lambda permissions: source arn cannot have wildcard for region


I'm trying to add a permission to a (regular) Lambda for another Lambda@Edge's log group subscriptions. Since the log groups are being created by Lambda@Edge in their respective regions, I need a permission for every region. It would be simpler to make the permission work for any region in that account and function.

Example code that fails:

import { LambdaClient, AddPermissionCommand } from "@aws-sdk/client-lambda";

const lambdaClient = new LambdaClient({});

// Rejected by AddPermission: the region field of SourceArn is a wildcard ("*")
await lambdaClient.send(
    new AddPermissionCommand({
        StatementId: `${lambdaEdgeFunctionName}-subscription-permission`,
        FunctionName: loggroupSubscriptionTargetFunctionName,
        Principal: "logs.amazonaws.com",
        SourceArn: `arn:aws:logs:*:${accountId}:log-group:/aws/lambda/us-east-1.${lambdaEdgeFunctionName}:*`,
        Action: "lambda:InvokeFunction",
    })
)

Since the above command fails the regex check, I have to add a permission for every region the Lambda@Edge function will be run in.

SourceArn (that works):

`arn:aws:logs:us-east-1:${accountId}:log-group:/aws/lambda/us-east-1.${lambdaEdgeFunctionName}:*`

AWS error message: at 'sourceArn' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*)

Different related GitHub issue: https://github.com/hashicorp/terraform-provider-aws/issues/9972

asked 2 years ago, 1243 views

1 Answer

Hi,

Thanks for sharing your steps and the error which is being returned. However, I would like to clarify that this is indeed expected behavior. The source ARN for the Lambda resource policy cannot have a wildcard region or account ID, which is why we are getting this error when using the AddPermission API.

I do see that there is an existing feature request which aims to add the functionality of using wildcards in the region or account ID. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New and Blog pages for any new feature announcements.

Ryan_A, AWS Support Engineer, answered 2 years ago
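The per-region approach the answer leaves you with, written out as an added example (this is not code from the original question or answer). It builds one AddPermission statement per region and pre-checks each SourceArn against the pattern quoted in the error message, so a wildcard region fails locally before any API call is made. The region list, account ID and function names below are constructed placeholders; the log-group name format is the one from the question; @aws-sdk/client-lambda v3 is assumed, and the client and command class are injected so the helpers run without the SDK installed.

```javascript
// Added example (not from the original post). Creates one Lambda resource-policy
// statement per region for a Lambda@Edge function's log groups, because the
// AddPermission API rejects a wildcard region in SourceArn.
// Assumptions: @aws-sdk/client-lambda v3 (injected); the regions, account ID and
// function names in SAMPLE_OPTS are constructed placeholders; log groups are
// named /aws/lambda/us-east-1.<function>, as in the question.

// Pattern copied from the AddPermission validation error, anchored at both ends.
const SOURCE_ARN_PATTERN =
  /^arn:(aws[a-zA-Z0-9-]*):([a-zA-Z0-9\-])+:([a-z]{2}((-gov)|(-iso(b?)))?-[a-z]+-\d{1})?:(\d{12})?:(.*)$/;

function isValidSourceArn(arn) {
  return SOURCE_ARN_PATTERN.test(arn);
}

// Log-group ARN for the Lambda@Edge replica's log group in one region.
function logGroupSourceArn(region, accountId, lambdaEdgeFunctionName) {
  return `arn:aws:logs:${region}:${accountId}:log-group:/aws/lambda/us-east-1.${lambdaEdgeFunctionName}:*`;
}

// One AddPermission input per region. StatementId must be unique within the
// target function's policy, so the region is embedded in it.
function buildAddPermissionInputs({ regions, accountId, lambdaEdgeFunctionName, targetFunctionName }) {
  return regions.map((region) => {
    const SourceArn = logGroupSourceArn(region, accountId, lambdaEdgeFunctionName);
    if (!isValidSourceArn(SourceArn)) {
      throw new Error(`SourceArn would be rejected by AddPermission: ${SourceArn}`);
    }
    return {
      StatementId: `${lambdaEdgeFunctionName}-${region}-subscription-permission`,
      FunctionName: targetFunctionName,
      Principal: "logs.amazonaws.com",
      SourceArn,
      Action: "lambda:InvokeFunction",
    };
  });
}

// Sends the statements. A statement that already exists makes AddPermission throw
// ResourceConflictException; that is treated as "already done" so reruns are safe.
async function addPermissionsForRegions(lambdaClient, AddPermissionCommand, opts) {
  const added = [];
  for (const input of buildAddPermissionInputs(opts)) {
    try {
      await lambdaClient.send(new AddPermissionCommand(input));
      added.push(input.StatementId);
    } catch (err) {
      if (err && err.name === "ResourceConflictException") continue;
      throw err;
    }
  }
  return added;
}

// Constructed sample input (placeholders, not real account or function names).
const SAMPLE_OPTS = {
  regions: ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"],
  accountId: "123456789012",
  lambdaEdgeFunctionName: "my-edge-fn",
  targetFunctionName: "log-subscription-target",
};

// Typical use with the real SDK:
//   import { LambdaClient, AddPermissionCommand } from "@aws-sdk/client-lambda";
//   await addPermissionsForRegions(new LambdaClient({}), AddPermissionCommand, SAMPLE_OPTS);
```

Per-region statements are also the tighter grant: each one lets logs.amazonaws.com invoke the target only on behalf of a single named log group in a single region, which is what a resource policy should say anyway. If you reuse the question's single StatementId for every region, the second call fails with a conflict, hence the region in the ID.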
