@aws-cdk/integ-tests-alpha: (Integ-test's does not have the proper role permission) #27865
Comments
The other workaround that I have tried is to leverage `api_call.provider.add_to_role_policy`, hoping to add policies to the singletonFunction to support the invocation of the lambda function. After checking the resources created by the stack, it seems that the added policy was not properly added to the singletonFunction's execution role. Rather, it was added to some other singletonFunctions that are not in charge of invoking the function-of-interest. So there might also be a mismatch issue between the provider and the one that is actually triggering the function.

I think at least... Are you able to provide a minimal sample that we can reproduce in our account?

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
Hi, @pahud , here is the code:

```python
import json

from aws_cdk import Duration
from aws_cdk.integ_tests_alpha import ExpectedResult, InvocationType, Match

# `integ` is the IntegTest and `stack_to_be_tested` is the stack under test (defined elsewhere)
lambda_invocation = integ.assertions.invoke_function(
    function_name=stack_to_be_tested.lambda_function.function_name,
    invocation_type=InvocationType.EVENT,
    payload=json.dumps({
        "days": 1
    })
).expect(
    ExpectedResult.object_like(
        {
            "execution_arn": Match.string_like_regexp("arn:aws:states:us-.*")
        }
    )
).wait_for_assertions(
    interval=Duration.seconds(10),
    total_timeout=Duration.minutes(90)
)
```
An example that integ_test fails to add the role policy to the assertion provider:
In the singletonFunction, I kept seeing the following message:
and when I go into the role that is attached to this lambda function, the in-line policy is defined as follows:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:Invoke"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "states:DescribeExecution"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
```

Apparently, for lambda-related IAM actions, there is no such action as "Invoke", so it has to be a typo. Ref: https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html

The other question for this inline-policy is that the added role_policy was not reflected, so there are primarily 2 issues here. Hope that these details will help you reproduce the issue.
### Description

The following issue describes a bug where the IAM Policy is not correctly set to the calling Lambda when using `invokeFunction` and `waitForAssertions`. Normally, when the `waitForAssertions` method is invoked, the necessary Policy is granted to the `waiterProvider` using the `addPolicyStatementFromSdkCall` method.

https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L136

In the case of a Lambda function call, the API name and the Action name of the Policy are different (invoke => invokeFunction), so the `addPolicyStatementFromSdkCall` method cannot grant the correct Policy. The `LambdaInvokeFunction` is doing the correct Policy assignment to deal with this in the constructor.

https://github.com/aws/aws-cdk/blob/52a5579aa52c88bb289a7a9677c35385763c8fff/packages/%40aws-cdk/integ-tests-alpha/lib/assertions/sdk.ts#L247

However, this is not done for the `waiterProvider`, resulting in an access denied error. This PR has been modified so that the correct Policy is granted to `waiterProvider`.

fixes #27865

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
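To make the mismatch concrete, here is an added example (not code from aws-cdk or from this PR): it derives an IAM action from an SDK call name with the Lambda exception described above (the capitalise-the-API-name rule is an assumption), and audits a synthesized template for roles that carry only the invalid `lambda:Invoke` action, as the reporter saw. The template, logical ids and policy contents are constructed for the example.

```python
import json

# Constructed sample in the shape CDK synthesizes for integ-tests-alpha singleton function
# roles; logical ids and contents are made up, modelled on the inline policy quoted above.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "SingletonFunction76b3e830Role": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "Inline", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": ["lambda:Invoke"], "Resource": ["*"], "Effect": "Allow"},
            {"Action": ["states:DescribeExecution"], "Resource": ["*"], "Effect": "Allow"}]}}]}},
    "SingletonFunction1488541aPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyDocument": {"Statement": [
            {"Action": ["lambda:Invoke", "lambda:InvokeFunction"], "Resource": "*", "Effect": "Allow"}]},
        "Roles": ["SingletonFunction1488541aRole"]}},
}})

def iam_action_for_sdk_call(service, api):
    """Assumed derivation rule (capitalise the API name) plus the Lambda exception the PR adds."""
    overrides = {("lambda", "invoke"): "InvokeFunction"}
    return f"{service}:{overrides.get((service, api), api[0].upper() + api[1:])}"

def allowed_actions(doc):
    """Collect Allow actions from a policy document; Action may be a string or a list."""
    stmts = doc.get("Statement", [])
    actions = set()
    for stmt in (stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions

def audit_invoke_permissions(template_json):
    """Flag roles/policies carrying the invalid lambda:Invoke, noting whether InvokeFunction is present."""
    findings = {}
    for logical_id, res in json.loads(template_json).get("Resources", {}).items():
        props, kind = res.get("Properties", {}), res.get("Type")
        if kind == "AWS::IAM::Role":       # inline policies attached to the role
            docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
        elif kind == "AWS::IAM::Policy":   # standalone policy resource (e.g. a DefaultPolicy)
            docs = [props["PolicyDocument"]]
        else:
            continue
        acts = set().union(*(allowed_actions(d) for d in docs))
        if "lambda:Invoke" in acts:
            findings[logical_id] = ("invalid lambda:Invoke only; missing lambda:InvokeFunction"
                                    if "lambda:InvokeFunction" not in acts
                                    else "has lambda:InvokeFunction but also invalid lambda:Invoke")
    return findings
```

Run it against `cdk synth` output of the assertion stack to spot the role that only received `lambda:Invoke`.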
Hi @pahud , I don't think this issue was fully addressed by the most recent PR #28424. In the latest version 2.118.0, although the wait provider was granted the correct permission, the actual singleton function that is in charge of invoking the function-to-be-tested is still not granted the "lambda:InvokeFunction" action. You can try to reproduce the issue by following the exact same process that is mentioned earlier in this issue report.
### Describe the bug

@aws-cdk/integ-tests-alpha module
https://docs.aws.amazon.com/cdk/api/v2/docs/integ-tests-alpha-readme.html

During the deployment, several lambda functions and execution roles are auto-generated by CDK.

Stack ARN in case it helps for troubleshooting:
arn:aws:cloudformation:us-west-2:673604154507:stack/IntegTestdevDefaultTestDeployAssert31A9C52F/5746bdf0-7d00-11ee-9e23-06a38c3b8f8b

Inside the state machine, we can see the error

However, checking the auto-generated lambda execution roles, one of the roles, `IntegTestdevDefaultTestDe-SingletonFunction76b3e830-QIh9L3ag1iz4`, has the permission "lambda:Invoke", but there is no "lambda:InvokeFunction" permission; another role, `IntegTestdevDefaultTestDe-SingletonFunction1488541a-PkTEiGn4sLHb`, has both "lambda:Invoke" and "lambda:InvokeFunction" permissions automatically generated.

### Expected Behavior

Inside the AWS console, the below action is an invalid action, and the console will throw a validation error. May I know if this is a bug in CDK that auto-generates "lambda:Invoke" in the action rather than "lambda:InvokeFunction"?

### Current Behavior

We tried to use an escape hatch to go down to the L2/L1 construct to override the role permission; however, the L1 construct of the Role is `CfnResource`, not `CfnRole`, which is also a bit different from other constructs like `aws-lambda`, where I can get `CfnRole` and it can be used with `add_property_override`.

Example of the `aws_lambda` construct: printout with `CfnRole` as the construct.

However, for the `@aws-cdk/integ-tests-alpha` module, I can only get the `CfnResource` construct (see attachment) and cannot use `add_property_override` to change the policy.

### Reproduction Steps

Question 1: may I know how the code is integrated in the backend to choose which IAM Role makes the invokefunction action inside the state machine? And how can we customise this IAM role please?

Question 2: inside the AWS console, the below action is an invalid action, and the console will throw a validation error. May I know if this is a bug in CDK that auto-generates "lambda:Invoke" in the action rather than "lambda:InvokeFunction"?

### Possible Solution

No response

### Additional Information/Context

No response

### CDK CLI Version

2.104.0

### Framework Version

No response

### Node.js Version

n/a

### OS

mac

### Language

Python

### Language Version

No response

### Other information

No response