feat(lambda): add grantInvokeLatestVersion to grant invoke only to latest function version #29856
Conversation
github-actions
bot
added
repeat-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
roger-zhangg
changed the title
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-maintainer-review
There was a problem hiding this comment.
A cleaner way to implement this feature would be to extend the current implementation of grantInvoke and to add a onlyGrantLatestVersion parameter with a default value. Using a Props object is also preferable for future extensibility:
interface GrantInvokeProps {
onlyGrantLatestVersion?: boolean;
}
grantInvoke(grantee: iam.IGrantable, { onlyGrantLatestVersion = false }: GrantInvokeProps = {}): iam.Grant;This would not cause a breaking change, given existing calls to grantInvoke would remain correct and unchanged.
EDIT: Sorry, I didn't notice you proposed the same solution at the end of your PR comment. I would definitely favor it
roger-zhangg
force-pushed
the
grant_invoke_v2
branch
from
46dba87
to
fc612e3
Compare
| const hash = createHash('sha256') | ||
| .update(JSON.stringify({ | ||
| principal: grantee.grantPrincipal.toString(), | ||
| conditions: grantee.grantPrincipal.policyFragment.conditions, | ||
| onlyGrantLatestVersion: props.onlyGrantLatestVersion, |
There was a problem hiding this comment.
Switching between grantInvoke(grantee) and grantInvoke(grantee, { onlyGrantLatestVersion: false }) would cause an unnecessary hash change
| onlyGrantLatestVersion: props.onlyGrantLatestVersion, | |
| onlyGrantLatestVersion: props.onlyGrantLatestVersion ?? false, |
| @@ -201,6 +201,15 @@ You can also restrict permissions given to AWS services by providing | |||
| a source account or ARN (representing the account and identifier of the resource | |||
| that accesses the function or layer). | |||
|
|
|||
| **Important**: By default `fn.grantInvoke()` grants permission to the principal to invoke any version of the function, including all past ones. If you only want the principal to invoke the latest version, use `grantInvoke(grantee, { onlyGrantLatestVersion:true })`. | |||
There was a problem hiding this comment.
| **Important**: By default `fn.grantInvoke()` grants permission to the principal to invoke any version of the function, including all past ones. If you only want the principal to invoke the latest version, use `grantInvoke(grantee, { onlyGrantLatestVersion:true })`. | |
| **Important**: By default `fn.grantInvoke()` grants permission to the principal to invoke any version of the function, including all past ones. If you only want the principal to be granted permission to invoke the latest version, use `grantInvoke(grantee, { onlyGrantLatestVersion: true })`. |
You can also use a Markdown quote to increase the visibility, e.g. this note
> By default...
There was a problem hiding this comment.
Could you add unit tests with imported Lambda functions as well? I am especially anticipating issues with the following:
lambda.Function.fromFunctionArn(
stack,
'unqualified',
'arn:aws:lambda:us-east-1:123456789012:function:my-function'
);
lambda.Function.fromFunctionArn(
stack,
'v1',
'arn:aws:lambda:us-east-1:123456789012:function:my-function:1'
);
lambda.Function.fromFunctionArn(
stack,
'latest',
'arn:aws:lambda:us-east-1:123456789012:function:my-function:$LATEST'
);If you onlyGrantLatestVersion for the first example, I would assume it would actually only grant the ARN version, which might not actually be the latest version
There was a problem hiding this comment.
Thanks for the hint, and this is interesting. For the current design onlyGrantLatestVersion will grant permission to this.functionArn. While the previous design without onlyGrantLatestVersion grants to [this.functionArn, ${this.functionArn}:*]. I would assume if this.functionArn is something like arn:aws:lambda:us-east-1:123456789012:function:my-function:1 the previous method won't work either. I'll update once I checked this out.
There was a problem hiding this comment.
Update: I tried out fromFunctionArn and seems CDK doesn't allow calling grantInvoke on a imported Lambda function
sample code
const func2 = lambda.Function.fromFunctionArn(
this,
'v1',
'arn:aws:lambda:us-east-1:123456789012:function:my-function:1'
);
const lambdaRole = new iam.Role(this, 'LambdaRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
func2.grantInvoke(lambdaRole);error
/local/home/ruojiazh/proj/aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts:563
throw new Error('Cannot modify permission to lambda function. Function is either imported or $LATEST version.\n'
^
Error: Cannot modify permission to lambda function. Function is either imported or $LATEST version.
If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag.
If the function is imported from a different account and already has the correct permissions use `fromFunctionAttributes()` API with the `skipPermissions` flag.
Using the suggested method fromFunctionAttributes
const func2 = lambda.Function.fromFunctionAttributes(this, 'Function', {
functionArn: 'arn:aws:lambda:us-east-1:123456789012:function:my-function:1',
sameEnvironment: true,
});
const lambdaRole = new iam.Role(this, 'LambdaRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
});
func2.grantInvoke(lambdaRole);output
PolicyDocument:
Statement:
- Action: lambda:InvokeFunction
Effect: Allow
Resource:
- arn:aws:lambda:us-east-1:123456789012:function:my-function:1
- arn:aws:lambda:us-east-1:123456789012:function:my-function:1:*
Version: "2012-10-17"
You can see the output here is actually wrong, However because it still have allow on arn:aws:lambda:us-east-1:123456789012:function:my-function:1, this will allow the principle to invoke the given version. I assume CDK doesn't expect you to passin the function arn with a version in fromFunctionAttributes and CDK also didn't (or unable to) check if this ARN is valid or not. If we follow this design, we can also assume the Arn passed in shouldn't have a version.
| grant = this.grant(grantee, identifier, 'lambda:InvokeFunction', this.resourceArnsForGrantInvoke); | ||
| let resouceArns = this.resourceArnsForGrantInvoke; | ||
| if (props.onlyGrantLatestVersion) { | ||
| resouceArns = [this.functionArn]; |
There was a problem hiding this comment.
Is functionArn always fully qualified? If it is, what happens if functionArn points to a specific version, e.g. my-function:1, but other versions were published since? You are no longer granting the latest version, just "a" version
See the comment on the unit tests file below
There was a problem hiding this comment.
Refer to the comment above, the previous design doesn't expect a functionArn with version
There was a problem hiding this comment.
The integration feels a bit lackluster here, we're only testing that the policy is synthetically correct, not that the grants work as expected
Adding integration assertions to check that the functions are invokable with the provided examples would be ideal, either with AwsApiCalls, or by adding an API Gateway to integrate the Lambdas and running HttpApiCalls
There was a problem hiding this comment.
I do agree only testing synthetically is kind of wired, but doing AwsApiCalls seems to be testing against Lambda/IAM rather than testing CDK. So I just followed the previous test behavior
| /** | ||
| * Controls whether to grant invoke access to all function versions. Defaults to `false`. | ||
| * - When set to `false`, both the function and functions with specific versions can be invoked. | ||
| * - When set to `true`, only the function without a specific version (`$Latest`) can be invoked. |
There was a problem hiding this comment.
Is this accurate? I would imagine that at least functionname:$LATEST would be invokable, and probably even functionname:3, if 3 was the latest published version
There was a problem hiding this comment.
Thanks for catching this, I think you are right👍
| @@ -95,12 +95,12 @@ export interface IFunction extends IResource, ec2.IConnectable, iam.IGrantable { | |||
| /** | |||
| * Grant the given identity permissions to invoke this Lambda | |||
| */ | |||
| grantInvoke(identity: iam.IGrantable): iam.Grant; | |||
| grantInvoke(grantee: iam.IGrantable, props?: GrantInvokeProps): iam.Grant; | |||
There was a problem hiding this comment.
Seems like we add the props to the existing grantInvoke method which differs from the description of this PR. Are we not creating as new helper method grantInvokeV2 with the props without touching the existing method?
We provides a new function fn.grantInvokeV2() with a flag grantVersionAccess to controls whether to grant access to all function versions. Defaults to false.
There was a problem hiding this comment.
If this is the propsed solution in updating the existing method grantInvoke with optional props, can we also update the PR description and update in the original issue?
There was a problem hiding this comment.
updating the existing parameter name identity would it cause a breaking change?
There was a problem hiding this comment.
I'm also confused on this part, this interface uses identity as param, however the implementation uses grantee. I'm not sure if we should just keep it as is or should we change one to match the other?
| public grantInvoke(identity: iam.IGrantable): iam.Grant { | ||
| return this.lambda.grantInvoke(identity); | ||
| public grantInvoke(identity: iam.IGrantable, props?: lambda.GrantInvokeProps): iam.Grant { | ||
| return this.lambda.grantInvoke(identity, props); |
There was a problem hiding this comment.
nit: do we need to update the identity parameter to grantee as defined in the lambda grantInvoke method?
| @@ -17,6 +17,10 @@ fn.grantInvoke(new iam.AnyPrincipal().inOrganization('o-yyyyyyyyyy')); | |||
|
|
|||
| fn.grantInvoke(new iam.OrganizationPrincipal('o-xxxxxxxxxx')); | |||
|
|
|||
| fn.grantInvoke(new iam.AnyPrincipal().inOrganization('o-yyyyyyyyyy2'), { onlyGrantLatestVersion: true }); | |||
There was a problem hiding this comment.
Can we able to assert that onlyGrantLatestVersion: true grants only to the specific latest version and other versions should get an error on invocation?
There was a problem hiding this comment.
Hi @godwingrs22 I'm looking into this but could you give me a headup on how to write integ test on this? I think I need to assume to the role I created here. But I didn't find how can I assume role in integration test. I checked invokeFucntion here and invokefunctionprop here but nothing related to assume role is found.
There was a problem hiding this comment.
I had a inspiration on this from my teammate:
Setting up integration test
I can setup 2 lambda function - fn1, fn2. And a role in the integ-test.
fn1 should have multiple versions, and grants invoke lastest version to role
fn2 uses this role, and the handler of fn2 will invoke fn1 with the given version then return the result
running the integration test
In the integration test, we will only invoke fn2 by integ.assertions.invokeFunction(fn2, version). In this way we will know if the role attached to fn2 can invoke fn1 or not. That is:
When
fn1.grantInvokeLatestVersion(role)
Then
integ.assertions.invokeFunction(fn2, '$LATEST') should success
integ.assertions.invokeFunction(fn2, 1) should fail
When
fn1.grantInvokeVersion(role, 1)
Then
integ.assertions.invokeFunction(fn2, '$LATEST') should fail
integ.assertions.invokeFunction(fn2, 1) should success
What do you think?
There was a problem hiding this comment.
Yes this should work. However let me get a second review within my team and get back to you on this integ test handling.
There was a problem hiding this comment.
@roger-zhangg , Seems the current integ test framework is designed for handling success cases. Hence we can write a success case and perform assertion if the right permission is set. This should be good enough to cover the integ test.
Examples:
|
|
Hi @godwingrs22 thanks for the review, I can see your point. For the naming, If we name the new function like |
|
Hi @godwingrs22 , could you please help to take a look when available, Thanks! |
|
😴 |
|
Hi @roger-zhangg , Apologies for the delay. I'll review within this week. |
There was a problem hiding this comment.
@roger-zhangg Apologies for the delay in response. Thank you for making the changes. I've few followup comments left.
| if (!grant) { | ||
| let resouceArns = [`${this.functionArn}:${version.version}`]; | ||
| if (version == this.latestVersion) { | ||
| resouceArns = [this.functionArn, `${this.functionArn}:$LATEST`]; |
There was a problem hiding this comment.
Correct me if i'm wrong. If it is a latest version, we are adding both specific version and $latest version function arns. In that case, can we do like this?
if (check for latest version) {
resouceArns.push(`${this.functionArn}:$LATEST`);
}
There was a problem hiding this comment.
I think you mean resouceArns.push(this.functionArn); Cause we need to enable the customer to invoke through unquantified Function Arn and through Arn:$LATEST
| Effect: 'Allow', | ||
| Resource: [ | ||
| { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, | ||
| { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':$LATEST']] }, |
There was a problem hiding this comment.
We would be able to call the latest lambda by also specfying the version right? In that case, can we assert for the role contains specific latest version also along with $LATEST?
There was a problem hiding this comment.
I think this is not the goal. Imagine if we have a version 33, and it's currently the latest version. If we add a allow for Arn:33 here. And then after customer publishes Version 34, the allow on Arn:33 is still there. This violates our goal for only allow invoking on latest version
aws-cdk-automation
removed
the
pr/needs-maintainer-review
|
This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week. |
|
Will resolve comments this week |
mergify
bot
dismissed
godwingrs22’s stale review
Pull request has been modified.
aws-cdk-automation
added
the
pr/needs-maintainer-review
| if (!grant) { | ||
| let resouceArns = [`${this.functionArn}:${version.version}`]; | ||
| if (version == this.latestVersion) { | ||
| resouceArns = [this.functionArn, `${this.functionArn}:$LATEST`]; |
There was a problem hiding this comment.
I think you mean resouceArns.push(this.functionArn); Cause we need to enable the customer to invoke through unquantified Function Arn and through Arn:$LATEST
| Effect: 'Allow', | ||
| Resource: [ | ||
| { 'Fn::GetAtt': ['Function76856677', 'Arn'] }, | ||
| { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['Function76856677', 'Arn'] }, ':$LATEST']] }, |
There was a problem hiding this comment.
I think this is not the goal. Imagine if we have a version 33, and it's currently the latest version. If we add a allow for Arn:33 here. And then after customer publishes Version 34, the allow on Arn:33 is still there. This violates our goal for only allow invoking on latest version
|
Hi @godwingrs22 , could you help with a final review? Thanks |
There was a problem hiding this comment.
LGTM. Thanks @roger-zhangg for your effort in implementing this feature.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Issue # (if applicable)
Closes #20177
Reason for this change
fn.grantInvoke()will grant invoke permission to invoke both the latest version and all pervious version of the lambda function. We can see this behavior could bring some security concern for some of our customers.Description of changes
We provides a new function
fn.grantInvokeLatestVersion()to grant invoke only to the Latest version of function and the unqualified lambda arnExample:
Description of how you validated changes
Added unit tests and integration tests.
When using
fn.grantInvokeLatestVersion()granted principle to invoke a function's past version, it will get the following error:Alternative design (to discuss)
setup a
grantInvokePropincludinggrantVersionAccessflag to pass in thegrantInvokeLatestVersioninstead usinggrantVersionAccessflag directly ongrantInvokeLatestVersion-> This is discussed in the comments, I agree having props will have future extensibility but usually for grant methods specifically we haven't seen before. So we will not add prop to the new function
grantInvokeLatestVersionChecklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license