Lambda: Implement cross-account access #8195
Conversation
This reverts commit acf951b.
viren-nadkarni
force-pushed
the
lambda-cross-accounts
branch
from
dfd04b8 to
dcd931b
Compare
viren-nadkarni
force-pushed
the
lambda-cross-accounts
branch
from
ccbd481 to
37e09df
Compare
Lambda function retrievals must be made with same context region as the ARN.
| @@ -54,7 +55,7 @@ | |||
|
|
|||
| # Pattern for extracting various attributes from a full or partial ARN or just a function name. | |||
| FUNCTION_NAME_REGEX = re.compile( | |||
| r"(arn:(aws[a-zA-Z-]*):lambda:)?((?P<region>[a-z]{2}(-gov)?-[a-z]+-\d{1}):)?(?P<account>\d{12}:)?(function:)?(?P<name>[a-zA-Z0-9-_\.]+)(:(?P<qualifier>\$LATEST|[a-zA-Z0-9-_]+))?" | |||
| r"(arn:(aws[a-zA-Z-]*):lambda:)?((?P<region>[a-z]{2}(-gov)?-[a-z]+-\d{1}):)?(?:(?P<account>\d{12}):)?(function:)?(?P<name>[a-zA-Z0-9-_\.]+)(:(?P<qualifier>\$LATEST|[a-zA-Z0-9-_]+))?" | |||
There was a problem hiding this comment.
Before this change, the regex used to capture the : as part of the account ID
viren-nadkarni
requested review from
joe4dev,
dfangl and
dominikschubert
as code owners
viren-nadkarni
added
the
semver: minor
|
@viren-nadkarni Looking forward to cross-account support for Lambda 🚀 Lambda layers are not in the list because the AWS documentation dedicates a separate section to them here: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountlayer
There are a couple of TODOs related to IAM in |
viren-nadkarni
force-pushed
the
lambda-cross-accounts
branch
from
593408b to
2399a17
Compare
viren-nadkarni
force-pushed
the
lambda-cross-accounts
branch
from
2399a17 to
07ac492
Compare
Policy operations don't work across accounts in the old provider
|
@joe4dev: Thanks for highlighting that! I've added cross-account access support for the layer operations along with the tests. The scope is currently limited to retrievals only. Actual IAM enforcement will be added in a later PR. |
There was a problem hiding this comment.
Great work making lambda ready for cross account access!
Just some minor nits, it is good to merge once they are addressed (from my side).
In general, it would be nice to be able to perform aws validated cross account tests, what do you think @dominikschubert , is there some way to facilitate this?
| layer_version_arn = api_utils.layer_version_arn( | ||
| layer_name, context.account_id, context.region, str(version_number) | ||
| ) | ||
| region_name, account_id, layer_n, _ = LambdaProvider._resolve_layer(layer_name, context) |
There was a problem hiding this comment.
Why use layer_n instead of layer_name here suddenly? I actually had to think a second there what that is supposed to mean.
There was a problem hiding this comment.
layer_name is the function argument and can contains either the layer name or layer ARN. This is user-provided and error messages are generated accordingly.
layer_n contains the layer name and is named so to avoid overwriting 🔝
I've added a comment to clarify this in 8c402e1
| @@ -3128,14 +3147,12 @@ def delete_layer_version( | |||
| if version_number < 1: | |||
| raise InvalidParameterValueException("Layer Version Cannot be less than 1", Type="User") | |||
|
|
|||
| # TODO: test cross-region? (e.g. with functions it doesnt work and raises an exception) | |||
There was a problem hiding this comment.
This does not seem tested now, are we sure this works? Otherwise we might not want to remove that TODO
There was a problem hiding this comment.
We generally allow cross-region access in LocalStack, except in Lambda where it is snapshot tested
Layers currently allows cross-region in LS, so I've removed the comments
There was a problem hiding this comment.
Yes, the point of that comment was however to snapshot test if it is possible in aws or not, and apply the restrictions.
I'm actually working on this. #8204 will update our test strategy to use a non-standard account ID. As you can see from the failing tests, a lot of our services are not cross-account ready. I'll be going through all the services and update the cross-accounts logic. This is a huge undertaking and will be done in a series of PRs, starting with #8223 (for sqs) and #8235 (for lambda). |
Summary
This PR adds support for cross-account access to Lambda functions and layers.
Specifically, following operations:
This is a prerequisite for cross-account IAM policy enforcement.
Related
https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html#permissions-resource-xaccountinvoke