(lambda): CDK-generated permissions will not work on Lambda invoked with `Qualifier=`

[rix0rrr]

What is the problem?

Lambda is changing their authorization strategy.

When you call InvokeFunction(FunctionName='xyz', Qualifier=86):

• It used to be the case that you would need IAM permissions granted to the unqualified function name:xyz.
• It is now the case that you need IAM permissions granted to the qualified function name: xyz:86

It always was and still will be the case that when you do InvokeFunction(FunctionName='xyz:86'), you need IAM permissions to invoke xyz:86.

---

Since we don't always control what the InvokeFunction call looks like, it might just be safest/simplest to grant permissions on ['xyz', 'xyz:*'].

Reproduction Steps

See above

What did you expect to happen?

See above

What actually happened?

Call is rejected

CDK CLI Version

x

Framework Version

No response

Node.js Version

x

OS

x

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

No response

[kaizencc]

This issue is closed by the combination of #19318 and #19464

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.