aws / serverless-application-model

The AWS Serverless Application Model (AWS SAM) transform is an AWS CloudFormation macro that transforms SAM templates into CloudFormation templates.
https://aws.amazon.com/serverless/sam
Apache License 2.0

Function.FunctionUrlConfig generates incorrect policy for aliased function #2373

Closed aidansteele closed 2 years ago

aidansteele commented 2 years ago

Description:

I have created a function that has an alias and URL configuration with the following template:

Transform: AWS::Serverless-2016-10-31

Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./bootstrap
      Architectures: [arm64]
      Runtime: provided.al2
      Handler: unused
      AutoPublishAlias: live # notice defined alias
      FunctionUrlConfig:
        AuthType: NONE

This is the template after the serverless transformation. Note that the 7th line is incorrectly referencing the function and not the function's alias.

Resources:
  FunctionUrlPublicPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunctionUrl
      FunctionName:
        Ref: Function # this should be Ref: FunctionAliaslive
      Principal: "*"
      FunctionUrlAuthType: NONE
  FunctionUrl:
    Type: AWS::Lambda::Url
    Properties:
      TargetFunctionArn:
        Ref: FunctionAliaslive
      AuthType: NONE
  Function:
    Type: AWS::Lambda::Function
    Properties:
      Code:
        S3Bucket: stackit-ap-southeast-2-0123465690
        S3Key: urlshenanigans/bootstrap.zip/b15b257b4b1d56015ffb6160f1564d2e
        S3ObjectVersion: ThuT.NfqNqrs7apqjJT7nb9P4ox8TpiT
      Handler: unused
      Role:
        Fn::GetAtt:
          - FunctionRole
          - Arn
      Runtime: provided.al2
      Timeout: 30
      Tags:
        - Key: lambda:createdBy
          Value: SAM
      Architectures:
        - arm64
  FunctionVersionbe0cebe936:
    Type: AWS::Lambda::Version
    DeletionPolicy: Retain
    Properties:
      FunctionName:
        Ref: Function
  FunctionAliaslive:
    Type: AWS::Lambda::Alias
    Properties:
      Name: live
      FunctionName:
        Ref: Function
      FunctionVersion:
        Fn::GetAtt:
          - FunctionVersionbe0cebe936
          - Version
  FunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Tags:
        - Key: lambda:createdBy
          Value: SAM

Observed result:

Accessing the function URL yields a Forbidden error.

Expected result:

Accessing the function URL should be allowed.
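The mismatch above is worth checking for mechanically, because it is easy to miss in a transformed template: the AWS::Lambda::Url targets the alias, but the AWS::Lambda::Permission that grants lambda:InvokeFunctionUrl is attached to the unqualified function. The grant therefore lands on a qualifier that has no URL, and the URL that does exist has no matching grant, so the URL fails closed with Forbidden. What follows is an added example, not code from the issue or from the SAM project: a stdlib-only Python linter run over a constructed dict mirroring the transformed template (resource logical IDs taken from the issue, everything else assumed). It reports each AWS::Lambda::Url whose invoke permission does not target the same logical resource with the same auth type, and repoints such a permission at the alias, which is the correction requested in the issue's inline comment.

```python
"""Lint a post-SAM-transform CloudFormation template for AWS::Lambda::Url
resources whose lambda:InvokeFunctionUrl permission targets a different
qualifier (function vs. alias) than the URL itself.

Added example; not part of the aws/serverless-application-model project.
"""
from __future__ import annotations

import copy
from typing import Any, Optional

# Constructed from the transformed template in the issue. Only the resources
# the check needs are reproduced; Code/Role/Version details are omitted.
TRANSFORMED_TEMPLATE: dict = {
    "Resources": {
        "FunctionUrlPublicPermissions": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunctionUrl",
                "FunctionName": {"Ref": "Function"},  # the bug: unqualified function
                "Principal": "*",
                "FunctionUrlAuthType": "NONE",
            },
        },
        "FunctionUrl": {
            "Type": "AWS::Lambda::Url",
            "Properties": {
                "TargetFunctionArn": {"Ref": "FunctionAliaslive"},  # the alias
                "AuthType": "NONE",
            },
        },
        "Function": {"Type": "AWS::Lambda::Function", "Properties": {}},
        "FunctionAliaslive": {
            "Type": "AWS::Lambda::Alias",
            "Properties": {"Name": "live", "FunctionName": {"Ref": "Function"}},
        },
    }
}


def _ref_target(value: Any) -> Optional[str]:
    """Logical ID named by a {"Ref": id} or {"Fn::GetAtt": [id, attr]} intrinsic.
    Literal ARN strings and unknown shapes yield None (treated as no match)."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target.split(".", 1)[0] if isinstance(target, str) else target[0]
    return None


def _url_permissions(resources: dict) -> list[tuple[str, dict]]:
    """All (logical_id, properties) pairs granting lambda:InvokeFunctionUrl."""
    return [
        (lid, res.get("Properties", {}))
        for lid, res in resources.items()
        if res.get("Type") == "AWS::Lambda::Permission"
        and res.get("Properties", {}).get("Action") == "lambda:InvokeFunctionUrl"
    ]


def find_url_permission_mismatches(template: dict) -> list[str]:
    """One finding per AWS::Lambda::Url that has no InvokeFunctionUrl permission
    targeting the same logical resource with the same FunctionUrlAuthType."""
    resources = template.get("Resources", {})
    permissions = _url_permissions(resources)
    findings: list[str] = []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Url":
            continue
        props = res.get("Properties", {})
        target, auth = _ref_target(props.get("TargetFunctionArn")), props.get("AuthType")
        if any(_ref_target(p.get("FunctionName")) == target
               and p.get("FunctionUrlAuthType") == auth for _, p in permissions):
            continue
        seen = [f"{plid} -> {_ref_target(p.get('FunctionName'))}" for plid, p in permissions]
        findings.append(
            f"{lid}: URL targets '{target}' (AuthType {auth}) but no "
            f"lambda:InvokeFunctionUrl permission targets it; existing permissions: {seen}"
        )
    return findings


def repoint_url_permissions(template: dict) -> dict:
    """Deep copy of the template in which every InvokeFunctionUrl permission that
    points at the function *behind* an aliased URL is repointed at the alias."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for res in resources.values():
        if res.get("Type") != "AWS::Lambda::Url":
            continue
        alias_id = _ref_target(res.get("Properties", {}).get("TargetFunctionArn"))
        alias = resources.get(alias_id, {})
        if alias.get("Type") != "AWS::Lambda::Alias":
            continue  # URL already targets a plain function; nothing to repoint
        function_id = _ref_target(alias.get("Properties", {}).get("FunctionName"))
        for _, props in _url_permissions(resources):
            if _ref_target(props.get("FunctionName")) == function_id:
                props["FunctionName"] = {"Ref": alias_id}
    return fixed


if __name__ == "__main__":
    for finding in find_url_permission_mismatches(TRANSFORMED_TEMPLATE):
        print("FINDING:", finding)
    repaired = repoint_url_permissions(TRANSFORMED_TEMPLATE)
    print("after repoint:", find_url_permission_mismatches(repaired) or "no findings")
```

The check compares logical IDs, not ARN strings, so it only understands Ref and Fn::GetAtt intrinsics; a permission whose FunctionName is a hard-coded qualified ARN would need the ARN's qualifier suffix parsed as well. Running it against the template in this issue reports FunctionUrl once, and after repointing the permission at FunctionAliaslive the report is empty.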

qingchm commented 2 years ago

Thanks for reporting this in; please allow us some time to start investigating and reproducing the issue!

jfuss commented 2 years ago

Closing this as a duplicate of #2386. The only reason to close this one in favor of the newer one is that #2386 has some back and forth on it.

Closing.