(aws-s3): supply custom role when adding bucket notifications
Hello Team. I am working on a customer engagement, which is attempting to leverage CDK to help deploy a series of Lambda functions. One of the behaviors that we noticed, when we added an S3 event source to a Lambda CDK definition, is that it auto-generates a BucketNotificationsHandler IAM role and policy. Our customer has a unique corporate policy that prevents the role used to deploy the application stack from changing/creating any IAM resources. Any insight in how we can suppress the auto-creation of the following role when the CDK is synthesized? Below is the code snippet we are using to initialize our Lambda function. Your assistance is greatly appreciated, and let me know if you need additional details.
# Imports added for completeness (CDK v1 module names, matching CLI 1.88)
from aws_cdk import (
    core,
    aws_iam as iam,
    aws_lambda as lambda_,
    aws_lambda_event_sources as lambda_event_sources,
    aws_s3 as s3,
)

lambda_.Function(
    self,
    "TestLambda",
    runtime=lambda_.Runtime.PYTHON_3_8,
    code=lambda_.Code.from_asset("code_dir"),
    handler="index.lambda_handler",
    timeout=core.Duration.seconds(30),
    events=[
        # Adding this event source makes CDK synthesize the
        # BucketNotificationsHandler role and policy automatically
        lambda_event_sources.S3EventSource(
            bucket=input_bucket,
            events=[s3.EventType.OBJECT_CREATED],
        )
    ],
    # An existing, immutable role is supplied; CDK still creates the handler role
    role=iam.Role.from_role_arn(
        self,
        id="Testlambda",
        role_arn="role_arn",
        mutable=False,
    ),
)
This exact same situation happens with an EKS cluster, in which a cluster creator role and IAM role are created. Due to our unique corporate policy we need to suppress the auto-creation of roles in CDK.
Reproduction Steps
Create a Lambda function in CDK with the following event specified.
    events=[
        lambda_event_sources.S3EventSource(
            bucket=input_bucket,
            events=[s3.EventType.OBJECT_CREATED],
        )
    ]
What did you expect to happen?
If a role is defined and provided as input to a module, another role would not be created by CDK.
Stop the auto-creation of IAM roles and policies.
What actually happened?
The roles are still created even though a role is provided in the input.
Environment
- CDK CLI Version: 1.88
- Framework Version:
- Node.js Version:
- OS: MacOS
- Language (Version): Python 3.8.2
Other
This is a 🐛 Bug Report
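For teams whose deploy role may not create IAM resources, the practical guardrail is to inspect the output of `cdk synth` before deploying. The following Python check is an added example (not code from the issue or from the CDK project): it scans a synthesized CloudFormation template for IAM resources and reports any that were not explicitly approved. The embedded template is constructed to mirror what the report describes (a Lambda using an imported role, plus the auto-generated BucketNotificationsHandler role and policy); its logical ids are illustrative.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample of `cdk synth` output, modelled on the stack in the issue.
# Logical ids are illustrative placeholders, not copied from a real synth.
SYNTH_TEMPLATE = json.dumps({
    "Resources": {
        "TestLambda1A2B3C4D": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": "arn:aws:iam::123456789012:role/provided-role"},
        },
        # These two are what S3EventSource adds without being asked
        "BucketNotificationsHandlerRoleB6FB88EC": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Statement": []}},
        },
        "BucketNotificationsHandlerRoleDefaultPolicy2CF63D36": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Action": "s3:PutBucketNotification", "Effect": "Allow", "Resource": "*"}
            ]}},
        },
        "InputBucketNotifications8F2E257D": {
            "Type": "Custom::S3BucketNotifications",
            "Properties": {},
        },
    }
})

IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::Policy",
             "AWS::IAM::ManagedPolicy", "AWS::IAM::InstanceProfile")


def find_iam_resources(template_json: str) -> Dict[str, str]:
    """Map logical id -> resource type for every IAM resource in the template."""
    resources = json.loads(template_json).get("Resources", {})
    return {lid: r["Type"] for lid, r in resources.items() if r.get("Type") in IAM_TYPES}


def check_no_iam_creation(template_json: str, allowed_ids: Iterable[str] = ()) -> List[str]:
    """Return the logical ids of IAM resources the template would create that are
    not on the allow-list. An empty list means the template is deployable by a
    role that is forbidden from creating IAM resources."""
    allowed = set(allowed_ids)
    return sorted(lid for lid in find_iam_resources(template_json) if lid not in allowed)


if __name__ == "__main__":
    for lid in check_no_iam_creation(SYNTH_TEMPLATE):
        print(f"template would create IAM resource: {lid}")
```

Run it against `cdk.out/<stack>.template.json` in CI to fail the pipeline before a deployment that the locked-down role cannot complete.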
Top GitHub Comments
Anything on this? Ability to control the role used by the notifications handler is quite important in locked down enterprise environments.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.