[aws-ec2] Cannot get VPC from ID for Lambda deploy, results in multiple builds
General Issue
I have a Lambda function deploying and I am trying to attach it to a VPC.
I am migrating from Serverless Framework (SLS) to CDK. With SLS I specified a security group ID and a subnet ID, but it looks like CDK requires a VPC ID specified as well.
However, although I could deploy the Lambda function successfully through the same user, with CDK it tells me I don’t have permissions:
const vpcLambdaDB = cdkEC2.Vpc.fromLookup(this, 'vpcLambdaDB', {
  vpcId: 'vpc-13851b74',
});
[Error at /my-stack] You are not authorized to perform this operation.
It doesn’t tell me what permissions I need, so I tried adding DescribeVpcs as it was the only one that appeared relevant, however this did not work. I would rather not add any extra permissions at all, since this worked with SLS so I know these permissions allow me to deploy a Lambda into a VPC. Is there a way to have it just accept the VPC ID I am supplying without requiring special permissions to look it up? Or is there a way to forget the VPC and just supply the security group ID and subnet ID as I did with SLS? The docs say these are ignored if VPC is not supplied in the CDK Lambda function’s options.
Also, since I added the above Vpc.fromLookup() call, my Lambda functions get built two, sometimes three times over:
Bundling asset my-stack/my-lambda/Code/Stage...
../../../asset-output/my-lambda.js 965.2 KB 356ms
Bundling asset my-stack/my-lambda/Code/Stage...
../../../asset-output/my-lambda.js 965.2 KB 363ms
This happens even if I don’t specify the VPC on the Lambda function - just having the lookup command and discarding the response causes multiple builds. This only seems to have happened since upgrading to CDK 1.73.0. When I was using 1.71.0 it was only being built once, but I upgraded to see if the VPC request would work without changing permissions and now everything is being built multiple times. If I comment out the Vpc.fromLookup() then things go back to being built only once.
Environment
- CDK CLI Version: 1.73.0 (build eb6f3a9)
- Module Version: 1.73.0
- Node.js Version: v14.13.0
- OS: Arch Linux
- Language (Version): NodeJS
(as this is technically a support question if you would like me to open an AWS Support case and post the number here let me know and I will do so, if that would help)
Top GitHub Comments
I’m afraid I can’t remember exactly but I thought the error message told me. I think they were EC2 permissions, either DescribeVpc* or possibly DescribeRouteTables.
I hit the same issue (tested only with CDK 1.23.0 (build 01f326e)) and using AWS CloudTrail, I found the API calls made by the method and so the 3 required permissions:
- DescribeVpnGateways
- DescribeSubnets
- DescribeRouteTables
AWS IAM Policy Simulator can then be used to check if those permissions are allowed or denied.
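The approach in the comment above (read CloudTrail for the deploying principal, collect the EC2 calls the lookup made, grant exactly those) can be scripted, and the same script explains why the original poster's attempt of adding DescribeVpcs alone did not work. The following is an added example, not code from this issue or from the CDK project. Everything in it is constructed: the CloudTrail records, the principal ARN (with the 123456789012 placeholder account), and the event names, which are the three the comment lists plus DescribeVpcs from the original post. The errorCode value "Client.UnauthorizedOperation" is the code EC2 records in CloudTrail for the "You are not authorized to perform this operation" response; the read-only filter and the small policy matcher are this example's own logic, not the IAM policy simulator.

```typescript
// Added example: derive a least-privilege IAM statement for Vpc.fromLookup()
// from CloudTrail records, then check candidate policies against it.

interface CloudTrailRecord {
  eventSource: string;            // e.g. "ec2.amazonaws.com"
  eventName: string;              // e.g. "DescribeSubnets"
  userIdentity: { arn: string };  // the principal that made the call
  errorCode?: string;             // present only when the call failed
}

interface PolicyStatement { Effect: "Allow" | "Deny"; Action: string[]; Resource: string; }
interface PolicyDocument { Version: "2012-10-17"; Statement: PolicyStatement[]; }

// Error codes CloudTrail records for a denied call (EC2 uses the first one).
const DENIED_CODES = new Set(["Client.UnauthorizedOperation", "AccessDenied", "AccessDeniedException"]);

// Constructed sample records: four denied EC2 lookups by the deployer (one of
// them repeated, as the OP's multiple builds would produce), one successful
// Lambda call, and one denied call by an unrelated principal.
const DEPLOYER = "arn:aws:iam::123456789012:user/deployer";   // placeholder ARN
const SAMPLE_RECORDS: CloudTrailRecord[] = [
  { eventSource: "ec2.amazonaws.com", eventName: "DescribeVpcs", userIdentity: { arn: DEPLOYER }, errorCode: "Client.UnauthorizedOperation" },
  { eventSource: "ec2.amazonaws.com", eventName: "DescribeSubnets", userIdentity: { arn: DEPLOYER }, errorCode: "Client.UnauthorizedOperation" },
  { eventSource: "ec2.amazonaws.com", eventName: "DescribeRouteTables", userIdentity: { arn: DEPLOYER }, errorCode: "Client.UnauthorizedOperation" },
  { eventSource: "ec2.amazonaws.com", eventName: "DescribeVpnGateways", userIdentity: { arn: DEPLOYER }, errorCode: "Client.UnauthorizedOperation" },
  { eventSource: "ec2.amazonaws.com", eventName: "DescribeVpcs", userIdentity: { arn: DEPLOYER }, errorCode: "Client.UnauthorizedOperation" },
  { eventSource: "lambda.amazonaws.com", eventName: "CreateFunction20150331", userIdentity: { arn: DEPLOYER } },
  { eventSource: "ec2.amazonaws.com", eventName: "DescribeSubnets", userIdentity: { arn: "arn:aws:iam::123456789012:user/other" }, errorCode: "Client.UnauthorizedOperation" },
];

// "ec2.amazonaws.com" + "DescribeVpcs" -> "ec2:DescribeVpcs". The hostname prefix
// equals the IAM service prefix for ec2 and lambda; a few services differ.
function toIamAction(rec: CloudTrailRecord): string {
  return `${rec.eventSource.replace(/\.amazonaws\.com$/, "")}:${rec.eventName}`;
}

// Distinct actions the principal attempted and was refused, sorted.
function deniedActionsFor(records: CloudTrailRecord[], principalArn: string): string[] {
  const actions = new Set<string>();
  for (const rec of records) {
    if (rec.userIdentity.arn !== principalArn) continue;
    if (!rec.errorCode || !DENIED_CODES.has(rec.errorCode)) continue;
    actions.add(toIamAction(rec));
  }
  return [...actions].sort();
}

// Turn the denied actions into a single read-only Allow statement. Non-read
// actions are rejected rather than granted, so a denied write call that happens
// to be in the same trail cannot silently widen the lookup permissions.
function buildLookupPolicy(actions: string[]): PolicyDocument {
  const readOnly = actions.filter((a) => /^[a-z0-9-]+:(Describe|Get|List)[A-Za-z0-9]+$/.test(a));
  const rejected = actions.filter((a) => !readOnly.includes(a));
  if (rejected.length > 0) throw new Error(`non read-only actions not granted: ${rejected.join(", ")}`);
  // EC2 Describe* actions have no resource-level permissions, so Resource must be "*".
  return { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: readOnly, Resource: "*" }] };
}

// Small stand-in for the IAM policy simulator on the action dimension only:
// an explicit Deny wins, otherwise any matching Allow permits the action.
// IAM action patterns use "*" and "?" wildcards and match case-insensitively.
function isAllowed(policy: PolicyDocument, action: string): boolean {
  const toRegex = (pattern: string): RegExp =>
    new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  const matches = (st: PolicyStatement): boolean => st.Action.some((p) => toRegex(p).test(action));
  if (policy.Statement.some((st) => st.Effect === "Deny" && matches(st))) return false;
  return policy.Statement.some((st) => st.Effect === "Allow" && matches(st));
}

// Does the candidate policy cover every action the lookup needs? Returns the gaps.
function missingActions(candidate: PolicyDocument, required: string[]): string[] {
  return required.filter((a) => !isAllowed(candidate, a));
}

// Usage: derive the policy from the trail and compare it with the OP's attempt.
const required = deniedActionsFor(SAMPLE_RECORDS, DEPLOYER);
const lookupPolicy = buildLookupPolicy(required);
const opsAttempt: PolicyDocument = { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: ["ec2:DescribeVpcs"], Resource: "*" }] };
console.log(JSON.stringify(lookupPolicy, null, 2));
console.log("still missing with DescribeVpcs alone:", missingActions(opsAttempt, required).join(", "));
```

Running it prints the four-action statement and reports that DescribeVpcs alone still leaves DescribeRouteTables, DescribeSubnets and DescribeVpnGateways uncovered, which matches the thread: the lookup is a set of read calls, and granting one of them is not enough. The comment's `DescribeVpc*` wildcard also falls short here, since it matches DescribeVpcs but not DescribeVpnGateways, DescribeSubnets or DescribeRouteTables.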