[lambda] Circular dependency when trying to add policy to invoke itself
Reproduction Steps
const myLambda = new lambda.Function(this, 'myLambda', {
  ...
});
// Statement that lets the function's execution role invoke this same function
const myLambdaInvokePolicyStatement = new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [ 'lambda:InvokeFunction' ],
  resources: [ myLambda.functionArn ]
});
myLambda.addToRolePolicy(myLambdaInvokePolicyStatement);
What did you expect to happen?
CDK to be able to add the policy so my lambda can invoke itself.
What actually happened?
CDK is throwing ValidationError.
Stack failed: Error [ValidationError]: Circular dependency between resources: [...]
Environment
- CLI Version : 1.69.0
- Framework Version: 1.69.0
- Node.js Version: v12.17.0
- OS : MacOS 10.15.7
- Language (Version): TypeScript (3.7.2)
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments: 12 (5 by maintainers)
Top GitHub Comments
The problem seems to be that with this dependency CloudFormation needs to create the lambda before the ServiceRole and like always the ServiceRole before the lambda like someone stated before.
We worked around that by introducing an additional policy into this circle:
This works for us. I would guess that CloudFormation can then create it like this: ServiceRole -> Lambda -> Policy -> (Attach Policy to Role)
This is because the lambda permission node adds a GetAtt on the lambda function that is yet to be created. So the “Permission” cannot be created until the “Function” is created and the permission cannot be created without the “Function ARN” being available. You can use the following workaround -
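As an added illustration (not code from the issue, the CDK project, or the workaround the comments refer to), the TypeScript below walks the Ref, Fn::GetAtt and DependsOn edges of two constructed template fragments: one modeled on the reported failure, one on the separate-policy approach described in the first comment. The logical IDs, and the assumption that the function carries a DependsOn on its role's default policy, are assumptions and are not taken from the page.

```typescript
type Json = { [key: string]: unknown };
// Collect logical IDs reached through Ref, Fn::GetAtt or DependsOn inside a value.
function refs(value: unknown, out: string[] = []): string[] {
  if (value === null || typeof value !== "object") return out;
  const node = value as Json; // arrays are walked by index, like objects
  Object.keys(node).forEach((key) => {
    const v = node[key];
    if (key === "Ref" || key === "DependsOn") ([] as unknown[]).concat(v).forEach((d) => out.push(String(d)));
    else if (key === "Fn::GetAtt" && Array.isArray(v)) out.push(String(v[0]));
    else refs(v, out);
  });
  return out;
}

// Depth-first search over the resources; returns the first cycle as a path, or null.
function findCycle(resources: Json): string[] | null {
  const state: { [id: string]: number } = {}; // 1 = on current path, 2 = finished
  const path: string[] = [];
  function visit(id: string): string[] | null {
    if (state[id] === 2) return null;
    if (state[id] === 1) return path.slice(path.indexOf(id)).concat(id);
    state[id] = 1;
    path.push(id);
    for (const dep of refs(resources[id])) {
      const cycle = dep in resources ? visit(dep) : null; // skip pseudo parameters
      if (cycle) return cycle;
    }
    path.pop();
    state[id] = 2;
    return null;
  }
  for (const id of Object.keys(resources)) {
    const cycle = visit(id);
    if (cycle) return cycle;
  }
  return null;
}

const role: Json = { Type: "AWS::IAM::Role" };
const selfInvoke: Json = { Type: "AWS::IAM::Policy", Properties: { Roles: [{ Ref: "ServiceRole" }],
  PolicyDocument: { Statement: [{ Effect: "Allow", Action: "lambda:InvokeFunction",
    Resource: { "Fn::GetAtt": ["MyLambda", "Arn"] } }] } } };
const lambdaFn = (dependsOn: string[]): Json => ({ Type: "AWS::Lambda::Function",
  Properties: { Role: { "Fn::GetAtt": ["ServiceRole", "Arn"] } }, DependsOn: dependsOn });
// Constructed failing shape: the statement sits in the role's default policy, which the function waits on.
const failing: Json = { ServiceRole: role, ServiceRoleDefaultPolicy: selfInvoke,
  MyLambda: lambdaFn(["ServiceRoleDefaultPolicy", "ServiceRole"]) };
// Constructed workaround shape: same statement in a separate policy the function does not depend on.
const workaround: Json = { ServiceRole: role, SelfInvokePolicy: selfInvoke,
  MyLambda: lambdaFn(["ServiceRole"]) };
```

`findCycle(failing)` returns the loop between the default policy and the function, while `findCycle(workaround)` returns `null`, which matches the ServiceRole -> Lambda -> Policy creation order guessed at in the first comment.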