Lambda: Principal conditions don't get translated to AWS::Lambda::Permissions fields

Trying to create a ServicePrincipal for use in a Function.grantInvoke call.

Want to add conditions so that it is scoped to a particular bucket ala e.g. here https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

I’ve tried variations in conditions for the keys like arnLike awsSourceArn

tried using this as reference

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

How is this supposed to work? No examples in docs or elsewhere on interwebs

Reproduction Steps

        const spOptions = {
            conditions:{
                'arn:like':{
                    "aws:SourceArn" : bucketName
                }
            }
        }
        const sp = new ServicePrincipal('s3.amazonaws.com', spOptions)
        console.log('Service Principal', sp.policyFragment)
        this.launcherFunction.grantInvoke(sp)

Doing this I see my conditions in the policyFragment output, but it doesn’t generate any conditions in the resulting CloudFormation

    {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:InvokeFunction",
        "FunctionName": {
          "Fn::GetAtt": [
            "xxxLauncher5BB90C90",
            "Arn"
          ]
        },
        "Principal": "s3.amazonaws.com"
      },
      "Metadata": {
       ...
      }
    }

Error Log

Environment

  • CLI Version: aws-cli/2.0.9
  • Framework Version: 1.40.0
  • OS: ubuntu 16.04
  • Language: typescript

Other


This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:7
  • Comments:11 (1 by maintainers)
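
The permission shown in the issue names `s3.amazonaws.com` as principal with no `SourceArn` or `SourceAccount`, so it is not restricted to one bucket. The following is an added example, not code from the issue or from the CDK project: it scans a synthesized template for such permissions. The logical IDs, bucket ARN and account ID in the sample are constructed, and the `.amazonaws.com` suffix test for service principals is an assumption.

```typescript
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };
type PermissionFinding = { logicalId: string; principal: string };

// Flag AWS::Lambda::Permission resources that grant a service principal
// invoke access with neither SourceArn nor SourceAccount set.
function findUnscopedLambdaPermissions(template: CfnTemplate): PermissionFinding[] {
  const resources = template.Resources ?? {};
  const findings: PermissionFinding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== "AWS::Lambda::Permission") continue;
    const props = res.Properties ?? {};
    const principal = props["Principal"];
    // Heuristic (assumption): service principals end in .amazonaws.com;
    // account and ARN principals already name a specific caller.
    if (typeof principal !== "string" || !/\.amazonaws\.com$/.test(principal)) continue;
    if (props["SourceArn"] === undefined && props["SourceAccount"] === undefined) {
      findings.push({ logicalId, principal });
    }
  }
  return findings;
}

// Constructed sample: the first resource mirrors the output in the issue,
// the second shows the same grant scoped to one bucket and account.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    LauncherInvokeUnscoped: {
      Type: "AWS::Lambda::Permission",
      Properties: {
        Action: "lambda:InvokeFunction",
        FunctionName: { "Fn::GetAtt": ["xxxLauncher5BB90C90", "Arn"] },
        Principal: "s3.amazonaws.com",
      },
    },
    LauncherInvokeScoped: {
      Type: "AWS::Lambda::Permission",
      Properties: {
        Action: "lambda:InvokeFunction",
        FunctionName: { "Fn::GetAtt": ["xxxLauncher5BB90C90", "Arn"] },
        Principal: "s3.amazonaws.com",
        SourceArn: "arn:aws:s3:::example-bucket", // constructed
        SourceAccount: "111122223333", // constructed
      },
    },
  },
};
const SAMPLE_FINDINGS = findUnscopedLambdaPermissions(SAMPLE_TEMPLATE);
```

Run against the JSON produced by `cdk synth`, a non-empty result means a condition set on the principal did not reach the permission resource.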

Top GitHub Comments

5 reactions
david-wang-1 commented, Nov 10, 2020

Any updates on prioritization for this fix? The workaround from @rix0rrr does not appear to work.

4 reactions
ScDavid commented, Dec 8, 2020

I experienced the same problem. Additionally, using PrincipalWithConditions seems not to be supported as principal in Lambda permission: `Invalid principal type for Lambda permission statement: PrincipalWithConditions. Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal`
