(lambda): Function.grant_invoke should not grant for all versions

[rittneje]

Describe the bug

While upgrading from 1.140.0 to 2.20.0, we noticed that the behavior of aws_lambda.Function.grant_invoke has changed. Previously it granted lambda:InvokeFunction just on the function ARN itself. Now it also grants lambda:InvokeFunction on ${arn}:*, meaning all function versions.

This change does not make sense. At best, granting this wildcard permission is pointless, because CDK doesn't publish function versions. At worst, this is actually a potential security issue, because when I grant invoke rights to a principal, I mean for them to invoke it without any version number, which means $LATEST. If they have permission to invoke any version, then it is possible for them to invoke an older version that is not intended to be used anymore.

Expected Behavior

grant_invoke should retain its original behavior of only granting the ability to invoke the function itself, without an explicit version. If for some reason someone wants to grant wildcard access to all versions, there can be an optional boolean parameter to grant_invoke.

Current Behavior

See above.

Reproduction Steps

Create an aws_lambda.Function and use grant_invoke to grant invoke rights to some principal. Then look at the IAM policy that is generated.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.20.0

Framework Version

No response

Node.js Version

16.14.2

OS

Alpine 3.15

Language

Python

Language Version

3.9.12

Other information

No response

[kaizencc]

Hi @rittneje! This is an intentional change. See this PR for additional context.

tl;dr: lambda changed their authorization strategy, the CDK updated to reflect this. The user behavior we want to see is to grantInvoke on specific versions and aliases instead.

[rittneje]

@kaizencc I'm confused. The new lambda behavior your are describing seems like exactly what CDK should do be default. Namely, grant_invoke should allow access to the unqualified ARN only, and they are not allowed to specify Qualifier. Consequently, they are forced to use $LATEST always, implicitly. With this CDK change, I don't see a way to generate such a policy via grant_invoke, and am now forced to write it manually all the time.

In short, CDK is kind of contradicting the entire point of the Lambda team's change here. If a user actually does intend to grant access to all versions/aliases, they should be forced to say so explicitly. It should not happen as part of grant_invoke by default.

[kaizencc]

Hi @rittneje! It boils down to not wanting to break our customers. Without change, customer lambda invocations would fail when the customer invokes the lambda with unqualified ARN and a Qualifier request parameter. We can't let this happen, so we have to change the policy to [ARN, ARN:*]. In our view, it's slightly more permissible but works for all use cases.

The clear direction we're taking here is that if you want to grant less permissible policies, grant them on the version or alias you've created, not the function itself. So, our suggestion for your use case is to create an alias on the latest version and then grant invoke permissions on the alias (instead of the function). You shouldn't have to write a manual policy for that.

[rittneje]

@kaizencc Until this CDK change, I could use grant_invoke to grant lambda:InvokeFunction against the unqualified ARN, and then the application in question could use the unqualified ARN to invoke the lambda function. The Lambda team has now (rightfully) decided that allowing applications to invoke specific lambda function versions via a backdoor when the IAM role only granted access to the unqualified function was a mistake, and is correcting that mistake. The CDK team has decided to contradict that decision, under the guise of "backwards compatibility". However, the Lambda team decided breaking backwards compatibility was the correct approach. The CDK team absolutely should not be attempting to contradict this.

Furthermore, your suggestion to grant against the specific version/alias is not workable. If I grant access specifically to the $LATEST version (i.e., arn:aws:lambda:<region>:<account>:function:MyFunctionName:$LATEST), then the application in question is no longer permitted to invoke the unqualified ARN. So either I am forced to also make changes to the application, or I have to manually write a policy that grants access only to the unqualified ARN instead of using grant_invoke.

What the CDK team needs to do is add an optional boolean parameter to grant_invoke that indicates whether access should also be granted to all versions/aliases. (Alternatively, create a separate grant_invoke_all_versions method.) And if you are really concerned about backwards compatibility, add a feature flag to control the default behavior.