(custom-resources): Provider function needs lambda:GetFunction permission for waiter to succeed #28954
Labels: @aws-cdk/custom-resources, bug, needs-triage
Describe the bug
If an initial user function invocation fails, the custom resource Provider function will wait for it to be ready with a `waitUntilFunctionActiveV2` API call:
https://github.com/aws/aws-cdk/blob/v2.124.0/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L47-L73
https://docs.aws.amazon.com/cli/latest/reference/lambda/wait/function-active-v2.html#description

The provider function needs `lambda:GetFunction` permission on the user function for this waiter to succeed, otherwise the following error will be seen in CloudTrail:

CDK should automatically add this permission to the Provider function role.
Expected Behavior
Provider function will wait for function to become active if the first invocation fails.
Current Behavior
If first invocation fails, the Provider function will immediately fail with an error message about the waiter timeout. This masks the true failure reason.
Reproduction Steps
The provider function invocation role does not have `lambda:GetFunction` permission on the user lambda function. If the user lambda fails to invoke for any reason, the waiter will fail immediately.
Possible Solution
Automatically add the required IAM permission when the Provider is created
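As an added illustration (not CDK's own code, and not part of this issue), the block below shows the least-privilege statement the Provider framework role is missing, scoped to the user function's ARN rather than `*`, and a small IAM policy evaluator that checks whether a role's inline policy document already grants `lambda:GetFunction` (and `lambda:InvokeFunction`) on that function. The function ARN and the two policy documents are constructed sample data; the evaluator is deliberately simplified (explicit Deny wins, wildcards in Action and Resource are honoured, Conditions and NotAction/NotResource are not modelled), which is enough to reproduce the missing-permission condition described above.

```typescript
// Added example, not CDK's code. Sample ARNs and policy documents are constructed.

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// The statement the Provider role needs so waitUntilFunctionActiveV2 can call
// lambda:GetFunction on the user function. lambda:InvokeFunction is what the
// framework already grants; this only adds the missing read permission.
function getFunctionStatement(userFunctionArn: string): PolicyStatement {
  return {
    Effect: "Allow",
    Action: ["lambda:GetFunction"],
    Resource: [userFunctionArn],
  };
}

// IAM-style wildcard match: "*" matches any run, "?" a single character.
// Action names are case-insensitive in IAM; resource ARNs are compared as-is.
function matches(pattern: string, value: string, caseInsensitive: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, caseInsensitive ? "i" : "").test(value);
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Simplified evaluator: a matching Deny always wins; otherwise any matching
// Allow grants. Conditions and NotAction/NotResource are not modelled.
function policyAllows(doc: PolicyDocument, action: string, resourceArn: string): boolean {
  let allowed = false;
  for (const s of doc.Statement) {
    const actionHit = asList(s.Action).some((a) => matches(a, action, true));
    const resourceHit = asList(s.Resource).some((r) => matches(r, resourceArn, false));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Lists the Lambda actions the Provider role still lacks on the user function.
function missingProviderPermissions(doc: PolicyDocument, userFunctionArn: string): string[] {
  const required = ["lambda:InvokeFunction", "lambda:GetFunction"];
  return required.filter((a) => !policyAllows(doc, a, userFunctionArn));
}

// Constructed sample: the user (onEvent) function and a role policy that only
// allows invocation, which is the situation the issue describes.
const USER_FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:OnEventHandler";

const CURRENT_ROLE_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "lambda:InvokeFunction", Resource: USER_FUNCTION_ARN }],
};

// The same policy with the missing statement appended.
const FIXED_ROLE_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [...CURRENT_ROLE_POLICY.Statement, getFunctionStatement(USER_FUNCTION_ARN)],
};

console.log("missing (current):", missingProviderPermissions(CURRENT_ROLE_POLICY, USER_FUNCTION_ARN));
console.log("missing (fixed):  ", missingProviderPermissions(FIXED_ROLE_POLICY, USER_FUNCTION_ARN));
```

In a CDK app the equivalent wiring is to pass your own `iam.Role` through the `role` prop of `Provider` and attach a statement equivalent to `getFunctionStatement(onEventHandler.functionArn)` to it with `role.addToPolicy(new iam.PolicyStatement({...}))`; the evaluator above is the kind of check you can run against the synthesized role policy in a unit test until the framework grants the permission itself.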
Additional Information/Context
No response
CDK CLI Version
2.123.0 (build a594112)
Framework Version
No response
Node.js Version
18.x
OS
AL2
Language
TypeScript
Language Version
No response
Other information
No response