aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

[Lambda] provisioning resource-based policies? #1405

Open karmingc opened 2 years ago

karmingc commented 2 years ago

Reference: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

Is this currently possible? If not, is there a way to see a roadmap of the available AWS controllers?

Thank you!

vijtrip2 commented 2 years ago

If not, is there a way to see a roadmap of the available AWS controllers?

Hi @karmingc , you can see all the issues for a specific service controller using the label for that service name. Ex: https://github.com/aws-controllers-k8s/community/issues?q=is%3Aissue+is%3Aopen+label%3ALambda+

The main issues are "Lambda Service Controller" and "Lambda Service Controller GA release". A similar pattern is followed for all service controllers.

vijtrip2 commented 2 years ago

Is this currently possible?

Looking at the supported resources and the spec of the Function resource, I do not think it is possible right now. @A-Hilaly, thoughts?

a-hilaly commented 2 years ago

We can add a Permission field to the Lambda CRD, the same way we did for the function CodeSigningConfig field. I'll try to add this feature before Lambda is released for GA.

a-hilaly commented 2 years ago

Hi @karmingc - I just realized that there are no API calls to describe function permissions... hence I don't think this feature is possible to implement, for now.

a-hilaly commented 2 years ago

/priority awaiting-more-evidence

karmingc commented 2 years ago

ok no worries, thank you for your response!

a-hilaly commented 1 year ago

I think @biosugar0 raised a good point in #1488 - it looks like GetPolicy is what we need to call to describe function permissions.

a-hilaly commented 1 year ago

/priority important-soon

gagan-eg commented 1 year ago

Yeah, we also need this feature to allow setting up Lambdas which are invoked by other AWS services.

a-hilaly commented 1 year ago

I discussed this issue with a few folks from the Lambda team. Looks like it's gonna be more complicated to support Permissions, ProvisionConcurencyConfig and FunctionInvokeConfig than I initially thought. I will create a GitHub issue explaining why and how we are going to support them.

cep21 commented 1 year ago

Until this is resolved, does anyone here have a good workaround? Our specific case is secret password rotation Lambdas from AWS Secrets Manager, which requires the Lambda to be executed by Secrets Manager.

a-hilaly commented 1 year ago

Unfortunately, there is currently no workaround (using ACK). There are multiple possible solutions, but we have chosen not to implement them at this time as the controller is in GA and we don't want to risk causing any breaking changes. We are drafting a document outlining the different solutions and their respective user experiences. We would also like to gather feedback from users before making a final decision. @cep21, @karmingc, @gagan-eg, @biosugar0, would any of you be available for a call next month to discuss this further? Probably a better alternative: we could also publish a design document PR so you can provide feedback there.

cep21 commented 1 year ago

feedback from users before making a final decision

I don't mind meeting, but it's likely not necessary: the use case is simple (Secrets Manager rotation of passwords via Lambda). I trust any solution or workaround Amazon can come up with is fine.

we could also publish a design document PR

That works.

workarounds

One workaround we tried was making the Lambda in Terraform, which already supports all the IAM stuff we need, and having ACK only manage image rotations of the Lambda code (the part we really care about). The blocker there was that adoption of resources creates the Lambda CRD and places it in the cluster for us, when we would rather the CRD exist inside Flux.

Are there any workarounds that work if we are OK doing the management of the Lambda inside Terraform, and just need ACK to auto-update the code?

gagan-eg commented 1 year ago

I would be available for a call if needed. For us it was attaching a Lambda permission so it could be invoked by S3 on bucket upload. I just had to move everything to Terraform instead of ACK for this. The main reason to use ACK is that Lambda image updates are much easier for developers when using ACK than when it's in TF, since we use GitOps (Argo CD) and EKS. We still use ACK for a data transformation invocation from Firehose, where the IAM role for Firehose lets us specify the invocation permissions.

biosugar0 commented 1 year ago

It is difficult to talk on the phone as I am not good at speaking English, but it is possible to share use cases. We have a GitOps development flow around EKS and ACK is useful to put Lambda on that flow. And the requirement related to this topic is to link Lambda and Alexa skills using ACK. To do this, we need to set up a resource-based policy. As a workaround, we would use Terraform, but it would be great if we could do this with ACK.

ack-bot commented 1 year ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

jljaco commented 1 year ago

/remove-lifecycle stale

ack-bot commented 8 months ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

alekstr commented 7 months ago

Wanted to revive this topic regarding the "evidence": permissions are required in order for a Lambda to be available to trigger from sources like EventBridge, S3, CloudWatch and others - https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-lambda-permissions
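To make the GetPolicy point above concrete, and the S3 / EventBridge / Secrets Manager invocation cases raised in this thread, here is an added example (not ACK code, and not from anyone in this thread) of what a controller would have to do for a hypothetical `permissions` field: read the live resource-based policy with GetPolicy, then converge it on the desired statements with AddPermission / RemovePermission. The method names and response shapes (`get_policy` returning the policy document as a JSON string under `Policy`, `add_permission` taking `StatementId` / `Principal` / `SourceArn` / `SourceAccount`, `remove_permission` taking `StatementId`) match boto3's Lambda client; `FakeLambdaClient` is a constructed in-memory stand-in so the logic runs offline, and the function name, ARNs and account id are constructed sample values. Pinning `SourceArn` / `SourceAccount` on each statement is the part worth copying: a service principal alone lets any account's bucket or rule invoke the function.

```python
"""Reconcile a Lambda resource-based policy against desired permission statements.
Added example; the `permissions` field it models does not exist in ACK."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Permission:
    statement_id: str
    principal: str                         # service principal, e.g. "s3.amazonaws.com"
    source_arn: Optional[str] = None       # restricts which bucket/rule/secret may invoke
    source_account: Optional[str] = None   # restricts the invoking account
    action: str = "lambda:InvokeFunction"


class PolicyNotFound(Exception):
    """Stand-in for boto3's client.exceptions.ResourceNotFoundException (no policy yet)."""


class FakeLambdaClient:
    """Constructed in-memory client with the GetPolicy/AddPermission/RemovePermission shapes."""

    def __init__(self, function_arn: str):
        self.function_arn = function_arn
        self.statements: Dict[str, dict] = {}

    def get_policy(self, FunctionName: str) -> dict:
        if not self.statements:
            raise PolicyNotFound(FunctionName)
        doc = {"Version": "2012-10-17", "Id": "default", "Statement": list(self.statements.values())}
        return {"Policy": json.dumps(doc), "RevisionId": "rev-constructed"}  # Policy is a JSON string

    def add_permission(self, FunctionName, StatementId, Action, Principal,
                       SourceArn=None, SourceAccount=None) -> dict:
        if StatementId in self.statements:  # the real API refuses to overwrite a Sid
            raise ValueError("ResourceConflictException: " + StatementId)
        stmt = {"Sid": StatementId, "Effect": "Allow", "Principal": {"Service": Principal},
                "Action": Action, "Resource": self.function_arn}
        cond = {}
        if SourceArn:
            cond["ArnLike"] = {"AWS:SourceArn": SourceArn}
        if SourceAccount:
            cond["StringEquals"] = {"AWS:SourceAccount": SourceAccount}
        if cond:
            stmt["Condition"] = cond
        self.statements[StatementId] = stmt
        return {"Statement": json.dumps(stmt)}

    def remove_permission(self, FunctionName, StatementId) -> dict:
        del self.statements[StatementId]
        return {}


def observed_permissions(client, function_name: str) -> Dict[str, Permission]:
    """Parse the GetPolicy document back into Permission objects keyed by Sid."""
    try:
        policy = json.loads(client.get_policy(FunctionName=function_name)["Policy"])
    except PolicyNotFound:
        return {}
    have = {}
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        principal = stmt["Principal"]
        if isinstance(principal, dict):
            principal = principal.get("Service") or principal.get("AWS")
        have[stmt["Sid"]] = Permission(
            statement_id=stmt["Sid"], principal=principal, action=stmt["Action"],
            source_arn=cond.get("ArnLike", {}).get("AWS:SourceArn"),
            source_account=cond.get("StringEquals", {}).get("AWS:SourceAccount"))
    return have


def reconcile(client, function_name: str, desired: List[Permission]) -> Dict[str, List[str]]:
    """Converge the live policy on `desired`. A Sid whose content drifted is removed and
    re-added, because AddPermission cannot update an existing Sid in place."""
    want = {p.statement_id: p for p in desired}
    have = observed_permissions(client, function_name)
    to_remove = [sid for sid, p in have.items() if want.get(sid) != p]
    to_add = [sid for sid, p in want.items() if have.get(sid) != p]
    for sid in to_remove:
        client.remove_permission(FunctionName=function_name, StatementId=sid)
    for sid in to_add:
        p = want[sid]
        kwargs = {"FunctionName": function_name, "StatementId": sid, "Action": p.action,
                  "Principal": p.principal}
        if p.source_arn:
            kwargs["SourceArn"] = p.source_arn
        if p.source_account:
            kwargs["SourceAccount"] = p.source_account
        client.add_permission(**kwargs)
    return {"added": to_add, "removed": to_remove}


def demo() -> dict:
    """Create, detect out-of-band drift, and confirm the loop is idempotent (constructed values)."""
    fn = "rotate-db-password"
    client = FakeLambdaClient("arn:aws:lambda:us-east-1:123456789012:function:" + fn)
    desired = [
        Permission("AllowS3Uploads", "s3.amazonaws.com",
                   source_arn="arn:aws:s3:::example-upload-bucket", source_account="123456789012"),
        Permission("AllowSecretsManagerRotation", "secretsmanager.amazonaws.com",
                   source_account="123456789012"),
    ]
    first = reconcile(client, fn, desired)
    # Drift: the S3 statement is widened to any bucket outside the controller.
    client.statements["AllowS3Uploads"]["Condition"] = {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::*"}}
    second = reconcile(client, fn, desired)
    third = reconcile(client, fn, desired)
    return {"first": first, "second": second, "third": third, "live": observed_permissions(client, fn)}


if __name__ == "__main__":
    print(json.dumps({k: v for k, v in demo().items() if k != "live"}, indent=2))
```

With a real boto3 client the `PolicyNotFound` catch becomes `client.exceptions.ResourceNotFoundException`, and `account`-style principals (`{"AWS": ...}`) would need a `PrincipalOrgID`/account-aware branch in `add_permission`; the diff-then-converge shape stays the same.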

ack-bot commented 1 month ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ajitwe commented 1 month ago

/remove-lifecycle stale

urton commented 6 days ago

Any updates? I also need to trigger Lambdas from S3 event notifications and I'd like to keep the configuration "contained" in K8s, but that doesn't seem possible ATM?