Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Need help using Annotation to ack an error with a lambda

0

Here is the warning:

[Warning at /CoreStack/S3Resources/FactsetNewDocumentLambda] addPermission() has no effect on a Lambda Function with region=us-east-1, account=471112525756, in a Stack with region=us-east-1, account=362454057537. Suppress this warning if this is is intentional, or pass sameEnvironment=true to fromFunctionAttributes() if you would like to add the permissions. [ack: UnclearLambdaEnvironment]

Here is the code:

 // The following somehow produces an attempt to addPermission to the lambda, which fails,
    // because it lives in another account. All the permissions are set up in the environment
    // where it is created.
    const stagingLambda = aws_lambda.Function.fromFunctionArn(
      this,
      "FactsetNewDocumentLambda",
      "arn:aws:lambda:us-east-1:471112525756:function:FactsetNewDocumentHandler",
    );
    Annotations.of(stagingLambda).acknowledgeWarning(
      "UnclearLambdaEnvironment",
      "This warning is intentional and reviewed.",
    );

The annotation is not suppressing the warning.

Topics
AWS Cloud Development Kit (CDK)Developer Tools
Tags
AWS Cloud Development Kit (CDK)Developer Tools
Language
English
asked 8 months ago149 views
2 Answers
0

Here is the correct code:

    const stagingLambda = aws_lambda.Function.fromFunctionAttributes(
      this,
      "MyLambda",
      {
        functionArn:
          "arn:aws:lambda:us-east-1:aaaaaaaaaaaa:function:nnnnnnnnnnnn",
        skipPermissions: true,
      },
    );
answered 8 months ago
-1

The warning you're seeing is related to cross-account Lambda permissions. When you use Function.fromFunctionArn() to reference a Lambda function in another AWS account, the CDK tries to add permissions to that function but can't because it's in a different account.

Your annotation isn't working because you need to use the correct warning ID format. The warning ID "UnclearLambdaEnvironment" doesn't match the actual ID in the warning message.

To properly suppress this warning, you should modify your code to either:

  1. Use the exact warning ID as shown in the message:
Annotations.of(stagingLambda).acknowledgeWarning(
"addPermission() has no effect on a Lambda Function with region=us-east-1, account=471112525756, in a Stack with region=us-east-1, account=362454057537",
"This warning is intentional and reviewed."
);

Or, a better approach would be to:

  1. Pass the sameEnvironment: false parameter when creating the function reference:
const stagingLambda = aws_lambda.Function.fromFunctionArn(
this,
"FactsetNewDocumentLambda",
"arn:aws:lambda:us-east-1:471112525756:function:FactsetNewDocumentHandler",
{ sameEnvironment: false }
);

This explicitly tells CDK that the Lambda function is in a different environment and not to attempt adding permissions to it.
Sources
Config rule with custom lambda permission issue | AWS re:Post
Granting Lambda function access to other accounts - AWS Lambda
Lambda examples using AWS CLI - AWS SDK Code Examples

answered 8 months ago
  • bimargulies
    8 months ago

    The code in here doesn't even compile.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content