
(aws-s3-notifications): How to add event notification to existing bucket using existing role? #16173

Closed
timotk opened this issue Aug 23, 2021 · 7 comments
Labels: @aws-cdk/aws-s3-notifications, closing-soon, guidance

Comments

@timotk

timotk commented Aug 23, 2021

❓ General Issue

How to add event notification to existing bucket using existing role?

I would like to add an S3 event notification to an existing bucket that triggers a lambda. As described here, this process will create a BucketNotificationsHandler lambda. However, I am not allowed to create this lambda, since I do not have the permissions to create a role for it:

<me> is not authorized to
perform: iam:CreateRole on resource: arn:aws:iam::<account>:role/<prefix>-BucketNotificationsHandler...

Is there a way to work around this? I am not in control of the full AWS stack, so I cannot simply give myself the appropriate permission. I am allowed to pass an existing role.

Here's a slimmed down version of the code I am using:

from aws_cdk import aws_iam, aws_lambda, aws_s3, aws_s3_notifications

# The existing role I am allowed to pass. mutable=False tells the CDK never to
# attach policies to it (grant calls become no-ops).
project_iam_role = aws_iam.Role.from_role_arn(
    self,
    id="myrole",
    role_arn="arn:aws:iam::<account>:role/<myrole>",
    mutable=False,
)

# Existing bucket, imported by name; no AWS::S3::Bucket resource is created.
bucket = aws_s3.Bucket.from_bucket_name(
    self, id="bucket", bucket_name="mybucket"
)

trigger_function = aws_lambda.Function(...)

# On an imported bucket this adds the BucketNotificationsHandler custom resource,
# which brings its own AWS::IAM::Role and is what fails on iam:CreateRole.
bucket.add_event_notification(
    aws_s3.EventType.OBJECT_CREATED,
    aws_s3_notifications.LambdaDestination(trigger_function),
)

(Partial) output of cdk diff:

[+] AWS::IAM::Role BucketNotificationsHandler.../Role BucketNotificationsHandler050....
[+] AWS::IAM::Policy BucketNotificationsHandler.../Role/DefaultPolicy BucketNotificationsHandler050...RoleDefaultPolicy....
[+] AWS::Lambda::Function BucketNotificationsHandler....BucketNotificationsHandler...

Final error:

9:19:26 AM | CREATE_FAILED        | AWS::IAM::Role                | BucketNotification...
API: iam:CreateRole User: arn:aws:sts::<account>:assumed-role/<myrole>/<my-email> is not authorized to
perform: iam:CreateRole on resource: arn:aws:iam::<account>:<myrole>/....BucketNotificationsHandl-...

Environment

  • CDK CLI Version: 1.117.0
  • Module Version: 1.119.0
  • Node.js Version: v16.6.2
  • OS: macOS Big Sur
  • Language (Version): Python 3.8

Other information

related issues:

@timotk timotk added guidance Question that needs advice or information. needs-triage This issue or PR still needs to be triaged. labels Aug 23, 2021
@otaviomacedo
Contributor

At the moment, there is no way to pass your own role to create BucketNotificationsHandler. And I don't even know how we could change the current API to accommodate this. It wouldn't make sense, for example, to add an IRole to the signature of addEventNotification.

What you can do, however, is create your own custom resource (copied from the CDK) replacing the role creation with your own role.

@timotk
Author

timotk commented Aug 26, 2021

@otaviomacedo Thanks for your comment. Why would it not make sense to add the IRole to addEventNotification? From my limited understanding it seems rather reasonable.

By custom resource, do you mean using the following code, but in my own Stack? https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts#L27, where you would set your own role at https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts#L61 ?

E.g:

constructor(scope: Construct, id: string, role: iam.IRole) {
    super(scope, id);

    this.role = role; // use my existing role here, passed in instead of created.
}

@bmkennedy-hcg

I am also dealing with this issue. I don't have rights to create a user role so any attempt to run CDK calling .addEventNotification() fails. Interestingly, I am able to manually create the event notification in the console, so that must do the operation without creating a new role. It's not clear to me why there is a difference in behavior.

@britzp

britzp commented Sep 2, 2021

I am also having this issue. I don't have a workaround. I tried to make an Aspect to replace all IRole objects, but aspects apparently run after everything is linked.

@otaviomacedo
Contributor

Why would it not make sense to add the IRole to addEventNotification? From my limited understanding it seems rather reasonable.

@timotk addEventNotification provides a clean abstraction: type, target and filters. The role of the Lambda function that triggers the notification is an implementation detail, that we don't want to leak.

By custom resource, do you mean using the following code, but in my own Stack? https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts#L27, where you would set your own role at https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-s3/lib/notifications-resource/notifications-resource-handler.ts#L61 ?

Yes, exactly.
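Worked example of the "your own custom resource" approach otaviomacedo describes above. This is an added illustration, not the CDK's own BucketNotificationsHandler code, and it does not claim to reproduce that handler. The point of the pattern is that the Lambda which writes the bucket's notification configuration signs its S3 calls with whatever execution role it was given: create that function yourself with `role=project_iam_role` from the snippet earlier in the thread and point a `core.CustomResource(..., service_token=fn.function_arn, properties={...})` at it, and no new `AWS::IAM::Role` appears in the template. The role you pass must then allow `s3:GetBucketNotification` and `s3:PutBucketNotification` on the bucket ARN. Because you are no longer using `LambdaDestination`, you also have to let S3 invoke the target function yourself (`trigger_function.add_permission(...)` with `principal=aws_iam.ServicePrincipal("s3.amazonaws.com")` and `source_arn=bucket.bucket_arn`); that becomes an `AWS::Lambda::Permission`, a resource policy on the function, and needs no `iam:CreateRole`. Everything in the block (the `cdk-managed-` Id prefix, `FakeS3`, `demo`, the ARNs, queue and bucket names) is an assumption or constructed test data, and the HTTP PUT of the result to `event["ResponseURL"]` that a real custom resource must perform is left out.

```python
import json
from typing import Any, Dict, List

# The per-destination lists S3 accepts in a NotificationConfiguration.
DESTINATION_KEYS = ("LambdaFunctionConfigurations", "QueueConfigurations", "TopicConfigurations")
# Assumption: entries this handler owns carry an Id with this prefix, so Update and
# Delete touch only those and leave entries added elsewhere (e.g. the console) alone.
MANAGED_ID_PREFIX = "cdk-managed-"
# IAM actions the existing execution role must allow on the bucket ARN.  These are the
# IAM action names; the API calls are Get/PutBucketNotificationConfiguration.
REQUIRED_BUCKET_ACTIONS = ("s3:GetBucketNotification", "s3:PutBucketNotification")


def is_managed(entry: Dict[str, Any]) -> bool:
    return str(entry.get("Id", "")).startswith(MANAGED_ID_PREFIX)


def merge_notification_config(existing: Dict[str, Any], desired: Dict[str, Any]) -> Dict[str, Any]:
    """Return `existing` with its managed entries replaced by those in `desired`.
    Unmanaged entries and the EventBridge flag are kept, so a Delete (empty
    `desired`) removes only what this stack installed."""
    for key in DESTINATION_KEYS:
        for entry in desired.get(key, []):
            if not is_managed(entry):
                raise ValueError(f"{key} entry {entry.get('Id')!r} lacks prefix {MANAGED_ID_PREFIX!r}")
    merged: Dict[str, Any] = {}
    for key in DESTINATION_KEYS:
        combined = [e for e in existing.get(key, []) if not is_managed(e)] + list(desired.get(key, []))
        if combined:
            merged[key] = combined
    if "EventBridgeConfiguration" in existing:
        merged["EventBridgeConfiguration"] = existing["EventBridgeConfiguration"]
    return merged


def handler(event: Dict[str, Any], context: Any = None, s3: Any = None) -> Dict[str, Any]:
    """CloudFormation custom-resource entry point.  `s3` is a boto3-style client,
    injected so the logic runs offline; in Lambda pass boto3.client("s3"), which
    signs with the function's execution role, i.e. the pre-existing role you are
    allowed to pass.  Posting the returned dict to event["ResponseURL"] is omitted."""
    props = event["ResourceProperties"]
    bucket = props["BucketName"]
    current = dict(s3.get_bucket_notification_configuration(Bucket=bucket))
    current.pop("ResponseMetadata", None)  # boto3 adds this; S3 rejects it on Put
    desired = {} if event["RequestType"] == "Delete" else props.get("NotificationConfiguration", {})
    new_config = merge_notification_config(current, desired)
    s3.put_bucket_notification_configuration(Bucket=bucket, NotificationConfiguration=new_config)
    managed = sum(1 for k in DESTINATION_KEYS for e in new_config.get(k, []) if is_managed(e))
    return {
        "Status": "SUCCESS",
        "PhysicalResourceId": f"{bucket}-bucket-notifications",
        "StackId": event.get("StackId"),
        "RequestId": event.get("RequestId"),
        "LogicalResourceId": event.get("LogicalResourceId"),
        "Data": {"ManagedEntries": managed},
    }


class FakeS3:
    """Constructed stand-in for the two boto3 S3 calls used above (not boto3)."""

    def __init__(self, initial: Dict[str, Any]) -> None:
        self.config = json.loads(json.dumps(initial))  # deep copy
        self.put_calls: List[Dict[str, Any]] = []

    def get_bucket_notification_configuration(self, Bucket: str) -> Dict[str, Any]:
        return {**self.config, "ResponseMetadata": {"HTTPStatusCode": 200}}

    def put_bucket_notification_configuration(self, Bucket: str, NotificationConfiguration: Dict[str, Any]) -> Dict[str, Any]:
        self.put_calls.append({"Bucket": Bucket, "NotificationConfiguration": NotificationConfiguration})
        self.config = json.loads(json.dumps(NotificationConfiguration))
        return {}


def demo() -> Dict[str, Any]:
    """Create, then delete, a managed Lambda notification on a bucket that already
    carries a console-added SQS notification (all identifiers constructed)."""
    s3 = FakeS3({"QueueConfigurations": [{"Id": "console-added", "Events": ["s3:ObjectRemoved:*"],
                                          "QueueArn": "arn:aws:sqs:eu-west-1:111122223333:my-queue"}]})
    base = {"StackId": "stack-1", "RequestId": "req-1", "LogicalResourceId": "BucketNotifications",
            "ResourceProperties": {"BucketName": "mybucket", "NotificationConfiguration": {
                "LambdaFunctionConfigurations": [{"Id": MANAGED_ID_PREFIX + "object-created",
                                                  "Events": ["s3:ObjectCreated:*"],
                                                  "LambdaFunctionArn": "arn:aws:lambda:eu-west-1:111122223333:function:trigger"}]}}}
    created = handler({**base, "RequestType": "Create"}, s3=s3)
    after_create = s3.config
    deleted = handler({**base, "RequestType": "Delete"}, s3=s3)
    return {"after_create": after_create, "after_delete": s3.config,
            "managed_after_create": created["Data"]["ManagedEntries"],
            "managed_after_delete": deleted["Data"]["ManagedEntries"],
            "put_calls": len(s3.put_calls)}
```

Running `demo()` shows the property the thread is circling around: after Create the bucket carries both the console-added queue entry and the managed Lambda entry, and after Delete only the console-added entry remains, because the handler filters on its own Id prefix rather than overwriting the whole configuration. Before deploying, confirm the role you are handed actually permits the two actions in `REQUIRED_BUCKET_ACTIONS` on the bucket; if it does not, the custom resource fails at deploy time with an AccessDenied from S3 instead of the iam:CreateRole error shown above.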

@ryparker ryparker removed the needs-triage This issue or PR still needs to be triaged. label Sep 7, 2021
@peterwoodworth peterwoodworth added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Sep 8, 2021
@peterwoodworth
Contributor

Closing because this seems wrapped up. Ping me if you have any other questions

@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
