By using AWS re:Post, you agree to the Terms of Use
/WAF list_web_acls works with CLI but returns empty array with Boto3 inside lambda/

WAF list_web_acls works with CLI but returns empty array with Boto3 inside lambda

0

I have some WebACLs in WAF that I want to list from a Lambda function. (I have the Regional WebACL in eu-central-1)

My lambda handler:

def lambda_handler(event, context):    
    waf_client = boto3.client(
        "wafv2",
        aws_access_key_id="SOME_ACCESS_KEY_ID",
        aws_secret_access_key="SOME_SECRET_ACCESS_KEY",
        region_name="eu-central-1"
    )
    
    return waf_client.list_web_acls(Scope="REGIONAL")

Lambda Result:

{
  "WebACLs": [],
  "ResponseMetadata": {...}
}

CLI command that works: aws wafv2 list-web-acls --scope=REGIONAL --region=eu-central-1

Result:

{
    "NextMarker": "something",
    "WebACLs": [
        {
            "Name": "something",
            "Id": "hash1",
            "Description": "",
            "LockToken": "hash2",
            "ARN": "arn:aws:wafv2:eu-central-1:accountid:regional/webacl/something/hash1"
        }
    ]
}

Am I missing something here or the Boto3 WAF client is not behaving as expected?

1 Answers
0
Accepted Answer

I can't see a good reason why that doesn't work. Unless the account details you're using at the CLI aren't the same as in the Lambda function. You can use aws sts get-caller-identity and the equivalent boto3 call to confirm.

Note that you don't have to supply credentials within a Lambda function - it's much better practice to create a role which has the right permissions for that Lambda function specifically so that you don't have hard-coded credentials. If you're making cross-account calls then you can do that too.

EXPERT
answered a month ago
  • Removing the credentials resolved the problem as my lambda role already had AWSWAFReadOnlyAccess. Thanks for the swift response!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions