(lambda): cross account lambda resolvers can not be created
What is the problem?
Can not create cross account lambda function resolver for an appsync api. It tries to add a permission to lambda but can not. Worked in CDKv1 but not in CDKv2.
Reproduction Steps
import { aws_lambda, Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as appsync from '@aws-cdk/aws-appsync-alpha';

export class GraphqlbugStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const api = new appsync.GraphqlApi(this, 'Api', {
      name: 'demo',
    });
    const myLambda = aws_lambda.Function.fromFunctionArn(this, "function", "arn:aws:lambda:eu-west-1:111222333444:function:MyLambda")
    const demoDS = api.addLambdaDataSource("lambdaDataSource", myLambda)
    demoDS.createResolver({
      typeName: 'Query',
      fieldName: 'getDemos',
    });
  }
}
Then run cdk synth
What did you expect to happen?
Generates a cloudformation template.
What actually happened?
/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:212
throw new Error('Cannot modify permission to lambda function. Function is either imported or $LATEST version. '
^
Error: Cannot modify permission to lambda function. Function is either imported or $LATEST version. If the function is imported from the same account use `fromFunctionAttributes()` API with the `sameEnvironment` flag.
at Object.addToResourcePolicy (/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:212:21)
at Function.addToPrincipalOrResource (/Users/.../node_modules/aws-cdk-lib/aws-iam/lib/grant.ts:77:45)
at Import.grantInvoke (/Users/.../node_modules/aws-cdk-lib/aws-lambda/lib/function-base.ts:195:25)
at new LambdaDataSource (/Users/.../node_modules/@aws-cdk/aws-appsync-alpha/lib/data-source.ts:197:26)
at GraphqlApi.addLambdaDataSource (/Users/.../node_modules/@aws-cdk/aws-appsync-alpha/lib/graphqlapi-base.ts:106:12)
at new GraphqlbugStack (/Users/.../lib/graphqlbug-stack.ts:15:24)
at Object.<anonymous> (/Users/.../bin/graphqlbug.ts:7:1)
at Module._compile (node:internal/modules/cjs/loader:1101:14)
at Module.m._compile (/Users/.../node_modules/ts-node/src/index.ts:1056:23)
at Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
Subprocess exited with error 1
CDK CLI Version
2.9.0
Framework Version
No response
Node.js Version
v16.13.2
OS
macOS Catalina
Language
Typescript
Language Version
TypeScript (4.5.5)
Other information
No response
Issue Analytics
- State:
- Created 2 years ago
- Comments:9 (4 by maintainers)
Top GitHub Comments
We seem to have stumbled on a rabbit hole here that was most recently modified here: https://github.com/aws/aws-cdk/pull/11369 (and that PR links to at least 2 others trying to do the same thing).
There are a few attributes you can try from fromFunctionAttributes() that are related: sameEnvironment and allowPermissions. But after hearing the use case you describe, I wonder if these will both still result in deploy time failures (since there is no way to attempt to modify imported resources). Perhaps we need to introduce a property like skipPermissions to address this use case.

At any rate, I’m a bit out of my depth and I’ll wait for @skinny85 to weigh in.
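Added example, not part of the issue or of the CDK code base: because a stack cannot modify a function owned by another account, the invoke permission has to already exist in that function's resource policy. The sketch below builds the least-privilege statement the owning account would add and checks an existing policy document for it before deployment. The helper names, the role ARN and the API account ID are assumptions; only the function ARN comes from the issue.

```typescript
// Added example; all function and type names here are hypothetical helpers.
type OneOrMany = string | string[];
interface Statement {
  Sid?: string; Effect: string; Principal?: { AWS?: OneOrMany };
  Action: OneOrMany; Resource: OneOrMany;
}

function parseLambdaArn(arn: string) {
  const m = /^arn:(aws[\w-]*):lambda:([a-z0-9-]+):(\d{12}):function:([\w-]+)(?::([\w$-]+))?$/.exec(arn);
  if (!m) throw new Error(`not a Lambda function ARN: ${arn}`);
  return { partition: m[1], region: m[2], account: m[3], name: m[4], qualifier: m[5] };
}

// True when the function is owned by another account than the stack, so the
// stack cannot attach the resource policy and the owning account has to.
function needsRemotePermission(functionArn: string, stackAccount: string): boolean {
  return parseLambdaArn(functionArn).account !== stackAccount;
}

// Statement the function-owning account adds to the function's resource policy,
// scoped to one role and one action rather than the whole calling account.
function requiredStatement(functionArn: string, dataSourceRoleArn: string): Statement {
  return {
    Sid: 'AllowAppSyncDataSourceRole',
    Effect: 'Allow',
    Principal: { AWS: dataSourceRoleArn },
    Action: 'lambda:InvokeFunction',
    Resource: functionArn,
  };
}

function asList(v?: OneOrMany): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Pre-deploy check over the function's policy JSON (Allow statements only;
// Deny statements and Condition keys are not evaluated).
function policyAllowsInvoke(policy: { Statement: Statement[] }, functionArn: string, roleArn: string): boolean {
  return policy.Statement.some(s =>
    s.Effect === 'Allow' &&
    asList(s.Principal?.AWS).some(p => p === roleArn) &&
    asList(s.Action).some(a => a === 'lambda:InvokeFunction' || a === 'lambda:*') &&
    asList(s.Resource).some(r => r === functionArn));
}

// Function ARN from the issue; the role ARN and API account are constructed.
const FN_ARN = 'arn:aws:lambda:eu-west-1:111222333444:function:MyLambda';
const ROLE_ARN = 'arn:aws:iam::999888777666:role/ExampleAppSyncDataSourceRole';
console.log(needsRemotePermission(FN_ARN, '999888777666'),
  policyAllowsInvoke({ Statement: [requiredStatement(FN_ARN, ROLE_ARN)] }, FN_ARN, ROLE_ARN));
```

The policy argument has the shape of the JSON document in the Policy field returned by aws lambda get-policy, run in the function's account.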