Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support custom role setting for custom resources

See original GitHub issue

This is a Bug Report

Description

What went wrong?

We use our own role which is specified at the provider level. This role is used for every lambda. Since we added the Eventbridge event to a Lambda it fails to try to create a custom role (which it should not do since we use our predefined one).

I looked at the generated Cloudformation JSON and noticed that it is trying to create a Lambda using the handler (eventBridge/handler.handler) from custom resources. Additionally, it is creating a new role for this lambda called “IamRoleCustomResourcesLambdaExecution”. For every other Lambda, it is using our predefined Role so I think this is wrong.

What did you expect should have happened?

Custom-resources lambda should use the default role we specified.

What was the config you used?


provider:
  role: our ARN

functions:

  # Log from event bus
  LogEvent:
    handler: lambda.handler
    events:
      - eventBridge:
          eventBus: custom-saas-events
          pattern:
            source:
              - saas.external

What stacktrace or error message from your provider did you see?

Similar or dependent issues:

Additional Data

Serverless Framework Version you’re using: Framework Core: 1.50.0
Operating System: windows
Stack Trace:
Provider Error messages:

Issue Analytics

State:
Created 4 years ago
Reactions:2
Comments:27 (14 by maintainers)

Top GitHub Comments

3reactions

hanikesncommented, Sep 20, 2019

See https://github.com/serverless/serverless/issues/6492#issuecomment-533476635

This is a real issue in enterprise enviroments where role creation might be restricted. E.g. by requiring a naming convention, permission boundary or just completely for developers.

Allowing a custom role here would let people work around that issue. Even it that requires a bit more effort.

3reactions

medikoocommented, Aug 27, 2019

@gordianberger thanks for that report.

Since we added the Eventbridge event to a Lambda it fails to try to create a custom role (which it should not do since we use our predefined one).

Why exactly it fails? Relying on custom resources is expected to work seamlessly with custom role setting

Custom-resources lambda should use the default role we specified.

Custom resource lambdas have very specific permission requirements, and those are in most cases very different from ones needed by service lambdas. I think it wouldn’t be nice if we would automatically assume that same role should be used for those and regular lambdas.

Still I think a worthwhile improvement would be to support a customResourceRole setting, through which you may state that existing, externally maintained, role should be used. Having that you may assign same ARN here as to role setting.

What do you think?

Top Results From Across the Web

Creating and managing custom roles - IAM - Google Cloud

This page describes how to create and manage Identity and Access Management (IAM) custom roles. Managing roles includes modifying, disabling, listing, ...

Azure custom roles - Azure RBAC | Microsoft Learn

When you create a custom role, you need to know the actions that are available to define your permissions. Typically, you start with...

Custom Roles | Rancher Manager

Go to the Global view and click Security > Roles. · On the Global tab, go to the role that the custom global...

Custom resources - AWS CloudFormation

Owns the custom resource and determines how to handle and respond to requests from AWS CloudFormation. The custom resource provider must provide a...

Extending the Kubernetes API with Custom Resources

Procedure · Create a cluster role definition file for the CRD. The cluster role definition is a YAML file that contains the rules...