-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws-lambda: Defining a deadLetterQueue
or deadLetterTopic
will *always* add a policy to the function's execution role
#29879
Comments
deadLetterQueue
or deadLetterTopic
will *always* add a policy to the function's execution role
Hi @nathandines , thanks for reaching out and sharing the repro code. I am able to repro the issue and can see the policy being added despite importing role. Marking the issue as appropriate. |
|
|
Yes, your explanation makes sense to me. Looking at the pattern followed in the Lambda L2 Construct, and possibly other L2 constructs as well, it makes me think it was a conscious design choice. It is going to be a major change as it's likely that a lot of projects depend on these implicit permissions that the Construct is providing. Personally, I rely on the permissions that Lambda adds automatically if I add resources like a source SQS queue. |
Describe the bug
As indicated in the title, if you define a
deadLetterQueue
ordeadLetterTopic
on aFunction
, it will always append an inline policy to the execution role which is associated with the function.I would suggest that this is expected behaviour if the
Function
creates the IAM role, but it may be unexpected if the IAM role is defined elsewhere. It feels a lot like a side-effect. This feels like a problem within the same CloudFormation stack, but would probably be even more unexpected if the IAM role being referenced originated outside the stack.Expected Behavior
I created an IAM role and SQS queue adjacent to a Lambda Function. I would have expected that if my IAM role were lacking a permission, it would:
Current Behavior
IAM policies for SQS permission will indiscriminately be added to IAM roles no matter where that role originates from
Reproduction Steps
Relevant CDK Source Code
aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function.ts
Lines 1596 to 1599 in 5347369
aws-cdk/packages/aws-cdk-lib/aws-lambda/lib/function-base.ts
Lines 375 to 381 in 5347369
Partial Code to Reproduce Behaviour
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.114.1
Framework Version
2.114.1
Node.js Version
20.8.1
OS
macOS 14.2.1
Language
Python
Language Version
3.11.6
Other information
No response
The text was updated successfully, but these errors were encountered: