lambda:ListTags will be required soon

DataBiosphere / azul

Metadata indexer and query service used for AnVIL, HCA, LungMAP, and CGP

Apache License 2.0

7 stars 2 forks source link

lambda:ListTags will be required soon #6387

Open hannes-ucsc opened 4 months ago

hannes-ucsc commented 4 months ago

We are contacting you because we are making a change to the Lambda GetFunction API authorization which may require your action.

Previously, permissions on ListTags were required only when using the ListTags API explicitly. However, principals with GetFunction API permissions could still access tag information outputted by the GetFunction call. Beginning July 27, 2024, Lambda will return tags data only when the principal calling GetFunction API has a policy with explicit allow permission on ListTags API. When the role calling the GetFunction API has a policy with a deny or has no policy with explicit allow access to ListTags API, Lambda will not return tags data in the response to the GetFunction API call.

We identified your account has roles with allow access to the GetFunction API, however, the policy does not allow access to the ListTags API. If you intend to continue receiving tags data using the GetFunction API, you must add a policy to the AWS Identity and Access Management (IAM) role used to call the GetFunction API with an explicit “allow access to the ListTags API. Please refer to our "Permissions required for working with tags" user guide for information about the permissions required for using tags with Lambda resources [1].

To allow you time to review and make necessary changes, we have added your account to an allow list until September 1, 2024. After this date, calls to the GetFunction API will return tags data only if the caller has explicit allow access to the ListTags API. If the caller does not have allow access to the ListTags or has deny access to the ListTags API, the GetFunction API will return function configuration excluding tags data. Additionally, the message will include the new TagsError object which provides the reason for not returning the tags data.

Please refer to our "Adding and removing IAM identity permissions" user guide for information on adding missing permissions to existing users [2].

If you need more time to take action, or have questions, please contact AWS Support [3].

[1] https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html#permissions-required-for-working-with-tags-cli [2] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html [3] https://aws.amazon.com/support

Sincerely, Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210

hannes-ucsc commented 4 months ago

The developer role has ListTags, the azul-gitlab role does not. Assignee to create PR that adds lambda:GetTags to the permissions of the azul-gitlab role, next to where GetFunction is granted. Assignee to also check other grants of GetFunction. I checked the service and indexer roles and they don't have it, but I'd like the assignee to verify that we don't need to add GetTags anywhere but else.

dsotirho-ucsc commented 4 months ago

No action required. lambda:GetFunction is not granted to the azul-gitlab role, rather lambda:ListFunctions is. From what I can tell, lamda:ListTags is not required for lambda:ListFunctions, only for lambda:GetFunction.

https://docs.aws.amazon.com/lambda/latest/api/API_ListTags.html

Returns a function's tags. You can also view tags with GetFunction.

Customer managed policies (on dev):

AccessAnalyzerMonitorServicePolicy_FVO5QVBD5V: Does not grant any lambda: actions.
cloud_enforcer_policy_platform-hca-dev: Grants both lambda:GetFunction and lambda:ListTags actions.
developer: Grants both lambda:GetFunction and lambda:ListTags actions (via a wildcard allow "NotAction": "iam:*",).
azul-gitlab_vpc: Does not grant any lambda: actions.
azul-gitlab-iam: Does not grant any lambda: actions.
azul-boundary: Grants the lambda:ListFunctions action

achave11-ucsc commented 4 months ago

@hannes-ucsc: "The azul-gitlab role does get lambda:GetFunction from the boundary policy (see screenshot below). Assignee to use the IAM Policy evaluator in the AWS Console in order to reproduce my experiment which led me to believe that azul-gitlab does not have lambda:GetTags."

screenshot

dsotirho-ucsc commented 4 months ago

Against any resource (*) the azul-gitlab role does not have GetFunction or ListTags permission.

Screenshot 2024-07-10 at 5 37 24 PM

Against an azul-* resource (azul-service-dev), the azul-gitlab roles does have GetFunction and ListTags permissions.

Screenshot 2024-07-10 at 5 36 53 PM

hannes-ucsc commented 4 months ago

I checked again and cannot reproduce my observation.

Unrelatedly, assignee to remove the cloud_enforcer_policy_platform-hca-dev policy.

Then close as won't fix.

achave11-ucsc commented 4 months ago

I don't have the appropriate authorization to remove the cloud_enforcer_policy_platform-hca-dev policy. From the trail logs:

User: arn:aws:sts::122796619775:assumed-role/developer/achave11@ucsc.edu is not authorized to perform: iam:DeletePolicyVersion on resource: policy arn:aws:iam::122796619775:policy/cloud_enforcer_policy_platform-hca-dev because no identity-based policy allows the iam:DeletePolicyVersion action

failed-rm

achave11-ucsc commented 1 month ago

From an AWS Action Required notification:

This is a follow-up to the communication you may have received on July 4, 2024 about a change to Lambda GetFunction API authorization, which may require your action. We have delayed the implementation of that change from the previously communicated date of July 27, 2024 to October 2, 2024. In addition, to accommodate additional time for you to review and make necessary changes, we have added your account to an exception list until November 11, 2024.