
(aws-s3): supply custom role when adding bucket notifications #13241

Closed
JoelG-AWS opened this issue Feb 24, 2021 · 7 comments
Labels
@aws-cdk/aws-s3 Related to Amazon S3 closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. feature-request A feature should be added or improved. p1

Comments


JoelG-AWS commented Feb 24, 2021

Hello Team. I am working on a customer engagement which is attempting to leverage cdk to help deploy a series of Lambda functions. One of the behaviors that we noticed, when we added an S3 event source to a lambda cdk definition, is that it auto generates a BucketNotificationsHandler IAM role and policy. Our customer has a unique corporate policy that prevents the role used to deploy the application stack from changing/creating any IAM resources. Any insight into how we can suppress the auto creation of the following role when the cdk is synthesized? Below is the code snippet we are using to initialize our lambda function. Your assistance is greatly appreciated, and let me know if you need additional details.

```python
# Fragment of the stack definition (CDK v1, Python). The imports are the ones the
# snippet relies on; role_arn and input_bucket are defined elsewhere in the stack.
from aws_cdk import core, aws_iam as iam, aws_lambda as lambda_
from aws_cdk import aws_lambda_event_sources as lambda_event_sources, aws_s3 as s3

lambda_.Function(
    self,
    "TestLambda",
    runtime=lambda_.Runtime.PYTHON_3_8,
    code=lambda_.Code.from_asset("code_dir"),
    handler="index.lambda_handler",
    timeout=core.Duration.seconds(30),
    events=[
        lambda_event_sources.S3EventSource(
            bucket=input_bucket,
            events=[s3.EventType.OBJECT_CREATED],
        )
    ],
    # Existing role imported by ARN; mutable=False stops CDK from attaching policies to it.
    role=iam.Role.from_role_arn(
        self,
        id="Testlambda",
        role_arn=role_arn,
        mutable=False,
    ),
)
```

This exact same situation happens with an EKS cluster, in which a cluster creator role and IAM role are created. Due to our unique corporate policy we need to suppress the auto creation of roles in CDK.

Reproduction Steps

Create a Lambda function in cdk with the following event specified.

```python
events=[
    lambda_event_sources.S3EventSource(
        bucket=input_bucket,
        events=[s3.EventType.OBJECT_CREATED],
    )
],
```

What did you expect to happen?

If a role is defined and provided as input to a module, another role would not be created by cdk.

Stop the auto creation of IAM roles and policies.

What actually happened?

The roles are still created even though a role is provided in the input.

Environment

  • CDK CLI Version: 1.88
  • Framework Version:
  • Node.js Version:
  • OS: MacOS
  • Language (Version): Python 3.8.2

Other

This is 🐛 Bug Report
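As an added example (not code from the issue or from the aws-cdk project), a synth-time gate for the corporate policy the reporter describes: it scans a synthesized CloudFormation template for IAM resources the deploy role would have to create, and for Lambda functions whose role is not a supplied ARN. The template and its logical IDs are constructed for illustration.

```python
import json

# Constructed sample of a synthesized template (cdk.out/<stack>.template.json), trimmed to
# the resources relevant to the issue: a Lambda function wired to an imported role ARN, plus
# the BucketNotificationsHandler role and policy the S3 event source generates. Logical IDs
# are made up for the example; real ones carry a CDK-generated hash suffix.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "TestLambdaAB12CD34": {"Type": "AWS::Lambda::Function",
                           "Properties": {"Role": "arn:aws:iam::111122223333:role/existing-lambda-role"}},
    "BucketNotificationsHandlerRoleABCD1234": {"Type": "AWS::IAM::Role",
                                               "Properties": {"AssumeRolePolicyDocument": {}}},
    "BucketNotificationsHandlerRoleDefaultPolicyEF567890": {"Type": "AWS::IAM::Policy",
        "Properties": {"Roles": [{"Ref": "BucketNotificationsHandlerRoleABCD1234"}]}},
}})

# CloudFormation types the customer's deploy role is not permitted to create.
IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
             "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::InstanceProfile"}


def iam_resources(template_json):
    """Return sorted (logical_id, type) pairs for every IAM resource the template creates."""
    resources = json.loads(template_json).get("Resources", {})
    return sorted((lid, res.get("Type", "")) for lid, res in resources.items()
                  if res.get("Type") in IAM_TYPES)


def check_no_iam_creation(template_json):
    """Policy gate: list of violation messages; an empty list means the stack complies."""
    violations = [f"{lid} ({typ}) would be created by the deploy role"
                  for lid, typ in iam_resources(template_json)]
    resources = json.loads(template_json).get("Resources", {})
    for lid, res in resources.items():
        # A plain string Role is an imported ARN; a Ref or Fn::GetAtt object means the
        # stack itself creates the role the function runs as.
        if (res.get("Type") == "AWS::Lambda::Function"
                and not isinstance(res.get("Properties", {}).get("Role"), str)):
            violations.append(f"{lid} uses a role created by the stack")
    return violations


if __name__ == "__main__":
    # Against the constructed sample, the two BucketNotificationsHandler resources are flagged.
    for problem in check_no_iam_creation(SAMPLE_TEMPLATE):
        print("VIOLATION:", problem)
```

Pointed at the real cdk.out template in CI, the gate fails the build whenever a construct quietly adds a role or policy the deploy role is not allowed to create.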

@JoelG-AWS JoelG-AWS added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 24, 2021
@JoelG-AWS JoelG-AWS changed the title (module name): short issue description Suppress auto creation of IAM Role and Policy Feb 24, 2021
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Feb 24, 2021

rix0rrr commented Feb 24, 2021

Looks like it's not currently possible.

@rix0rrr rix0rrr added @aws-cdk/aws-s3 Related to Amazon S3 and removed @aws-cdk/aws-iam Related to AWS Identity and Access Management labels Feb 24, 2021
@rix0rrr rix0rrr assigned iliapolo and unassigned rix0rrr Feb 24, 2021
@rix0rrr rix0rrr changed the title Suppress auto creation of IAM Role and Policy s3 event source: supply custom role when adding bucket notifications Feb 24, 2021

spsoni commented Feb 26, 2021

I have a similar issue. I am using SQS as my event source for Lambda trigger. As per my enterprise policy as well, we are not allowed to create new IAM roles on the fly. Can we pass in an existing role here?

I even tried to hack into python code to disable queue.grantConsumeMessages, but due to JSII architecture, I cannot hack into the bind behaviour here.

```python
def do_nothing(target):
    pass

# Attempt to neutralise the grant before the event source binds (it does not take
# effect, as the bind runs in the JSII layer rather than on this Python object).
self.sqs_ready_to_sync.grant_consume_messages = do_nothing

event_source = SqsEventSource(
    self.sqs_ready_to_sync,
    batch_size=input_params.get('sqs_ready_to_sync_batch_size', 10)
)
event_source.queue.grant_consume_messages = do_nothing

lambda_sync.add_event_source(
    event_source
)
```


iliapolo commented Mar 1, 2021

This isn't currently possible unfortunately. Marking as a feature request to somehow provide the notification handler role externally. Or maybe the ability to instantiate the NotificationHandler itself and provide that to the bucket.

@iliapolo iliapolo added feature-request A feature should be added or improved. p1 effort/medium Medium work item – several days of effort and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 1, 2021
@iliapolo iliapolo changed the title s3 event source: supply custom role when adding bucket notifications (aws-s3): supply custom role when adding bucket notifications Mar 1, 2021
@ericzbeard ericzbeard added the feature/enhancement A new API to make things easier or more intuitive. A catch-all for general feature requests. label Apr 1, 2021
@iliapolo iliapolo removed their assignment Jun 27, 2021
mergify bot pushed a commit that referenced this issue Jan 24, 2022
Allow users to pass a custom role to `Bucket`, which will be used by the notifications handler.

Fixes #9918, #13241.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
LukvonStrom pushed a commit to LukvonStrom/aws-cdk that referenced this issue Jan 26, 2022
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@github-actions

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jun 28, 2022
@github-actions github-actions bot added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Jul 3, 2022
@github-actions github-actions bot closed this as completed Jul 3, 2022
@pchaganti

Anything on this? The ability to control the role used by the notifications handler is quite important in locked down enterprise environments.


jhmarlow commented Oct 3, 2023

Hi, this still seems to be an issue; is there any workaround for this?

@namedgraph

@rix0rrr @iliapolo this is not currently possible with CDK and yet the AWS Marketplace requires a custom policy for the S3 notifications.

In the IAM policy, the following WRITE action(s) support resource-level permissions. You must narrow the scope of the following action(s) by specifying resources and/or adding condition keys

This makes no sense 😠
