
(custom-resources): Provider function needs lambda:GetFunction permission for waiter to succeed #28954

Closed
ejt4x opened this issue Feb 1, 2024 · 3 comments
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


ejt4x commented Feb 1, 2024

Describe the bug

If an initial user function invocation fails, the custom resource Provider function will wait for it to be ready with a waitUntilFunctionActiveV2 API call.

https://github.com/aws/aws-cdk/blob/v2.124.0/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts#L47-L73

https://docs.aws.amazon.com/cli/latest/reference/lambda/wait/function-active-v2.html#description

Waits for the function's State to be Active. This waiter uses GetFunction API

The provider function needs lambda:GetFunction permission on the user function for this waiter to succeed, otherwise the following error will be seen in CloudTrail:

User : <provider function role> is not authorized to perform: lambda:GetFunction on resource: <user function> because no identity-based policy allows the lambda:GetFunction action

CDK should automatically add this permission to the Provider function role.

Expected Behavior

Provider function will wait for function to become active if the first invocation fails.

Current Behavior

If first invocation fails, the Provider function will immediately fail with an error message about the waiter timeout. This masks the true failure reason.

Reproduction Steps

import { CustomResource } from 'aws-cdk-lib';
import { Provider } from 'aws-cdk-lib/custom-resources';

// userLambdaFunction: the lambda.Function the provider invokes (defined elsewhere in the stack)
const provider = new Provider(this, 'MyProvider', {
  onEventHandler: userLambdaFunction,
});
new CustomResource(this, 'CustomResource', {
  serviceToken: provider.serviceToken,
});

The provider function invocation role does not have lambda:GetFunction permission on the user lambda function. If the user lambda fails to invoke for any reason, the waiter will fail immediately.

Possible Solution

Automatically add the required IAM permission when the Provider is created.

Additional Information/Context

No response

CDK CLI Version

2.123.0 (build a594112)

Framework Version

No response

Node.js Version

18.x

OS

AL2

Language

TypeScript

Language Version

No response

Other information

No response

@ejt4x ejt4x added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 1, 2024
@github-actions github-actions bot added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Feb 1, 2024

ejt4x commented Feb 1, 2024

Similar to #24358, this error is only seen when larger numbers (8+) of Custom Resources are deployed to certain regions, where they stack up and are not immediately active, thus entering the waiter pattern.


ejt4x commented Feb 1, 2024

It appears this is a duplicate of #26838, but the lambda waiter call changed at some point from waitFunctionActive to waitFunctionActiveV2. This changed the required IAM permission from lambda:GetFunctionConfiguration to lambda:GetFunction. Will close and comment on that one.

@ejt4x ejt4x closed this as not planned Won't fix, can't repro, duplicate, stale Feb 1, 2024
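The permission change described in the comment above (lambda:GetFunctionConfiguration for the old waiter, lambda:GetFunction for waitUntilFunctionActiveV2), shown with an added offline example that is not part of this issue or of the CDK code base. It uses a minimal identity-policy evaluator (Allow/Deny with `*` and `?` wildcards only, no conditions or resource policies) and a constructed placeholder function ARN; `waiterStatement` is the least-privilege statement a fix would add, scoped to the one user function the provider polls.

```typescript
// Added example: a tiny IAM-style identity-policy evaluator, used to show that a
// provider role holding only lambda:GetFunctionConfiguration (enough for the old
// waitFunctionActive waiter) does not authorize the GetFunction call that
// waitUntilFunctionActiveV2 makes. Real IAM evaluation has more rules; this is
// limited to Allow/Deny statements with '*' and '?' wildcards.
type Effect = 'Allow' | 'Deny';
interface Statement { Effect: Effect; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Turn an IAM pattern ('*' = any run of characters, '?' = one character) into an anchored RegExp.
function iamPattern(pattern: string, caseInsensitive: boolean): RegExp {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, caseInsensitive ? 'i' : '');
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Explicit Deny wins, then any matching Allow, otherwise implicit deny.
// Action names are matched case-insensitively, resource ARNs case-sensitively.
function isAuthorized(policy: PolicyDocument, action: string, resourceArn: string): boolean {
  let allowed = false;
  for (const s of policy.Statement) {
    const actionHit = asList(s.Action).some((a) => iamPattern(a, true).test(action));
    const resourceHit = asList(s.Resource).some((r) => iamPattern(r, false).test(resourceArn));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Least-privilege statement the framework role needs for the V2 waiter, scoped to the
// single user function it polls (assumption: one onEvent handler, no isComplete handler).
function waiterStatement(userFunctionArn: string): Statement {
  return { Effect: 'Allow', Action: 'lambda:GetFunction', Resource: userFunctionArn };
}

// Constructed sample (placeholder ARN, not from the issue): a provider role that can
// invoke the user function and still carries only the pre-V2 waiter permission.
const USER_FN_ARN = 'arn:aws:lambda:us-east-1:123456789012:function:my-onEvent-handler';
const legacyProviderPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 'lambda:InvokeFunction', Resource: USER_FN_ARN },
    { Effect: 'Allow', Action: 'lambda:GetFunctionConfiguration', Resource: USER_FN_ARN },
  ],
};
// Same role with the V2 waiter permission added.
const fixedProviderPolicy: PolicyDocument = {
  ...legacyProviderPolicy,
  Statement: [...legacyProviderPolicy.Statement, waiterStatement(USER_FN_ARN)],
};
```

The CloudTrail message quoted in the issue corresponds to the third case below: invoke succeeds, the old waiter permission is present, and GetFunction is still denied.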

github-actions bot commented Feb 1, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
