(aws-lambda): support `PrincipalOrgId` on lambda permissions to allow function access to an AWS organization

[yashaslokesh]

What is the problem?

The .addPermission() and .grantInvoke() functions do not allow adding an AWS Organizations ID for resource-based policies. This is a feature in the AWS CLI, as seen here in the docs. I get an error when I try to add an organizations ID as a condition.

Reproduction Steps

Let orgFunction be any Function, then

const permission = new iam.AnyPrincipal()
    .withConditions({
        StringEquals: {
            'aws:PrincipalOrgID': config.organizations.orgId[props.stage]
        }
    });

orgFunction.grantInvoke(permission);

What did you expect to happen?

Expected the CDK synthesis to be successful

What actually happened?

Error: PrincipalWithConditions had unsupported conditions for Lambda permission statement: [{"operator":"StringEquals","key":"aws:PrincipalOrgID"}]. Supported operator/condition pairs: [{"operator":"ArnLike","key":"aws:SourceArn"},{"operator":"StringEquals","key":"aws:SourceAccount"}]

CDK CLI Version

Don't use the CDK CLI

Framework Version

1.149.0

Node.js Version

14.x

OS

Amazon Linux 2 x86_64

Language

Typescript

Language Version

Typescript (3.9.10)

Other information

grantInvoke calls addPermission which calls parsePermissionPrincipal and parseConditions.

parsePermissionsPrincipal should allow an
OrganizationPrincipal and parseConditions should allow the principal condition { operator: 'StringEquals', key: 'aws:PrincipalOrgID' } to conform to the AddPermission functionality presented here, linked earlier.

[rix0rrr]

Unfortunately the permissions we can express for Lambda functions are limited to the properties available on AWS::Lambda::Permission: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

Do you know how to express this condition in those properties? If not, this is probably not supported by Lambda.

[yashaslokesh]

That's strange, the article you linked even links to the page mentioning the AWS Organizations condition and this announcement says the organization ID can be passed to CloudFormation: https://aws.amazon.com/about-aws/whats-new/2022/03/aws-lambda-principalorgid-resource-policies/

This announcement is only from March 11th, though, so maybe it's possible that the documentation for AWS::Lambda::Permission hasn't been updated, yet. The CLI docs have been updated. This issue can't move forward until CFN updates their documentation, then

[kaizencc]

Looks like there is a PrincipalOrgId property in the docs now, which makes me think this is doable.