Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lambda: Incorrect account used for S3 event source mapping #21628

Closed
Timidger opened this issue Aug 16, 2022 · 3 comments
Closed

Lambda: Incorrect account used for S3 event source mapping #21628

Timidger opened this issue Aug 16, 2022 · 3 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p1

Comments

@Timidger
Copy link

Describe the bug

When adding an S3 bucket as an event source to a lambda the account for the bucket is sourced from the stack not from the bucket configuration.

Expected Behavior

We have a stack intending to deploy, amongst other things, a Lambda to account "A"

We reference a Bucket (which lives in account "B") using fromBucketAttributes in the same stack and specified account "B" as the account attribute (see reproduction steps). When hooking it up to the Lambda using addEventSource we expect that it will generate IAM configuration specifying account "B" as part of the conditional grant.

Expected output from CDK:

├───┼───────────────────────────────────┼────────┼───────────────────────┼───────────────────────────────────┼───────────────────────────────────┤
│ + │ ${my-stack                        │ Allow  │ lambda:InvokeFunction │ Service:s3.amazonaws.com          │ "ArnLike": {                      │
│   │                                   │        │                       │                                   │   "AWS:SourceArn": "arn:aws-cn:s3 │
│   │                                   │        │                       │                                   │ :::the-bucket"                    │
│   │                                   │        │                       │                                   │ },                                │
│   │                                   │        │                       │                                   │ "StringEquals": {                 │
│   │                                   │        │                       │                                   │   "AWS:SourceAccount": "<ACCT B>" │
│   │                                   │        │                       │                                   │                                   │
│   │                                   │        │                       │                                   │ }                                 │
└───┴───────────────────────────────────┴────────┴───────────────────────┴───────────────────────────────────┴───────────────────────────────────┘

Current Behavior

Account "A" is defined as the "source account" which is incorrect. The Bucket lives in account "B" and was only referenced in the stack whose resources get deployed to "A".

Actual output from CDK:

├───┼───────────────────────────────────┼────────┼───────────────────────┼───────────────────────────────────┼───────────────────────────────────┤
│ + │ ${my-stack                        │ Allow  │ lambda:InvokeFunction │ Service:s3.amazonaws.com          │ "ArnLike": {                      │
│   │                                   │        │                       │                                   │   "AWS:SourceArn": "arn:aws-cn:s3 │
│   │                                   │        │                       │                                   │ :::the-bucket"                    │
│   │                                   │        │                       │                                   │ },                                │
│   │                                   │        │                       │                                   │ "StringEquals": {                 │
│   │                                   │        │                       │                                   │   "AWS:SourceAccount": "<ACCT A>" │
│   │                                   │        │                       │                                   │                                   │
│   │                                   │        │                       │                                   │ }                                 │
└───┴───────────────────────────────────┴────────┴───────────────────────┴───────────────────────────────────┴───────────────────────────────────┘

Reproduction Steps

import { DeploymentStack, DeploymentStackProps } from "@amzn/pipelines";
import { Code, Function, Runtime } from 'aws-cdk-lib/aws-lambda';
import { S3EventSource } from "aws-cdk-lib/aws-lambda-event-sources";
import { Bucket, EventType } from "aws-cdk-lib/aws-s3";
import { Construct } from "constructs";

export class BuggyStack extends DeploymentStack {
    constructor(scope: Construct, id: string, props: DeploymentStackProps) {
        super(scope, id, props);
        let accountB = '123456789';

        const foreignBucket =
            Bucket.fromBucketAttributes(this, 'ImportedBucket', {
                bucketArn: 'arn:aws:s3:::some-bucket-not-in-this-account',
                // The account the bucket really lives in
                account: accountB
            });

        let myLambda = new Function(this, 'my-function', {
            runtime: Runtime.PYTHON_3_9,
            code: Code.fromInline('print("hello world")'),
            handler: 'whatever'
        });

        // This will generate the incorrect IAM bindings
        myLambda.addEventSource(new S3EventSource(foreignBucket as Bucket,
            { events: [ EventType.OBJECT_CREATED ] }));
    }
}

Possible Solution

To me, the most correct solution involves sourcing the bucket account from the bucket configuration itself. Since it's possible to specify the bucket account ID it's surprising when that isn't used when generating the IAM permissions.

I found a very bad workaround in the meantime in case anyone else is running into this:

type Writeable<T> = { -readonly [ P in keyof T ]: T[ P ] };
let stack: Writeable<Stack> = Stack.of(myBucket);
let accountA = stack.account;
stack.account = accountB;
myLambda.addEventSource(new S3EventSource(myBucket, { events: myEvents }));
stack.account = accountA;

Additional Information/Context

No response

CDK CLI Version

2.29.0 (build 47d7ec4)

Framework Version

No response

Node.js Version

v14.19.3

OS

Amazon Linux 2

Language

Typescript

Language Version

No response

Other information

No response

@Timidger Timidger added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 16, 2022
@github-actions github-actions bot added the @aws-cdk/aws-s3 Related to Amazon S3 label Aug 16, 2022
@Timidger Timidger changed the title (module name): (short issue description) Lambda: Incorrect account used for S3 event source mapping Aug 16, 2022
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Aug 16, 2022
@otaviomacedo otaviomacedo added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2022
@peterwoodworth peterwoodworth added p1 and removed p2 @aws-cdk/aws-s3 Related to Amazon S3 labels May 19, 2023
mergify bot pushed a commit that referenced this issue Mar 6, 2024
### Issue # (if applicable)
#21628

initial PR was closed for naming issues: #29023

Closes #<issue number here>.
1

### Reason for this change
A Customers has a stack intending to deploy with alongside a Lambda to account "A"

A Bucket (in account "B") was referenced using fromBucketAttributes in the same stack and specified account "B" as the account attribute. When hooked to Lambda using addEventSource, it was expected that the IAM configuration generated will specify account "B" as part of the conditional grant.

However, Account "A" is defined as the "source account" which is incorrect. The Bucket lives in account "B" and was only referenced in the stack whose resources get deployed to "A".

Today S3 bucket is added as an event source to lambda, the account for the bucket is sourced from the stack not from the bucket configuration.


CDK fails to reference customer's bucket account rather is results to using the stack account which might not necessary be the bucket account.

### Description of changes




### Description of how you validated changes

1. Extensive testing was conducted by creating an application and validating the generated templates
2. Unit test was also added to test the new change

```
aws-cdk-lib % yarn test aws-lambda-event-sources 
yarn run v1.22.19
$ jest aws-lambda-event-sources
 PASS  aws-lambda-event-sources/test/sns.test.ts (56.025 s)
 PASS  aws-lambda-event-sources/test/s3.test.ts (56.097 s)
 PASS  aws-lambda-event-sources/test/api.test.ts (56.436 s)
 PASS  aws-lambda-event-sources/test/kinesis.test.ts (56.558 s)
 PASS  aws-lambda-event-sources/test/dynamo.test.ts (57.016 s)
 PASS  aws-lambda-event-sources/test/sqs.test.ts (56.816 s)
 PASS  aws-lambda-event-sources/test/kafka.test.ts (57.452 s)
A worker process has failed to exit gracefully and has been force exited. This is likely caused by tests leaking due to improper teardown. Try running with --detectOpenHandles to find leaks. Active timers can also cause this, ensure that .unref() was called on them.

```



### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)


*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@jonife
Copy link
Contributor

jonife commented Mar 18, 2024

Does issue persist @Timidger

@scorbiere
Copy link
Contributor

I cannot reproduce the issue, I am closing it. Please open with a clear repro steps if you are still facing this issue.

Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort p1
Projects
None yet
Development

No branches or pull requests

6 participants