Skip to content

Fix permissions generation for Lambda ARNs with aliases #255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 16, 2019
Merged

Fix permissions generation for Lambda ARNs with aliases #255

merged 2 commits into from
Sep 16, 2019

Conversation

@NoxHarmonium
Copy link
Contributor

@NoxHarmonium NoxHarmonium commented Sep 16, 2019

We using ARN strings to specify Lambdas in step function tasks in one of our projects.
We can't use references like Ref: for various reasons and we build the ARN with string interpolation.

This worked fine up until we started using aliases and we started getting permission errors. It seems like the alias wildcard that was put into generate step function IAM role was appended to the ARN rather than replacing the specified alias.

This change strips off the alias if it already exists so the permission generation works correctly.

Previously this step definition:

SomeStep:
  Type: "Task"
  Resource: "arn:aws:lambda:${self:provider.region}:${self:provider.awsAccountId}:function:some-function:some-alias"
  End: true

Would create a step function role policy with a resource like:

{
    "Fn::Sub": [
    "${functionArn}:*",
    {
        "functionArn": "arn:aws:lambda:ap-southeast-2:12345678:function:some-function:some-alias"
    }
    ]
},

Which is invalid since the :* wild card is appended to the alias instead of replacing it.
It should actually look like this:

{
    "Fn::Sub": [
    "${functionArn}:*",
    {
        "functionArn": "arn:aws:lambda:ap-southeast-2:12345678:function:some-function"
    }
    ]
},

Let me know if this makes sense and I'm on the right track.

Thanks!

@NoxHarmonium
chore: update asl-validator version
1bb25cd 
- This brings in a fix to step function validation when using ARN
strings with aliases
@NoxHarmonium
fix: fix permissions issue with lambda ARN strings
ee94d8b 
- This fixes an issue when a lambda ARN string is used in a Task and it
has an alias
- Previously permissions would be created with alias wildcard appended
to the string that already had an alias, creating an invalid ARN
- This change strips off the alias if it already exists so the
permission generation works correctly
theburningmonk
theburningmonk approved these changes Sep 16, 2019
View reviewed changes
Copy link
Collaborator

@theburningmonk theburningmonk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@theburningmonk theburningmonk merged commit ab9c4f9 into serverless-operations:master Sep 16, 2019
@theburningmonk
Copy link
Collaborator

theburningmonk commented Sep 16, 2019

🎉 This PR is included in version 2.6.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

ss-betseqnzr pushed a commit to BetSEQNZR/serverless-step-functions that referenced this pull request Sep 8, 2023
@theburningmonk
Merge pull request serverless-operations#255 from agiledigital/master
4f33541 
Fix permissions generation for Lambda ARNs with aliases
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theburningmonk theburningmonk theburningmonk approved these changes

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@NoxHarmonium @theburningmonk