Comments (7)
@GavinZZ Got you. Thanks! I will take this workaround into account.
from serverless-application-model.
Thanks for opening this issue. Like you mentioned, it doesn't look like the if
is being evaluated here. Transferring to the SAM repo in case the folks there have more insight into this.
from serverless-application-model.
Thanks for creating an issue. I can confirm that I can reproduce this issue.
Unfortunately there's not much we can do because SAM does not resolve complex intrinsics and due to backward compatibility issue. A detailed explanation on why SAM doesn't resolve these intrinsics is explained here. AFAIK, resolving these intrinsics typically happens at a later stage after SAM Transform during CloudFormation create changeset step. During SAM transform, there is no way for us to figure out the value of this condition thus deciding to add the policy or not.
If this behaviour is bothering you, I would recommend providing a custom iam role and policies to the lambda function.
from serverless-application-model.
@GavinZZ What do you mean "...there's not much we can do"? 😀 This behaviour simply escalates privileges. It is a bug and you claim "we can't do anything about it"? Isn't it a program after all what ever it does (parses, transforms, etc... one-pass, two-pass, creates abstract syntax tree....)?
Imagine instead of AWSLambdaVPCAccessExecutionRole
it adds
“Statement”: [{
“Effect”: “Allow”,
“Action”: “iam:PassRole”,
“Resource”: “*”
}] }
The rule of the least privileges (AWS's motto) are violated by AWS themselves?
Well, in this particular case it does not bother too much, but I hope we won't see more severe escalations of privileges.
Thank you. 🙂
from serverless-application-model.
Hi @fade2black I understand that it is frustrating and I acknowledge it breaks the principle of least privilege. Please allow me to explain the reasoning a bit more in detail. This problem arises from a inconsiderate design issue when this is first implemented. There are are underlying issue that blocked us from fixing it.
As described in my previous comment, SAM does not have the capability to figure out the value of Fn::If
intrinsics. Without knowing the exact value, we cannot determine whether or not to add the policy or not. The proper solution here would be not, by default, add the policy (or like the pass role example you provided). I absolutely agree that this should have been the way from the first implementation.
However, we cannot proceed with this change as it could be a potentially backward incompatible changes, causing users' lambda function who rely on this behaviour to add the policy to no longer work. SAM promises to always guarantee backward compatibility and that's why we cannot proceed with this change.
One additional workaround that I just think of is to rely on the use of Transform: AWS::Serverless-2016-10-31
transform before SAM Transform, like the following:
Transform:
- AWS::LanguageExtensions
- AWS::Serverless-2016-10-31
This would resolve the intrinsics into a static value and when SAM transform the template, it knows the exact value and would hence not add the policy.
from serverless-application-model.
Closing this issue as it's not in a workable state due to backward compatibility issue. Feel free to open another issue if you have additional questions.
from serverless-application-model.
⚠️ COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
from serverless-application-model.
Related Issues (20)
- "Invalid OpenAPI input" when OpenAPI set to `3.1.0` HOT 4
- AWS SAM Connector Write needs PutObjectTagging HOT 2
- Setting the runtime of a function to nodejs20.x causes sam validate to fail. HOT 2
- AWS::Serverless::Api - setting "OpenApiVersion" causes "Stage" deployment to be skipped - why? HOT 6
- [Test] GitHub Action automatic comments on GitHub closed Issue HOT 1
- AlwaysDeploy does not include GatewayResponse updates HOT 7
- Please explain how to version AWS::Serverless::Function artifacts cleanly HOT 11
- Bug: AWS::Serverless::Function Policies partly not applied HOT 8
- Cors error from SAM template and Auth enabled. HOT 3
- VSCode SAM Schema Validation Error with !Ref in Conditions Section HOT 7
- Api CORS issue with 500 status after setup Cognito authorizer HOT 3
- Building features for AWS SAM HOT 4
- Can't reset BinaryMediaTypes to a default value for API Gateway REST API HOT 2
- AWS::Serverless::Api auto deploys API when a resource is being added HOT 4
- Environment variables not updated HOT 5
- Bug: Using a Ref in StageName is Not Working Properly - Template.yaml HOT 4
- !If not working on Serverless:Function handler HOT 5
- how to configure KMSVerifyPolicy and KMSSignPolicy HOT 1
- Feature request: Git sync HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from serverless-application-model.