Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
(aws-s3-notifications): How to add event notification to existing bucket using existing role?
See original GitHub issue❓ General Issue
How to add event notification to existing bucket using existing role?
I would like to add a S3 event notification to an existing bucket that triggers a lambda. As describe here, this process will create a BucketNotificationsHandler lambda. However, I am not allowed to create this lambda, since I do not have the permissions to create a role for it:
<me> is not authorized to
perform: iam:CreateRole on resource: arn:aws:iam::<account>:role/<prefix>-BucketNotificationsHandler...
Is there a way to work around this? I am not in control of the full AWS stack, so I cannot simply give myself the appropriate permission. I am allowed to pass an existing role.
Here’s a slimmed down version of the code I am using:
project_iam_role = aws_iam.Role.from_role_arn(
self,
id="myrole",
role_arn="arn:aws:iam::<account>:role/<myrole>",
mutable=False,
)
bucket = aws_s3.Bucket.from_bucket_name(
self, id="bucket", bucket_name="mybucket"
)
trigger_function = aws_lambda.Function(...)
bucket.add_event_notification(
aws_s3.EventType.OBJECT_CREATED,
aws_s3_notifications.LambdaDestination(trigger_function),
)
(Partial) output of cdk diff:
[+] AWS::IAM::Role BucketNotificationsHandler.../Role BucketNotificationsHandler050....
[+] AWS::IAM::Policy BucketNotificationsHandler.../Role/DefaultPolicy BucketNotificationsHandler050...RoleDefaultPolicy....
[+] AWS::Lambda::Function BucketNotificationsHandler....BucketNotificationsHandler...
Final error:
9:19:26 AM | CREATE_FAILED | AWS::IAM::Role | BucketNotification...
API: iam:CreateRole User: arn:aws:sts::<account>:assumed-role/<myrole>/<my-email> is not authorized to
perform: iam:CreateRole on resource: arn:aws:iam::<account>:<myyrole>/....BucketNotificationsHandl-...
Environment
- CDK CLI Version: 1.117.0
- Module Version: 1.119.0
- Node.js Version: v16.6.2
- OS: macOS Big Sur
- Language (Version): Python 3.8
Other information
related isssues:
Issue Analytics
- State:
- Created 2 years ago
- Reactions:1
- Comments:7 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I am also dealing with this issue. I don’t have rights to create a user role so any attempt to run CDK calling .addEventNotification() fails. Interestingly, I am able to manually create the event notification in the console., so that must do the operation without creating a new role. It’s not clear to me why there is a difference in behavior.
Closing because this seems wrapped up. Ping me if you have any other questions