Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

(aws-lambda): grant invoke twice with different principals #15710

Closed
TRANTANKHOA opened this issue Jul 22, 2021 · 8 comments · Fixed by #20174
Closed

(aws-lambda): grant invoke twice with different principals #15710

TRANTANKHOA opened this issue Jul 22, 2021 · 8 comments · Fixed by #20174
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2

Comments

@TRANTANKHOA
Copy link

I grant invoke for my lambda to 2 different principles and only one resource policy created.

Reproduction Steps

lambda.grantInvoke(new ServicePrincipal('s3.amazonaws.com').withConditions({
    ArnLike: {
        'aws:SourceArn': aBucket.bucketArn,
    },
    StringEquals: {
        'aws:SourceAccount': this.node.tryGetContext('account'),
    },
}))
lambda.grantInvoke(new ServicePrincipal('s3.amazonaws.com').withConditions({
    ArnLike: {
        'aws:SourceArn': bBucket.bucketArn,
    },
    StringEquals: {
        'aws:SourceAccount': this.node.tryGetContext('account'),
    },
}))

Expect 2 different resource policies created

What actually happened?

Deployment went ok, only first policy created

Statement ID: LambdaInvokeServicePrincipals3amazonawscomF32-78TTVCKWLPHK
Principal: s3.amazonaws.com
Effect: Allow
Action: lambda:InvokeFunction
Conditions: {
 "StringEquals": {
  "AWS:SourceAccount": "111122223333"
 },
 "ArnLike": {
  "AWS:SourceArn": "arn:aws:s3:::a-bucket"
 }
}

Environment

  • **CDK CLI Version : 1.115.0
  • **Node.js Version: v14.17.3
  • **OS: Windows
  • **Language (Version): TypeScript

This is 🐛 Bug Report
@TRANTANKHOA TRANTANKHOA added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 22, 2021
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Jul 22, 2021
@nija-at
Copy link
Contributor

nija-at commented Jul 28, 2021

Acknowledged that this is a bug.

The bug is coming from

aws-cdk/packages/@aws-cdk/aws-lambda/lib/function-base.ts

Lines 309 to 310 in dbe4641

// Memoize the result so subsequent grantInvoke() calls are idempotent
let grant = this._invocationGrants[identifier];

The key to the memoization should not just be the identifier, which in this case is s3.amazonaws.com. The fix is to update the identifier to be the "hash" of the Grantable object passed.

The workaround for this is to use lambda.addPermission() instead.

@nija-at nija-at removed the needs-triage This issue or PR still needs to be triaged. label Jul 28, 2021
@nija-at
Copy link
Contributor

nija-at commented Jul 28, 2021

Since there is a workaround and we have only received one report on this so far, I am unassigning and marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback.

@nija-at nija-at added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 labels Jul 28, 2021
@nija-at nija-at removed their assignment Jul 29, 2021
@deepak-sreekumar
Copy link

@nija-at Can I take a stab at this?
Proposed solution:
As you suggested, using object-hash and changing the identifier to something like
const identifier = `Invoke${MD5(grantee.grantPrincipal)}`; .

@deepak-sreekumar deepak-sreekumar mentioned this issue Oct 4, 2021
Closed
@deepak-sreekumar
Copy link

Raised a PR. Please take a look @nija-at @njlynch . Thanks.

@Dzhuneyt Dzhuneyt mentioned this issue Jan 31, 2022
Closed
@Dzhuneyt
Copy link
Contributor

Dzhuneyt commented Jan 31, 2022
edited
Loading

The PR mentioned above was a bit outdated. I've created a new one using the newer Template.fromStack(stack) syntax for tests as well as using the NodeJS built-in Crypto package. @nija-at @njlynch

@Dzhuneyt
Copy link
Contributor

The PR now integrated green @nija-at @njlynch. In case you wanted to take a look.

@Dzhuneyt Dzhuneyt mentioned this issue May 2, 2022
Merged
4 tasks
@Dzhuneyt
Copy link
Contributor

Dzhuneyt commented May 2, 2022

@nija-at @njlynch - open to any feedback here. I've created a new "clean" PR.

@mergify mergify bot closed this as completed in #20174 May 4, 2022
mergify bot pushed a commit that referenced this issue May 4, 2022
@Dzhuneyt
fix(lambda): grant invoke twice with different principals (#20174)
bb4c950 
Supercedes: #18748 (which got too messy due to conflicts)
Closes #15710
----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented May 4, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

wphilipw pushed a commit to wphilipw/aws-cdk that referenced this issue May 23, 2022
@Dzhuneyt @wphilipw
fix(lambda): grant invoke twice with different principals (aws#20174)
8785555 
Supercedes: aws#18748 (which got too messy due to conflicts)
Closes aws#15710
----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-lambda Related to AWS Lambda bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2
Projects
None yet
Milestone
No milestone
4 participants
@Dzhuneyt @TRANTANKHOA @nija-at @deepak-sreekumar