
bug: Lambda with IAM doesn't use role when accessing other resources #6329

Closed
@Nanway

Description


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have provisioned an API Gateway with a Lambda on my LocalStack Pro container with IAM enabled.

This lambda does some simple dynamodb calls. When I try to invoke the lambda with:

awslocal apigateway test-invoke-method --rest-api-id 77ux6xv5wo --resource-id 7klf82ga0b --http-method POST --body '{"ddb_quantity" : 3, "is_local": true}'

It results in the following error:

{
    "status": 500,
    "body": "{\"errorType\": \"OperationError\", \"errorMessage\": \"operation error DynamoDB: GetItem, https response error StatusCode: 403, RequestID: , api error AccessDeniedException: Access to the specified resource is denied\"}",
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": "212"
    }
}

If I don't enforce IAM or deploy the same set of resources to AWS it works fine.

Expected Behavior

I expect the Lambda to be able to access DynamoDB since it has been given a role that should grant it read/write capability on the table. In addition, deploying the same thing in real AWS or with IAM disabled works.

How are you starting LocalStack?

With a docker run command

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

	docker run --name ${LOCALSTACK_CONTAINER_NAME} \
		-e LOCALSTACK_API_KEY \
		-e KMS_PROVIDER=local-kms \
		-e SERVICES="${LocalStackServices}" \
		-e DEBUG=1 \
		-e LAMBDA_EXECUTOR=docker \
		-e LS_LOG \
		-e DISABLE_EVENTS=1 \
		-e ENFORCE_IAM=1 \
		-p4566:4566 \
		-p4510:4510 \
		-v "${LOCALSTACK_KMS_SEED}:/init/seed.yaml" -d \
		-v "/var/run/docker.sock:/var/run/docker.sock" \
		localstack/localstack@sha256:${LocalStackImageDigest}

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

This is the code inside the lambda:

	package main

	import (
		"context"
		"fmt"

		"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
		"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	)

	// request mirrors the test-invoke body shown above: {"ddb_quantity": 3, "is_local": true}
	type request struct {
		DDBQuantity int  `json:"ddb_quantity"`
		IsLocal     bool `json:"is_local"`
	}

	// getSubscription is the DynamoDB read the handler performs. LoadAWSConfig is the
	// author's own helper (not shown): it points the AWS endpoint at the localhost url
	// when req.IsLocal is set. The SDK picks up credentials from the Lambda environment.
	func getSubscription(ctx context.Context, req request, table string) (*dynamodb.GetItemOutput, error) {
		awsCfg, err := LoadAWSConfig(ctx, req.IsLocal)
		if err != nil {
			return nil, fmt.Errorf("cannot load AWS config: %w", err)
		}
		client := dynamodb.NewFromConfig(awsCfg)
		// Get current cat count: the item is keyed by user_id + subscription_id
		keyMap := map[string]string{
			"user_id":         "foo",
			"subscription_id": "bar",
		}
		key, err := attributevalue.MarshalMap(keyMap)
		if err != nil {
			return nil, err
		}
		getInput := &dynamodb.GetItemInput{
			Key:       key,
			TableName: &table,
		}
		// This GetItem is the call that fails with AccessDeniedException under ENFORCE_IAM=1
		item, err := client.GetItem(ctx, getInput)
		if err != nil {
			return nil, err
		}
		return item, nil
	}

The result of aws lambda list-functions

    "Functions": [
        {
            "FunctionName": "01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer",
            "FunctionArn": "arn:aws:lambda:us-east-1:000000000000:function:01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer",
            "Runtime": "go1.x",
            "Role": "arn:aws:iam::000000000000:role/01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer",
            "Handler": "main",
            "CodeSize": 6682858,
            "Description": "TODO",
            "Timeout": 60,
            "MemorySize": 512,
            "LastModified": "2022-06-23T05:54:20.256+0000",
            "CodeSha256": "Wk6Auiv8iIWSHBN33w6ycvho6j9Ri/HtREGv2bjLBlQ=",
            "Version": "$LATEST",
            "VpcConfig": {
                "SubnetIds": [],
                "SecurityGroupIds": []
            },
            "Environment": {
                "Variables": {
                    "AWS_ENDPOINT": "http://localhost:4566",
                    "AWS_REGION": "us-east-1",
                }
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "5eca8dc6-5c09-4bd8-b41b-782eec509f6c",
            "Layers": [],
            "State": "Active",
            "LastUpdateStatus": "Successful",
            "PackageType": "Zip",
            "Architectures": [
                "x86_64"
            ]
        }

The result of aws iam list-role-policies --role-name 01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer

{
    "PolicyNames": [
        "AllowDDBRead01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-subscriptionsrole01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer",
        "AllowDDBWrite01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-subscriptionsrole01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer",
        "secretreadpermissions01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer",
        "terraform-20220623055419332900000001"
    ]
}

Let me know if you want me to post the permissions that are part of these policies, but given that the exact same setup works in AWS or without IAM enabled, I think this is a LocalStack IAM-enforcement issue for a Lambda running within a container.

Environment

- OS: 
ProductName:	macOS
ProductVersion:	11.6.4
BuildVersion:	20G417

- LocalStack: 0.14.3.1

Anything else?

No response
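To tell whether a 403 like the one above comes from the role's policies or from the function not running under its role at all, here is an added diagnostic (not part of the issue or of LocalStack): it compares the ARN that sts:GetCallerIdentity would return inside the function with the execution role taken from the list-functions output. The sample caller ARNs are constructed, and the check assumes STS is called with the same awsCfg that the DynamoDB client uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ConfiguredRoleARN is the execution role from the list-functions output above.
const ConfiguredRoleARN = "arn:aws:iam::000000000000:role/01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer"
// IAM role ARN; an optional path (role/path/name) is skipped by (?:.*/)?.
var roleRe = regexp.MustCompile(`^arn:aws:iam::(\d{12}):role/(?:.*/)?([^/]+)$`)
// ARN that sts:GetCallerIdentity returns for a role session (the path is dropped there).
var assumedRe = regexp.MustCompile(`^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$`)

// CallerUsesRole reports whether callerARN is a session of roleARN.
func CallerUsesRole(callerARN, roleARN string) bool {
	r := roleRe.FindStringSubmatch(roleARN)
	c := assumedRe.FindStringSubmatch(callerARN)
	if r == nil || c == nil {
		return false
	}
	return r[1] == c[1] && r[2] == c[2] // same account and same role name
}

// DescribeCaller classifies the effective identity: "role" means the 403 must come
// from the role's policies; anything else means the SDK did not run with the
// configured role's credentials.
func DescribeCaller(callerARN, roleARN string) string {
	switch {
	case CallerUsesRole(callerARN, roleARN):
		return "role"
	case strings.HasSuffix(callerARN, ":root"):
		return "root" // account credentials, not the execution role
	case assumedRe.MatchString(callerARN):
		return "other-role" // a role session, but not the configured role
	default:
		return "unknown"
	}
}

func main() {
	// Constructed sample caller ARNs standing in for real GetCallerIdentity results.
	for _, arn := range []string{
		"arn:aws:sts::000000000000:assumed-role/01G67HX9X5BW74FCDM4MG5V61X-dev-shard-1-deployer/lambda",
		"arn:aws:iam::000000000000:root",
	} {
		fmt.Println(DescribeCaller(arn, ConfiguredRoleARN), arn)
	}
}
```

Logging the result next to the failing GetItem separates "wrong identity" from "insufficient policy" before the role policies themselves need to be examined.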

Labels

aws:iam (AWS Identity and Access Management), aws:lambda (AWS Lambda), type: feature (New feature, or improvement to an existing feature)
