Hey!
I have a policy statement for allowing an assumed role via web identity. It works fine. I have a role which this policy is attached to with permissions to invoke a lambda function. I can invoke a Lambda function with this role in AWS.
Here's my question - when invoking a lambda function via the web identity assumed role (hypothetically let's say GCP) - it tells me that no policy allows me to invoke the lambda function - but that I have assumed the role. When I edit the specific policy for the web identity role assumption to also include invoking the lambda function - this works fine.
The workaround seems fine - but my understanding is that I shouldn't need it. My role having the invoke lambda policy - and my web identity policy allowing me to assume that role - should be enough - no? Is there a quick refresher on why I need the secondary policy grant in the web identity grant?
Hey - I think the way I'm seeing it - my external account is assuming the role.
role includes policy statements 1-5 (which includes lambda trust policy/invoke lambda/web identity policy)
I thought the Role w. attached policy bundle would be enough to provide the web identity the lambda invoke role? I'll double check on my end if I misconfigured something. Right now - it looked like the Lambda resource permissions had to be placed in the web identity policy itself (vs the role).
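One thing worth checking when a role's own policy allows an action but the federated session still gets "no policy allows", is whether a session policy is being passed along with the AssumeRoleWithWebIdentity call: the session then only gets the intersection of the role's permissions policy and that session policy. The simplified model below is an added example (not AWS's evaluator and not the poster's policies); the account id, region and function name are placeholders.

```python
# Added example: a simplified model of how an AssumeRoleWithWebIdentity session
# gets its permissions.  Not AWS's evaluator; account id, region and function
# name below are placeholders.
from fnmatch import fnmatchcase

# Permissions policy attached to the role: what a session of this role may do.
ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER",
    }],
}

# Optional session policy passed with the assume call.  Effective permissions
# are the intersection of the role policy and the session policy, so an action
# missing here is denied even though the role itself allows it.
SESSION_POLICY_NARROW = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                   "Resource": "*"}],
}
SESSION_POLICY_WITH_INVOKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                   "Resource": "*"}],
}

def _matches(stmt, action, resource):
    acts = stmt.get("Action", [])
    ress = stmt.get("Resource", "*")
    acts = [acts] if isinstance(acts, str) else acts
    ress = [ress] if isinstance(ress, str) else ress
    return (any(fnmatchcase(action, a) for a in acts)
            and any(fnmatchcase(resource, r) for r in ress))

def _decision(policy, action, resource):
    """Explicit Deny wins, then Allow, otherwise implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def is_allowed(action, resource, role_policy, session_policy=None):
    """True only if the role policy allows the call and, when a session policy
    was supplied, that policy allows it too."""
    if _decision(role_policy, action, resource) != "Allow":
        return False
    return session_policy is None or _decision(session_policy, action, resource) == "Allow"
```

The role's trust policy (the one naming the federated provider) governs only the sts:AssumeRoleWithWebIdentity call itself and never grants the session any permissions, so the invoke grant has to live in the role's permissions policy and, if one is passed, in the session policy too.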