What is the problem?
Triggering a Lambda from Kinesis requires permissions to GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions.
However, Stream.grantRead adds DescribeStreamSummary, GetRecords, GetShardIterator, ListShards, SubscribeToShard permissions.
Reproduction Steps
const myRole = new Role(
  this,
  `MyLambdaRole`,
  {
    assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
    managedPolicies: [
      ManagedPolicy.fromAwsManagedPolicyName(
        "service-role/AWSLambdaBasicExecutionRole"
      ),
    ],
  }
);
const stream = new Stream(this, 'MyStream')
stream.grantRead(myRole);
const myLambda = new CfnFunction(this, "Function", {
  .
  .
  role: myRole
});
myLambda.events = {
  KinesisEvent: {
    type: "Kinesis",
    properties: {
      batchSize: batchSize,
      stream: stream.streamArn,
      startingPosition: "TRIM_HORIZON",
    },
  },
};
What did you expect to happen?
I expected the role to have a policy that has all the permissions that allows the Lambda to read from Kinesis stream
What actually happened?
I get an error from CloudFormation that says
Resource handler returned message: "Invalid request provided: Cannot access stream arn:aws:kinesis:us-east-1:1234567890:stream/MyStreamC66D1FC9-mn38ndr4HWsj. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, ListShards, and ListStreams Actions on your stream in IAM. (Service: Lambda, Status Code: 400, Request ID: 5f430c94-26b4-4125-8d80-3d376b1f4ce7, Extended Request ID: null)" (RequestToken: 8a89b5a0-758a-bfcb-59e1-2fcb44acdcca, HandlerErrorCode: InvalidRequest)
On further digging
"MyroleFromArnPolicyD12FCCED": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "kinesis:DescribeStreamSummary",
            "kinesis:GetRecords",
            "kinesis:GetShardIterator",
            "kinesis:ListShards",
            "kinesis:SubscribeToShard"
          ],
          "Effect": "Allow",
          "Resource": {
            "Fn::GetAtt": [
              "MyStream6A3D4C36",
              "Arn"
            ]
          }
        },
        {
          "Action": "kms:Decrypt",
          "Effect": "Allow",
          "Resource": {
            "Fn::GetAtt": [
              "MyStreamKey6C0AB7AE",
              "Arn"
            ]
          }
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "MyroleFromArnPolicyD12FCCED",
    "Roles": [
      {
        "Fn::Select": [
          1,
          {
            "Fn::Split": [
              "/",
              {
                "Fn::Select": [
                  5,
                  {
                    "Fn::Split": [
                      ":",
                      {
                        "Fn::GetAtt": [
                          "MyLambdaRoleFC0D8190",
                          "Arn"
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      }
    ]
  },
  "Metadata": {
    "aws:cdk:path": "FaaCatFAST-Infra-jlalwani-alpha-us-east-1/MyLambda/roleFromArn/Policy/Resource"
  }
},
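As an added check (this is not code from the issue or from the aws-cdk project), the following TypeScript audits a synthesized policy document like the one above against the actions the Lambda error lists and builds the least-privilege statements that would close the gap; it goes a little beyond the issue by honouring IAM action wildcards such as "kinesis:Get*". The stream ARN is a constructed placeholder, and scoping kinesis:ListStreams to Resource "*" reflects the IAM action reference rather than anything stated in the issue.

```typescript
// Added example (not from the issue or aws-cdk): audit a synthesized
// AWS::IAM::Policy document against the actions Lambda's Kinesis event
// source mapping needs, and build the statements that close the gap.

type Statement = { Action: string | string[]; Effect: "Allow" | "Deny"; Resource: unknown };
type PolicyDocument = { Version?: string; Statement: Statement[] };

// The actions named in the Lambda error message quoted in the issue.
const LAMBDA_KINESIS_ACTIONS = [
  "kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:DescribeStream",
  "kinesis:ListShards", "kinesis:ListStreams",
];

// IAM action matching: case-insensitive, '*' is a wildcard (e.g. "kinesis:Get*").
function actionMatches(pattern: string, action: string): boolean {
  const parts = pattern.split("*").map(p => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(action);
}

// Every action some Allow statement grants (Deny statements are ignored here).
function allowedActions(doc: PolicyDocument): string[] {
  const out: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    for (const a of actions) out.push(a);
  }
  return out;
}

// Required actions that no Allow statement covers.
function missingActions(doc: PolicyDocument, required: string[] = LAMBDA_KINESIS_ACTIONS): string[] {
  const allowed = allowedActions(doc);
  return required.filter(a => !allowed.some(p => actionMatches(p, a)));
}

// Statements for the gap: stream-scoped actions go on the stream ARN;
// kinesis:ListStreams has no resource type in IAM, so it needs Resource "*".
function gapStatements(doc: PolicyDocument, streamArn: string): Statement[] {
  const missing = missingActions(doc);
  const scoped = missing.filter(a => a !== "kinesis:ListStreams");
  const out: Statement[] = [];
  if (scoped.length > 0) out.push({ Action: scoped, Effect: "Allow", Resource: streamArn });
  if (missing.indexOf("kinesis:ListStreams") >= 0) out.push({ Action: "kinesis:ListStreams", Effect: "Allow", Resource: "*" });
  return out;
}

// Constructed sample: the actions Stream.grantRead emitted in the template above (placeholder ARN).
const GRANT_READ_DOC: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Action: ["kinesis:DescribeStreamSummary", "kinesis:GetRecords", "kinesis:GetShardIterator",
             "kinesis:ListShards", "kinesis:SubscribeToShard"],
    Effect: "Allow",
    Resource: "arn:aws:kinesis:us-east-1:123456789012:stream/MyStream",
  }],
};

console.log(missingActions(GRANT_READ_DOC)); // ["kinesis:DescribeStream", "kinesis:ListStreams"]
```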
CDK CLI Version
3.0
Framework Version
No response
Node.js Version
14
OS
Linux
Language
Typescript
Language Version
No response
Other information
No response