS,
                allowHeaders: ["*"]
            },
            defaultIntegration: new LambdaIntegrationNoPermission(apiLambda, {proxy: true}),
        });

.... Add many methods and resources here ....

/* Manually add the permission, specifying with the API function arnForExecuteApi empty params means for all methods, paths and stages    */
apiLambda.addPermission(id + "ApiGWPermissions", {
           action: 'lambda:InvokeFunction',
           principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
           sourceArn: api.arnForExecuteApi()
       });

Does not work anymore since the Method signature changed, refer to the newly opened ticket addressing this and the new solution here: #9327 (comment)

@NGL321 NGL321 mentioned this issue Mar 8, 2022
Closed
@sabornibhattacharya
Copy link

I have published a serverlessland pattern that can be used as a workaround meanwhile -

https://serverlessland.com/patterns/apigw-lambda-wildcard-resourcebasedpolicy-cdk

The solution replaces all other would-be created policy for each new integration with a wildcard resource-based policy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nija-at nija-at

Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway closing-soon This issue will automatically close in 4 days unless further comments are made. feature-request A feature should be added or improved.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@Iku-turso @nija-at @rehanvdm @SomayaB @andrew-terekhov @AmitBaranes @sabornibhattacharya