Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(lambda): add grantInvokeLatestVersion to grant invoke only to la…
…test function version (#29856) ### Issue # (if applicable) Closes #20177 ### Reason for this change `fn.grantInvoke()` will grant invoke permission to invoke both the latest version and all pervious version of the lambda function. We can see this behavior could bring some security concern for some of our customers. ### Description of changes We provides a new function `fn.grantInvokeLatestVersion()` to grant invoke only to the Latest version of function and the unqualified lambda arn Example: ```ts // Grant permissions to a service declare const fn: lambda.Function; const principal = new iam.ServicePrincipal('my-service'); fn.grantInvokeLatestVersion(principal); ``` ### Description of how you validated changes Added unit tests and integration tests. When using `fn.grantInvokeLatestVersion()` granted principle to invoke a function's past version, it will get the following error: ``` An error occurred (AccessDeniedException) when calling the Invoke operation: User: {$principle} is not authorized to perform: lambda:InvokeFunction on resource: {$LambdaArn:$version} because no identity-based policy allows the lambda:InvokeFunction action ``` ### Alternative design (to discuss) setup a `grantInvokeProp` including `grantVersionAccess` flag to pass in the `grantInvokeLatestVersion` instead using `grantVersionAccess` flag directly on `grantInvokeLatestVersion` -> This is discussed in the comments, I agree having props will have future extensibility but usually for grant methods specifically we haven't seen before. So we will not add prop to the new function `grantInvokeLatestVersion` ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
- Loading branch information