CloudFront: Lambda edge service principal requires for Lambda association #5180

Closed
rix0rrr opened this issue Nov 25, 2019 · 0 comments · Fixed by #5191

rix0rrr commented Nov 25, 2019

Integ test integ.cloudfront-lambda-association.js for CloudFront does not deploy properly anymore, probably because CloudFront has tightened up their validation checks:

 5/6 | 11:27:59 AM | CREATE_FAILED        | AWS::CloudFront::Distribution | MyDistribution/CFDistribution (MyDistributionCFDistributionDE147309) The function execution role must be assumable with edgelambda.amazonaws.com as well as lambda.amazonaws.com principals. Update the IAM role and try again. Role: arn:aws:iam::123456789:role/aws-cdk-cloudfront-LambdaServiceRoleA8ED4D3B-1BALB6KE3O0MN (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidLambdaFunctionAssociation; Request ID: 965db162-0c49-11ea-9d8a-bff40bbb21ec)

This is 🐛 Bug Report

@rix0rrr rix0rrr added bug This issue is a bug. @aws-cdk/aws-cloudfront Related to Amazon CloudFront needs-triage This issue or PR still needs to be triaged. labels Nov 25, 2019
@eladb eladb added the p1 label Nov 26, 2019
@eladb eladb changed the title CloudFront: Lambda association integ test does not work CloudFront: Lambda edge service principal requires for Lambda association Nov 26, 2019
@eladb eladb added the in-progress This issue is being actively worked on. label Nov 26, 2019
eladb pushed a commit that referenced this issue Nov 26, 2019
….com

When using AWS Lambda associations, CloudFront now requires that the AWS Lambda execution role will also trust edgelambda.amazonaws.com. This change adds a statement to the Lambda's trust policy to that effect.

Fixes #5180
@mergify mergify bot closed this as completed in #5191 Nov 26, 2019
mergify bot pushed a commit that referenced this issue Nov 26, 2019
….com (#5191)

* fix(cloudfront): associated lambda role requires edgelambda.amazonaws.com

When using AWS Lambda associations, CloudFront now requires that the AWS Lambda execution role will also trust edgelambda.amazonaws.com. This change adds a statement to the Lambda's trust policy to that effect.

Fixes #5180

* add unit tests
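
The trust-policy requirement from the error above, as an added example that is not part of the issue or the CDK code base: a TypeScript check that reports which of the two service principals a role's trust policy does not allow to assume it. The function name and both sample policies are constructed for illustration.

```typescript
// Added example (not CDK code): which required service principals does a
// role trust policy NOT allow to assume the role?
const REQUIRED_PRINCIPALS = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"];

type OneOrMany<T> = T | T[];
interface Statement {
  Effect: string;
  Action: OneOrMany<string>;
  Principal?: string | { Service?: OneOrMany<string> };
}
interface TrustPolicy {
  Version?: string;
  Statement: OneOrMany<Statement>;
}

// IAM lets most policy fields be a single value or a list; normalize to a list.
function toArray<T>(v: OneOrMany<T> | undefined): T[] {
  return v === undefined ? [] : ([] as T[]).concat(v);
}

// Simplification: Deny statements and Condition blocks are not evaluated.
function missingEdgePrincipals(policy: TrustPolicy): string[] {
  const trusted = new Set<string>();
  for (const stmt of toArray(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    const actions = toArray(stmt.Action).map((a) => a.toLowerCase());
    if (!actions.some((a) => a === "sts:assumerole" || a === "sts:*" || a === "*")) continue;
    // This check only looks at explicitly named Principal.Service entries.
    if (stmt.Principal === undefined || typeof stmt.Principal === "string") continue;
    for (const svc of toArray(stmt.Principal.Service)) trusted.add(svc);
  }
  return REQUIRED_PRINCIPALS.filter((p) => !trusted.has(p));
}

// Constructed sample: a role that trusts lambda.amazonaws.com only.
const BEFORE: TrustPolicy = {
  Version: "2012-10-17",
  Statement: { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } },
};
// Constructed sample: the same role with a second statement for edgelambda.amazonaws.com.
const AFTER: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } },
    { Effect: "Allow", Action: ["sts:AssumeRole"], Principal: { Service: ["edgelambda.amazonaws.com"] } },
  ],
};
console.log(missingEdgePrincipals(BEFORE), missingEdgePrincipals(AFTER));
```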