Lambda: Principal conditions don't get translated to AWS::Lambda::Permissions fields
Trying to create a ServicePrincipal for use in a Function.grantInvoke call.
Want to add conditions so that it is scoped to a particular bucket ala e.g. here https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
I’ve tried variations in conditions for the keys like
- arnLike
- awsSourceArn

tried using this as reference
How is this supposed to work? No examples in docs or elsewhere on interwebs
Reproduction Steps
```ts
const spOptions = {
  conditions: {
    'arn:like': {
      "aws:SourceArn": bucketName
    }
  }
}
const sp = new ServicePrincipal('s3.amazonaws.com', spOptions)
console.log('Service Principal', sp.policyFragment)
this.launcherFunction.grantInvoke(sp)
```
Doing this, I see my conditions in the policyFragment output, but it doesn’t generate any conditions in the resulting CloudFormation:
```json
{
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
      "Fn::GetAtt": [
        "xxxLauncher5BB90C90",
        "Arn"
      ]
    },
    "Principal": "s3.amazonaws.com"
  },
  "Metadata": {
    ...
  }
}
```
Error Log
Environment
- CLI Version: aws-cli/2.0.9
- Framework Version: 1.40.0
- OS: ubuntu 16.04
- Language: typescript
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:7
- Comments:11 (1 by maintainers)
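A check for the symptom shown in the issue, as an added example that is not part of the original issue or the CDK code base: it scans a synthesized template for `AWS::Lambda::Permission` resources that name a service principal but carry no `SourceArn` or `SourceAccount`. The function name, resource IDs, bucket name and account number are assumptions made up for illustration.

```typescript
// Added example: audit a synthesized CloudFormation template (e.g. from cdk.out)
// for Lambda permissions granted to an AWS service without a source restriction.
type Props = { [key: string]: unknown };
type Resource = { Type: string; Properties?: Props };
type Template = { Resources?: { [logicalId: string]: Resource } };
interface Finding { logicalId: string; principal: string; missing: string[] }

// Hypothetical helper: one finding per AWS::Lambda::Permission whose Principal
// is a service principal and that lacks SourceArn and/or SourceAccount.
function findUnscopedPermissions(template: Template): Finding[] {
  const resources = template.Resources || {};
  const findings: Finding[] = [];
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (!res || res.Type !== "AWS::Lambda::Permission") continue;
    const props: Props = res.Properties || {};
    const principal = props["Principal"];
    // Only literal service principals are checked; account IDs, IAM ARNs and
    // intrinsic-function values are skipped.
    if (typeof principal !== "string" || !/\.amazonaws\.com$/.test(principal)) continue;
    // S3 bucket ARNs carry no account ID, so SourceAccount is checked as well.
    const missing = ["SourceArn", "SourceAccount"].filter(k => props[k] === undefined);
    if (missing.length > 0) findings.push({ logicalId, principal, missing });
  }
  return findings;
}

// Constructed sample: the first resource mirrors the output in the issue, the
// second is a scoped permission (bucket name and account number are made up).
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    LauncherInvokeUnscoped: {
      Type: "AWS::Lambda::Permission",
      Properties: {
        Action: "lambda:InvokeFunction",
        FunctionName: { "Fn::GetAtt": ["xxxLauncher5BB90C90", "Arn"] },
        Principal: "s3.amazonaws.com",
      },
    },
    LauncherInvokeScoped: {
      Type: "AWS::Lambda::Permission",
      Properties: {
        Action: "lambda:InvokeFunction",
        FunctionName: { "Fn::GetAtt": ["xxxLauncher5BB90C90", "Arn"] },
        Principal: "s3.amazonaws.com",
        SourceArn: "arn:aws:s3:::example-bucket",
        SourceAccount: "111122223333",
      },
    },
  },
};
```

Run against the `*.template.json` files a synth produces, a non-empty result means the permission reached CloudFormation without the intended scoping.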
Top GitHub Comments
Any updates on prioritization for this fix? The workaround from @rix0rrr does not appear to work.
I experienced the same problem. Additionally, using PrincipalWithConditions seems not to be supported as principal in Lambda permission: Invalid principal type for Lambda permission statement: PrincipalWithConditions. Supported: AccountPrincipal, ArnPrincipal, ServicePrincipal