
aws-lambda: addPermission doesn't allow overriding auto-generated statement ID #34219


Open
garysassano opened this issue Apr 22, 2025 · 4 comments
Labels
@aws-cdk/aws-lambda Related to AWS Lambda feature-request A feature should be added or improved.

Comments


garysassano commented Apr 22, 2025

Description

When using the addPermission method on a Lambda function, CDK generates a resource-based policy statement with an auto-generated statement ID that begins with the construct path. There is currently no way to override this behavior and specify a custom statement ID that will be used in the actual AWS resource.

Current Behavior

When calling addPermission with a statement ID like:

myFunction.addPermission("AllowCWL", {
  principal: new ServicePrincipal("logs.amazonaws.com"),
  action: "lambda:InvokeFunction",
  sourceArn: `arn:aws:logs:${this.region}:${this.account}:log-group:*`,
  sourceAccount: this.account,
});

The statement ID in the actual Lambda resource-based policy becomes something like:
<stack-name>-<function-name><policy-logic-id><random-id>

(Screenshot of the generated statement ID as seen in the AWS Console; image not reproduced here.)

Expected Behavior

The addPermission method should have an optional property to specify the exact statement ID to use in the deployed resource-based policy. For example:

myFunction.addPermission("AllowCWL", {
  principal: new ServicePrincipal("logs.amazonaws.com"),
  action: "lambda:InvokeFunction",
  sourceArn: `arn:aws:logs:${this.region}:${this.account}:log-group:*`,
  sourceAccount: this.account,
  statementId: "AllowCWL" // <-- Proposed property to override the auto-generated ID
});

Additional Information

The AWS Lambda API itself allows specifying the statement ID directly when adding permissions. This feature request is to expose this capability through the CDK API.

AWS Lambda API vs. CDK Implementation

Lambda API Behavior

  • The native AddPermission API requires a user-specified StatementId parameter
  • This ID must be unique within the function's policy
  • Manual AWS CLI command example:
    aws lambda add-permission \
      --function-name my-function \
      --action lambda:InvokeFunction \
      --statement-id AllowCWL \
      --principal logs.amazonaws.com \
      --source-arn arn:aws:logs:us-west-2:123456789012:log-group:* \
      --source-account 123456789012

CDK Current Implementation

  • CDK auto-generates statement IDs using construct paths and logical IDs
  • Generated IDs follow pattern: <stack-name>-<function-name><policy-logic-id><random-id>
  • No exposed statementId property in Permission interface:
    // Current CDK interface (simplified)
    interface Permission {
      principal: IPrincipal;
      action?: string;
      sourceArn?: string;
      // Missing statementId property
    }
    
    // Proposed solution would require
    interface Permission {
      // ...existing properties
      statementId?: string; // New optional property
    }

Current Workaround (Complex and Fragile)

// Using escape hatch to modify generated policy
const cfnFunc = myFunction.node.defaultChild as lambda.CfnFunction;
cfnFunc.addOverride('Properties.Policy.Statement.0.Sid', 'CustomID');

CDK CLI Version

2.190.0

Framework Version

No response

Node.js Version

22.14.0

OS

Ubuntu 24.04

Language

TypeScript

Language Version

No response

Other information

No response

@garysassano garysassano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 22, 2025
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Apr 22, 2025
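Because CDK does not let you pin the Sid, any review of a deployed function's resource-based policy should key on principal and conditions rather than on the generated statement ID. The following is an added example, not code from the issue or the aws-cdk project: it parses the "Policy" JSON string returned by `aws lambda get-policy` and flags service-principal statements that carry neither an aws:SourceArn nor an aws:SourceAccount condition, the scoping the issue's addPermission call sets. The sample policy document and its Sids are constructed for the example.

```typescript
// Added example, not code from the aws-cdk project. Parses the "Policy" field
// returned by `aws lambda get-policy` (a JSON string) and checks each statement
// by principal and condition rather than by the Sid that CDK auto-generates.
interface PolicyStatement {
  Sid?: string;
  Principal: string | { Service?: string; AWS?: string };
  Condition?: Record<string, Record<string, string>>;
}
interface Finding {
  sid: string;
  principal: string;
  hasSourceArn: boolean;
  hasSourceAccount: boolean;
  unscoped: boolean; // service principal with neither SourceArn nor SourceAccount
}
function auditLambdaPolicy(policyJson: string): Finding[] {
  const doc = JSON.parse(policyJson) as { Statement: PolicyStatement[] };
  return doc.Statement.map((s) => {
    const isService = typeof s.Principal !== "string" && s.Principal.Service !== undefined;
    const principal = typeof s.Principal === "string"
      ? s.Principal : s.Principal.Service ?? s.Principal.AWS ?? "unknown";
    const cond = s.Condition ?? {};
    // A service principal should be pinned to the calling resource or account
    // via aws:SourceArn (ArnLike/ArnEquals) and/or aws:SourceAccount.
    const hasSourceArn = "aws:SourceArn" in (cond.ArnLike ?? {}) || "aws:SourceArn" in (cond.ArnEquals ?? {});
    const hasSourceAccount = "aws:SourceAccount" in (cond.StringEquals ?? {});
    return { sid: s.Sid ?? "(none)", principal, hasSourceArn, hasSourceAccount,
             unscoped: isService && !hasSourceArn && !hasSourceAccount };
  });
}
// Sids of every statement the audit considers unscoped.
function unscopedSids(policyJson: string): string[] {
  return auditLambdaPolicy(policyJson).filter((f) => f.unscoped).map((f) => f.sid);
}
// Constructed sample policy: statement 1 is shaped like the one the issue's addPermission
// call produces (CDK-style Sid, SourceArn and SourceAccount set); statement 2 has no scoping.
const SAMPLE_POLICY = JSON.stringify({
  Version: "2012-10-17", Id: "default",
  Statement: [
    { Sid: "MyStack-MyFunctionAllowCWL1A2B3C4D-EXAMPLE", Effect: "Allow",
      Principal: { Service: "logs.amazonaws.com" }, Action: "lambda:InvokeFunction",
      Resource: "arn:aws:lambda:us-west-2:123456789012:function:my-function",
      Condition: { ArnLike: { "aws:SourceArn": "arn:aws:logs:us-west-2:123456789012:log-group:*" },
                   StringEquals: { "aws:SourceAccount": "123456789012" } } },
    { Sid: "AllowAnyBucket", Effect: "Allow", Principal: { Service: "s3.amazonaws.com" },
      Action: "lambda:InvokeFunction",
      Resource: "arn:aws:lambda:us-west-2:123456789012:function:my-function" },
  ],
});
console.log(unscopedSids(SAMPLE_POLICY)); // ["AllowAnyBucket"]
```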

ykethan commented Apr 23, 2025

Hey @garysassano, thanks for reporting this issue. The requested change would require modifications to two key files:

In packages/aws-cdk-lib/aws-lambda/lib/permission.ts, we'd need to add the statementId property to the Permission interface:

export interface Permission {
  /**
   * The statement ID to use for this permission statement. If not provided,
   * CDK will auto-generate an ID using the construct path.
   * 
   * @default - Auto-generated using construct path and a random suffix
   */
  readonly statementId?: string;

  // ... existing properties ...
}

In packages/aws-cdk-lib/aws-lambda/lib/function-base.ts, we'd need to modify the addPermission implementation to use the provided statementId when creating the CfnPermission:

public addPermission(id: string, permission: Permission) {
  // ... existing checks ...

  new CfnPermission(scope, id, {
    action,
    principal,
    functionName: this.functionArn,
    sid: permission.statementId ?? id,  // Use provided statementId or fallback to id
    eventSourceToken: permission.eventSourceToken,
    sourceAccount: permission.sourceAccount ?? sourceAccount,
    sourceArn: permission.sourceArn ?? sourceArn,
    principalOrgId: permission.organizationId ?? principalOrgID,
    functionUrlAuthType: permission.functionUrlAuthType,
  });
}

This would allow users to control the statement ID while maintaining backward compatibility with the current auto-generation behavior.

I am making this a p2 feature request and any PR would be appreciated!

@ykethan ykethan added p2 feature-request A feature should be added or improved. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 23, 2025

ykethan commented Apr 23, 2025

@garysassano on diving further into this, I noticed the statement-id is currently not provided on the AWS::Lambda::Permission CloudFormation resource, but it is currently supported in the AWS CLI and AWS SDK.
https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html
https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html

I would suggest opening an issue on the cloudformation-coverage-roadmap repository to track this implementation.

Internal ticket for tracking: V1751760064

@ykethan ykethan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed p2 labels Apr 23, 2025
github-actions bot commented:

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Apr 25, 2025
@garysassano

keep

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Apr 25, 2025