Miserlou / Zappa

Serverless Python
https://blog.zappa.io/
MIT License

API Gateway assigned same role as Lambda #479

Open atif1996 opened 7 years ago

atif1996 commented 7 years ago

Issue

When the developer is providing a specific role and setting manage roles to false, Zappa takes the role provided in the role name argument and assigns it to both the Lambda and the Api Gateway. This is problematic.

  1. ApiGateway now has access to everything your application code does, when it only needs access to invoke your lambda. It's unclear if these elevated privileges could be used to malicious ends.

  2. The role now needs a trust relationship that allows Api Gateway to assume the role. If this trust relationship doesn't exist, zappa deploy appears to work, but your actual lambda never gets executed.

  3. The documentation doesn't make clear that the role will be used for both Api Gateway and the Lambda function.

Errors as experienced by the user:

The user sees an "internal server error" message when trying to access the API. Zappa tail fails because, since the Lambda never gets invoked, there is no log to tail.

When attempting to test the ApiGateway through the web console, the following error is found (in the GUI for API Gateway when I run a test):

Execution log for request test-request
Thu Nov 17 14:40:49 UTC 2016 : Starting execution for request: test-invoke-request
Thu Nov 17 14:40:49 UTC 2016 : HTTP Method: GET, Resource Path: /portal/
Thu Nov 17 14:40:49 UTC 2016 : Method request path: {proxy=portal/}
Thu Nov 17 14:40:49 UTC 2016 : Method request query string: {}
Thu Nov 17 14:40:49 UTC 2016 : Method request headers: {}
Thu Nov 17 14:40:49 UTC 2016 : Method request body before transformations: null
Thu Nov 17 14:40:49 UTC 2016 : Execution failed due to configuration error: API Gateway does not have permission to assume the provided role
Thu Nov 17 14:40:49 UTC 2016 : Method completed with status: 500

Suggested Change

Miserlou commented 7 years ago

Thanks for raising this; this is an excellent issue. Permissions/Roles/Policies overall need a thorough overview. On the whole, we've operated in the fashion of being permissive out of the box for developers and individuals, but providing the ability to bring your own policies if operating in a corporate/controlled environment.

Your suggestions look good to me; did you come up with what the best ApiGateway-specific role to use looks like?

atif1996 commented 7 years ago

Yes, I was able to work with Amazon to track that down. Basically I need a Role with an attached policy like AWSLambdaRole:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "lambda:InvokeFunction"
        ],
        "Resource": ["*"]
    }]
}

As you can see, this role allows the ApiGateway to invoke any lambda. Optimally, this would only allow ApiGateway to execute the Zappa Lambda.

The second piece is that the role needs to have a trust relationship with ApiGateway such that ApiGateway can assume into the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I installed the Role as described and then used boto to switch the role that ApiGateway runs as (since it's not editable in the Web Console), and everything is working pretty well.
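As an added example (not code from this issue or from Zappa), the following script builds the tighter variant of the role described above: the same apigateway.amazonaws.com trust policy, but a permission policy that allows lambda:InvokeFunction on one function ARN instead of "*", plus a check that flags the wildcard form. The function ARN, role name, and helper names such as `build_trust_policy` and `create_apigw_role` are assumptions; the IAM client is passed in so the logic can be exercised without AWS access.

```python
import json

# Constructed placeholder values, not from the issue or from Zappa.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-zappa-app-dev"
APIGW_SERVICE = "apigateway.amazonaws.com"


def build_trust_policy(service=APIGW_SERVICE):
    """Trust policy so that only the named service can sts:AssumeRole into the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}


def build_invoke_policy(function_arn):
    """Permission policy: lambda:InvokeFunction on one function ARN, not on '*'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["lambda:InvokeFunction"],
                           "Resource": [function_arn]}]}


def policy_is_scoped(policy):
    """True unless some Allow statement names '*' as a resource (the AWSLambdaRole shape)."""
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            return False
    return True


def create_apigw_role(iam, role_name, function_arn):
    """Create the role with the trust policy and the scoped inline policy; return its ARN.

    `iam` is a boto3 IAM client (boto3.client("iam")); it is passed in so the
    policy-building logic can be tested offline with a fake client.
    """
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(build_trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="invoke-one-zappa-lambda",
                        PolicyDocument=json.dumps(build_invoke_policy(function_arn)))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import boto3  # only needed for the real call against AWS
    print(create_apigw_role(boto3.client("iam"), "zappa-apigw-invoke", FUNCTION_ARN))
```

The returned ARN is what goes into the `/credentials` patch on the API Gateway integration, as in the boto3 snippet further down this thread.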

atif1996 commented 7 years ago

For anyone who also has this problem, the following Python will switch your credentials. The syntax was a little unexpected. Create your new role first, as described above, and then run the following in a python session.

import boto3

# Fill these in for your deployment (placeholders; the original snippet left them undefined):
api_id = 'YOUR_REST_API_ID'          # restApiId of the API Zappa created
resource_id = 'YOUR_RESOURCE_ID'     # id of the proxy resource whose integration to change
oldRoleArn = 'arn:aws:iam::ACCOUNT_ID:role/OLD_SHARED_ROLE'
newRoleArn = 'arn:aws:iam::ACCOUNT_ID:role/NEW_APIGW_ROLE'

client = boto3.client('apigateway')
# Replace the integration's execution role (the "credentials" field) with the new role
client.update_integration(
    restApiId=api_id,
    resourceId=resource_id,
    httpMethod='ANY',
    patchOperations=[
        {'op': 'replace',
         'from': oldRoleArn,
         'value': newRoleArn,
         'path': '/credentials'}]
)

milan322 commented 7 years ago

I am facing this issue of internal server error after a successful Zappa deployment of a simple Flask application. I am using a role_name for Lambda function creation in the Zappa settings. Could you please help me with this issue?

atif1996 commented 7 years ago

@milan322 What do you get when you test the application through the web console?

milan322 commented 7 years ago

@atif1996 hey, sorry for the delayed reply. I made it work. I just needed to change the policy settings as: "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole"

Thanks for the response.

hammadzz commented 6 years ago

I think I can help with managing roles. I am thinking we need to separate deployment from execution altogether. I think Terraform will be a better fit for deploying over CloudFormation. We have a mess with pip packages that are not even related to execution being uploaded into Lambda, like troposphere (used for generation of CloudFormation templates).

I think I can help with this but will need some support to understand how it currently works.