Lambda: Incorrect account used for S3 event source mapping #21628
Labels
@aws-cdk/aws-lambda
Related to AWS Lambda
bug
This issue is a bug.
effort/small
Small work item – less than a day of effort
p1
Comments
Timidger added the bug and needs-triage labels on Aug 16, 2022
Timidger changed the title from "(module name): (short issue description)" to "Lambda: Incorrect account used for S3 event source mapping" on Aug 16, 2022
otaviomacedo added the p2 and effort/small labels and removed the needs-triage label on Nov 18, 2022
This was referenced Feb 7, 2024
mergify bot pushed a commit that referenced this issue on Mar 6, 2024:
### Issue # (if applicable)

#21628 initial PR was closed for naming issues: #29023

Closes #<issue number here>.

### Reason for this change

A customer has a stack intending to deploy, alongside other things, a Lambda to account "A". A bucket (in account "B") was referenced using fromBucketAttributes in the same stack and specified account "B" as the account attribute. When hooked to the Lambda using addEventSource, it was expected that the generated IAM configuration would specify account "B" as part of the conditional grant. However, account "A" is defined as the "source account", which is incorrect. The bucket lives in account "B" and was only referenced in the stack whose resources get deployed to "A".

Today, when an S3 bucket is added as an event source to a Lambda, the account for the bucket is sourced from the stack, not from the bucket configuration. CDK fails to reference the customer's bucket account and instead uses the stack account, which might not necessarily be the bucket account.

### Description of changes

### Description of how you validated changes

1. Extensive testing was conducted by creating an application and validating the generated templates
2. A unit test was also added to test the new change

```
aws-cdk-lib % yarn test aws-lambda-event-sources
yarn run v1.22.19
$ jest aws-lambda-event-sources
PASS aws-lambda-event-sources/test/sns.test.ts (56.025 s)
PASS aws-lambda-event-sources/test/s3.test.ts (56.097 s)
PASS aws-lambda-event-sources/test/api.test.ts (56.436 s)
PASS aws-lambda-event-sources/test/kinesis.test.ts (56.558 s)
PASS aws-lambda-event-sources/test/dynamo.test.ts (57.016 s)
PASS aws-lambda-event-sources/test/sqs.test.ts (56.816 s)
PASS aws-lambda-event-sources/test/kafka.test.ts (57.452 s)
A worker process has failed to exit gracefully and has been force exited. This is likely caused by tests leaking due to improper teardown. Try running with --detectOpenHandles to find leaks. Active timers can also cause this, ensure that .unref() was called on them.
```

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Does the issue persist @Timidger?

I cannot reproduce the issue, so I am closing it. Please open a new one with clear repro steps if you are still facing this issue.

Comments on closed issues and PRs are hard for our team to see.
Describe the bug
When adding an S3 bucket as an event source to a Lambda, the account for the bucket is sourced from the stack, not from the bucket configuration.
Expected Behavior
We have a stack intending to deploy, amongst other things, a Lambda to account "A". We reference a `Bucket` (which lives in account "B") using `fromBucketAttributes` in the same stack and specify account "B" as the `account` attribute (see reproduction steps). When hooking it up to the Lambda using `addEventSource`, we expect that it will generate IAM configuration specifying account "B" as part of the conditional grant.

Expected output from CDK:
Current Behavior
Account "A" is defined as the "source account" which is incorrect. The Bucket lives in account "B" and was only referenced in the stack whose resources get deployed to "A".
Actual output from CDK:
Reproduction Steps
Possible Solution
To me, the most correct solution involves sourcing the bucket account from the bucket configuration itself. Since it's possible to specify the bucket account ID it's surprising when that isn't used when generating the IAM permissions.
I found a very bad workaround in the meantime in case anyone else is running into this:
Additional Information/Context
No response
CDK CLI Version
2.29.0 (build 47d7ec4)
Framework Version
No response
Node.js Version
v14.19.3
OS
Amazon Linux 2
Language
Typescript
Language Version
No response
Other information
No response
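The mismatch this issue describes shows up in the synthesized template as an `AWS::Lambda::Permission` for `s3.amazonaws.com` whose `SourceAccount` is the stack account rather than the bucket owner, so it can be caught before deploy. The following TypeScript is an added example, not code from the aws-cdk project: it scans a template for such grants and compares each `SourceAccount` against a bucket-owner map supplied by the caller. The template, logical ids, bucket names and account ids are constructed for illustration.

```typescript
interface CfnResource { Type: string; Properties?: Record<string, unknown> }
interface CfnTemplate { Resources: Record<string, CfnResource> }
interface Finding { logicalId: string; sourceArn: string; sourceAccount: string; expectedAccount: string }

// CDK emits SourceAccount as a literal id or as { Ref: "AWS::AccountId" }; both mean the stack's account.
function resolveAccount(value: unknown, stackAccount: string): string {
  if (typeof value === "string") return value;
  if (value !== null && typeof value === "object" &&
      (value as Record<string, unknown>)["Ref"] === "AWS::AccountId") return stackAccount;
  return "";
}

// Flag each s3.amazonaws.com invoke permission whose SourceAccount is not the owner of the bucket in SourceArn.
function findMismatchedS3Permissions(
  template: CfnTemplate, bucketOwners: Record<string, string>, stackAccount: string,
): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== "AWS::Lambda::Permission") continue;
    const props = res.Properties ?? {};
    if (props["Principal"] !== "s3.amazonaws.com") continue;
    const sourceArn = String(props["SourceArn"] ?? "");
    const expectedAccount = bucketOwners[sourceArn];
    if (expectedAccount === undefined) continue; // bucket not in the caller's owner map
    const sourceAccount = resolveAccount(props["SourceAccount"], stackAccount);
    if (sourceAccount !== expectedAccount) {
      findings.push({ logicalId, sourceArn, sourceAccount, expectedAccount });
    }
  }
  return findings;
}

// Constructed sample: the stack deploys to 111111111111 ("A"). The first grant is for a bucket owned by
// 222222222222 ("B") but is scoped to the stack account (the defect reported above); the second is correct.
const sampleTemplate: CfnTemplate = {
  Resources: {
    FnAllowBucketNotificationsFromB: { Type: "AWS::Lambda::Permission", Properties: {
      Principal: "s3.amazonaws.com", SourceAccount: { Ref: "AWS::AccountId" },
      SourceArn: "arn:aws:s3:::bucket-in-account-b" } },
    FnAllowBucketNotificationsFromA: { Type: "AWS::Lambda::Permission", Properties: {
      Principal: "s3.amazonaws.com", SourceAccount: "111111111111",
      SourceArn: "arn:aws:s3:::bucket-in-account-a" } },
  },
};
const sampleBucketOwners: Record<string, string> = {
  "arn:aws:s3:::bucket-in-account-b": "222222222222",
  "arn:aws:s3:::bucket-in-account-a": "111111111111",
};
```

Run it over the output of `cdk synth` with the owner map taken from the `account` values passed to `fromBucketAttributes`; any finding means the Lambda resource policy will reject notifications from the real bucket.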