Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(custom-resources): support custom lambda role in provider framework #12126

Closed
1 task done
Ruben-E opened this issue Dec 17, 2020 · 2 comments · Fixed by #12131
Closed
1 task done

(custom-resources): support custom lambda role in provider framework #12126

Ruben-E opened this issue Dec 17, 2020 · 2 comments · Fixed by #12131
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@Ruben-E
Copy link
Contributor

Ruben-E commented Dec 17, 2020

My project uses custom resources with the provider framework to handle the callback to CloudFormation. Thanks for making that easier!

But the provider framework does not support a custom role for the lambda function yet.
We need it because the policy requires a permission boundary to be set on a role. Without permission boundary, roles cannot be created, including default roles.

Use Case

  • To pass a custom role with a permission boundary to the lambda.

Proposed Solution

const aCustomRole = new iam.Role(this, 'CustomRole', {
    assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
    managedPolicies: ...,
    permissionsBoundary: ...
});

const myProvider = new cr.Provider(this, 'MyProvider', {
    onEventHandler: onEvent,
    role: aCustomRole
});

Other

  • 👋 I may be able to implement this feature request

This is a 🚀 Feature Request
@Ruben-E Ruben-E added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 17, 2020
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Dec 17, 2020
Ruben-E added a commit to Ruben-E/aws-cdk that referenced this issue Dec 17, 2020
@Ruben-E
feat(custom-resources): supported custom role for provider lambda
192c256 
Added support to pass a custom role to the provider which the lambda will use. Can be used a.o. to pass a permission boundary.

closes aws#12126
@Ruben-E Ruben-E mentioned this issue Dec 17, 2020
Merged
@rix0rrr
Copy link
Contributor

rix0rrr commented Jan 6, 2021

Aren't you better off using an escape hatch to add this PermissionBoundary field onto the generated role object? By the very nature of the framework being in the Core library it cannot use any of the IAM classes so it will be mostly string manipulation anyway.

@rix0rrr rix0rrr added effort/small Small work item – less than a day of effort p2 labels Jan 6, 2021
@ryparker ryparker removed the needs-triage This issue or PR still needs to be triaged. label Jun 2, 2021
@rix0rrr rix0rrr removed their assignment Jun 3, 2021
@mergify mergify bot closed this as completed in #12131 Jun 7, 2021
mergify bot pushed a commit that referenced this issue Jun 7, 2021
@Ruben-E
feat(custom-resources): support custom lambda role in provider framew…
bc01207 
…ork (#12131)

Added support to pass a custom role to the provider which the lambda will use. Can be used a.o. to pass a permission boundary.

closes #12126


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Jun 7, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

hollanddd pushed a commit to hollanddd/aws-cdk that referenced this issue Aug 26, 2021
@Ruben-E @hollanddd
feat(custom-resources): support custom lambda role in provider framew…
5afd312 
…ork (aws#12131)

Added support to pass a custom role to the provider which the lambda will use. Can be used a.o. to pass a permission boundary.

closes aws#12126


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(custom-resources): support custom lambda role in provider framework Ruben-E/aws-cdk
3 participants
@rix0rrr @Ruben-E @ryparker