Permission resource is not created for imported lambda function


Resource Policy is not being created for Lambda when using Lambda version but is being created when using new Lambda.

Reproduction Steps:

  • Create a new lambda function and publish a new version for it.

  • Create a new resource policy for the created lambda version.

Example shows creating new resource policy for api gateway to invoke weatherFunction lambda version 13

    _lambda.Version.from_version_attributes(
        self, id='stageVersion', lambda_=weatherFunction, version='13',
    ).add_permission(
        id='invokeweatherfnversion13',
        principal=iam.ServicePrincipal(service='apigateway.amazonaws.com'),
        action='lambda:InvokeFunction',
        source_arn=api.arn_for_execute_api(stage='dev', method='GET', path='/'),
    )

Error Log

No error message

Environment

  • CLI Version: 1.34.1
  • Framework Version: 1.34.1
  • OS: Mac Mojave 10.14.6
  • Language: Python

Other


This is 🐛 Bug Report

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Reactions:13
  • Comments:9 (4 by maintainers)

Top GitHub Comments

4 reactions
A-Hilaly commented, Aug 11, 2020

@SKIIDK - canCreatePermissions is a protected member of the class. You cannot control it from outside the class.

Work around is to create a CfnPermission class like so -

https://github.com/aws/aws-cdk/blob/6407535863c06d6d3ccfc2c3f2b59470d2d88993/packages/%40aws-cdk/aws-lambda/lib/function-base.ts#L212-L219

With @Hugodby we found a detailed work around using this template, with apigateway and lambda authorizers


        // parameters
        const authorizerFunctionArn = new cdk.CfnParameter(this, "authorizerFunctionArn", {
          type: "String",
          default: "arn:aws:lambda:eu-west-1:XXXXXXXXX:XXXXXXXXX",
          description: "ARN of the LambdaAuthorizer",
        });

        // authorizer lambda
        const authFunction = lambda.Function.fromFunctionArn(this,
          "lambda-authorizer",
          authorizerFunctionArn.valueAsString,
        );

        // api gateway
        const TestApi = new apigateway.RestApi(this, 'TestApi', {
          restApiName: 'TestService',
        });

        new lambda.CfnPermission(this, id + "test01", {
          action: "lambda:InvokeFunction",
          principal: 'apigateway.amazonaws.com',
          functionName: authorizerFunctionArn.valueAsString,
          sourceArn: cdk.Arn.format(
            {
              service: "execute-api",
              resource: TestApi.restApiId,
              resourceName: "authorizers/*",
            },
            this,
          ),
        });

3 reactions
nija-at commented, Jun 8, 2020

@SKIIDK - canCreatePermissions is a protected member of the class. You cannot control it from outside the class.

Work around is to create a CfnPermission class like so - https://github.com/aws/aws-cdk/blob/6407535863c06d6d3ccfc2c3f2b59470d2d88993/packages/%40aws-cdk/aws-lambda/lib/function-base.ts#L212-L219
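Because the issue reports no error when the permission is skipped, one way to catch it before deployment is to inspect the synthesized CloudFormation template for the expected `AWS::Lambda::Permission`. This is an added example, not code from the issue or from the CDK project; the sample template, its logical IDs and the helper names are constructed for illustration.

```python
import json

# Constructed sample in the shape of a synthesized template (cdk.out/*.template.json).
# Logical IDs, account ID and API ID are made up for illustration.
SAMPLE_TEMPLATE = {"Resources": {
    "WeatherFn": {"Type": "AWS::Lambda::Function", "Properties": {}},
    "ApiInvokeFn": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "FunctionName": {"Fn::GetAtt": ["WeatherFn", "Arn"]},
        "SourceArn": "arn:aws:execute-api:eu-west-1:111111111111:abc123/dev/GET/"}},
    "LoosePerm": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "FunctionName": "arn:aws:lambda:eu-west-1:111111111111:function:other"}},
}}


def _flatten(value):
    """Render a plain string or an intrinsic (Ref, Fn::GetAtt, Fn::Join) as text."""
    return value if isinstance(value, str) else json.dumps(value, sort_keys=True)


def lambda_permissions(template):
    """Yield (logical_id, properties) for each AWS::Lambda::Permission resource."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Lambda::Permission":
            yield logical_id, res.get("Properties", {})


def check_invoke_permission(template, target, principal):
    """Return findings about `principal` invoking the function matching `target`.

    `target` is a token expected inside FunctionName: a logical ID, a function
    name, or a version suffix such as ':13'. An empty list means no findings.
    """
    matches = [(lid, props) for lid, props in lambda_permissions(template)
               if props.get("Principal") == principal
               and props.get("Action") == "lambda:InvokeFunction"
               and target in _flatten(props.get("FunctionName", ""))]
    if not matches:
        # The silent failure from the issue: add_permission() ran, nothing was synthesized.
        return [f"no AWS::Lambda::Permission lets {principal} invoke {target}"]
    # A service principal without SourceArn is not scoped to one API or stage.
    return [f"{lid}: no SourceArn" for lid, props in matches if "SourceArn" not in props]
```

Run it against the JSON loaded from the synthesized template in a CI step and fail the build when the returned list is not empty.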
