Replies: 3 comments 2 replies
-
Looks like it works this way, but it is a little verbose... this.bucket.addToResourcePolicy(new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['s3:GetObject', 's3:PutObject'],
principals: [new iam.ArnPrincipal(originResponseFunction.edgeArn)],
})); Wrong! It "works" at compile and diff, but crashes on deploy: Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy) |
Beta Was this translation helpful? Give feedback.
-
Another possible solution would be to manually create the Lambda role: const lambdaRole = new iam.Role(this, 'LambdaExecutionRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
managedPolicies: [iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")],
});
this.bucket.grantReadWrite(lambdaRole); Wrong! It crashed as it complains of circular dependency between stacks...
I'm running out of ideas... |
Beta Was this translation helpful? Give feedback.
-
Are there any updates to this? In general we want to deploy a lambda@edge (us-east-1) which gets read access to an encrypted S3 bucket in another region (like eu-west-2). The simples code example we tried is posted below: Error:
Synth and deploy command
Code Example:import { App, RemovalPolicy, Stack, StackProps } from 'aws-cdk-lib';
import { experimental } from 'aws-cdk-lib/aws-cloudfront';
import { Key } from 'aws-cdk-lib/aws-kms';
import { Architecture, Code, Runtime } from 'aws-cdk-lib/aws-lambda';
import {
BlockPublicAccess,
Bucket,
BucketEncryption,
ObjectOwnership
} from 'aws-cdk-lib/aws-s3';
import { Construct } from 'constructs';
class MyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
const myEdgeFunction = new experimental.EdgeFunction(
this,
'myEdgeFunction',
{
runtime: Runtime.NODEJS_20_X,
architecture: Architecture.X86_64,
handler: 'index.handler',
code: Code.fromInline(`
exports.handler = async () => {
return {
statusCode: 200,
body: JSON.stringify({ message: "Version: 1" })
};
};
`)
}
);
const myKey = new Key(this, 'myKey', {
enableKeyRotation: true,
multiRegion: true
});
const myBucket = new Bucket(this, 'MyBucket', {
removalPolicy: RemovalPolicy.DESTROY,
blockPublicAccess: BlockPublicAccess.BLOCK_ALL,
versioned: true,
objectOwnership: ObjectOwnership.BUCKET_OWNER_PREFERRED,
encryptionKey: myKey,
encryption: BucketEncryption.KMS,
autoDeleteObjects: true
});
myBucket.grantRead(myEdgeFunction);
}
}
const app = new App();
const myStack: MyStack = new MyStack(app, 'MyStack', {
env: { account: '11111', region: 'eu-west-2' }, // region other than us-east-1
crossRegionReferences: true
}); |
Beta Was this translation helpful? Give feedback.
-
I'm creating some infrastructure in
eu-west-1
region, andEdgeFunction
creates the Lambda's inus-east-1
region.Everything works like a charm, except when I try to grant the function read and write access to the bucket, it crashes with this error and don't know what to do:
My stack (simplified) looks like this:
Beta Was this translation helpful? Give feedback.
All reactions