aws / aws-extensions-for-dotnet-cli

Extensions to the dotnet CLI to simplify the process of building and publishing .NET Core applications to AWS services
Apache License 2.0

dotnet lambda deploy-function fails when *** No policy, add permissions later *** is chosen #234

Closed bjhogan closed 1 year ago

bjhogan commented 1 year ago

Describe the bug

When deploying a Lambda function using dotnet lambda deploy-function, an error occurs if the option No policy, add permissions later is chosen.

21) *** No policy, add permissions later ***
21
Unknown error executing command: Object reference not set to an instance of an object.
   at Amazon.Common.DotNetCli.Tools.RoleHelper.ExpandManagedPolicyName(IAmazonIdentityManagementService iamClient, String managedPolicy) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 112
   at Amazon.Common.DotNetCli.Tools.RoleHelper.CreateRole(IAmazonIdentityManagementService iamClient, String roleName, String assumeRolePolicy, String[] managedPolicies) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 144
   at Amazon.Common.DotNetCli.Tools.RoleHelper.PromptToCreateRole(IAmazonIdentityManagementService iamClient, PromptRoleInfo promptInfo) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 432
   at Amazon.Common.DotNetCli.Tools.RoleHelper.SelectFromExisting(IAmazonIdentityManagementService iamClient, PromptRoleInfo promptInfo, IList`1 existingRoles) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 393
   at Amazon.Common.DotNetCli.Tools.RoleHelper.PromptForRole(IAmazonIdentityManagementService iamClient, PromptRoleInfo promptInfo) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 370
   at Amazon.Common.DotNetCli.Tools.Commands.BaseCommand`1.GetRoleValueOrDefault(String propertyValue, CommandOption option, String assumeRolePrincipal, String awsManagedPolicyPrefix, Dictionary`2 knownManagedPolicyDescription, Boolean required) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\Commands\BaseCommand.cs:line 368
   at Amazon.Lambda.Tools.Commands.DeployFunctionCommand.PerformActionAsync() in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Lambda.Tools\Commands\DeployFunctionCommand.cs:line 271
   at Amazon.Common.DotNetCli.Tools.Commands.BaseCommand`1.ExecuteAsync() in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\Commands\BaseCommand.cs:line 46

Expected Behavior

The function deploys with a role that has no policy attached.

Current Behavior

Unknown error executing command: Object reference not set to an instance of an object.
   at Amazon.Common.DotNetCli.Tools.RoleHelper.ExpandManagedPolicyName(IAmazonIdentityManagementService iamClient, String managedPolicy) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 112
   at Amazon.Common.DotNetCli.Tools.RoleHelper.CreateRole(IAmazonIdentityManagementService iamClient, String roleName, String assumeRolePolicy, String[] managedPolicies) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 144
   at Amazon.Common.DotNetCli.Tools.RoleHelper.PromptToCreateRole(IAmazonIdentityManagementService iamClient, PromptRoleInfo promptInfo) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 432
   at Amazon.Common.DotNetCli.Tools.RoleHelper.SelectFromExisting(IAmazonIdentityManagementService iamClient, PromptRoleInfo promptInfo, IList`1 existingRoles) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 393
   at Amazon.Common.DotNetCli.Tools.RoleHelper.PromptForRole(IAmazonIdentityManagementService iamClient, PromptRoleInfo promptInfo) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\RoleHelper.cs:line 370
   at Amazon.Common.DotNetCli.Tools.Commands.BaseCommand`1.GetRoleValueOrDefault(String propertyValue, CommandOption option, String assumeRolePrincipal, String awsManagedPolicyPrefix, Dictionary`2 knownManagedPolicyDescription, Boolean required) in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\Commands\BaseCommand.cs:line 368
   at Amazon.Lambda.Tools.Commands.DeployFunctionCommand.PerformActionAsync() in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Lambda.Tools\Commands\DeployFunctionCommand.cs:line 271
   at Amazon.Common.DotNetCli.Tools.Commands.BaseCommand`1.ExecuteAsync() in C:\codebuild\tmp\output\src455250883\src\src\Amazon.Common.DotNetCli.Tools\Commands\BaseCommand.cs:line 46

Reproduction Steps

Create a Lambda function with the lambda.EmptyFunction template.

Run dotnet lambda deploy-function -fn SomeFunction

When asked to "Select IAM Role", choose Create new IAM Role. Enter a role name.

When asked to "Select IAM Policy to attach", choose No policy, add permissions later.

Exception occurs.

Possible Solution

Guard for null or empty managedPolicy in RoleHelper.cs CreateRole(..)

Additional Information/Context

No response

Targeted .NET platform

.NET 6

CLI extension version

amazon.lambda.tools 5.4.4 dotnet-lambda (error output is from this version)
amazon.lambda.tools 5.0.1 dotnet-lambda

Environment details (OS name and version, etc.)

Windows 10, Ubuntu 18.04

ashishdhingra commented 1 year ago

Reproducible.

Possible fix: Handle null while iterating through managed policies at RoleHelper.CreateRole() and calling ExpandManagedPolicyName(). Also handle null while trying to attach policy later before trying to execute IamClient.AttachRolePolicyAsync().
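An added sketch of the guard suggested in this thread, not the project's own code: `IRoleClient`, `FakeRoleClient`, `RoleCreation` and the name-expansion rule are hypothetical stand-ins for the IAM client and `RoleHelper`, and the "no policy" choice is assumed to reach role creation as a null entry in the policy array.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

// Hypothetical stand-in for the two IAM calls involved; not the AWS SDK interface.
public interface IRoleClient
{
    Task<string> CreateRoleAsync(string roleName, string assumeRolePolicy);
    Task AttachRolePolicyAsync(string roleName, string policyArn);
}

// In-memory fake so the example runs offline.
public sealed class FakeRoleClient : IRoleClient
{
    public List<string> Attached { get; } = new List<string>();
    public Task<string> CreateRoleAsync(string roleName, string assumeRolePolicy)
        => Task.FromResult($"arn:aws:iam::123456789012:role/{roleName}"); // constructed account id
    public Task AttachRolePolicyAsync(string roleName, string policyArn)
    {
        if (policyArn == null) throw new ArgumentNullException(nameof(policyArn));
        Attached.Add(policyArn);
        return Task.CompletedTask;
    }
}

public static class RoleCreation
{
    // Assumed expansion rule for illustration: a bare name becomes an AWS managed policy ARN.
    static string ExpandPolicyName(string policy)
        => policy.StartsWith("arn:") ? policy : $"arn:aws:iam::aws:policy/{policy}";

    public static async Task<string> CreateRoleAsync(
        IRoleClient client, string roleName, string assumeRolePolicy, string[] managedPolicies)
    {
        var roleArn = await client.CreateRoleAsync(roleName, assumeRolePolicy);
        // Guard: a null array or null/empty entries mean "no policy", so nothing is expanded or attached.
        foreach (var policy in (managedPolicies ?? Array.Empty<string>())
                     .Where(p => !string.IsNullOrWhiteSpace(p)))
        {
            await client.AttachRolePolicyAsync(roleName, ExpandPolicyName(policy));
        }
        return roleArn;
    }

    public static async Task Main()
    {
        var client = new FakeRoleClient();
        // "No policy, add permissions later" modelled as a single null entry (assumption).
        await CreateRoleAsync(client, "demo-role", "{}", new string[] { null });
        Console.WriteLine($"attached policies: {client.Attached.Count}");
    }
}
```

With the guard in place the role is still created, and it carries only its trust policy until permissions are attached deliberately, which is the outcome the "Expected Behavior" section asks for.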

ashishdhingra commented 1 year ago

Fixed in Amazon.Lambda.Tools version 5.4.5.
