fix(stepfunctions): lambda invoke grant all versions #34398
+767
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
bug
1 task
GavinZZ
added
pr/do-not-merge
|
Adding a |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
Closes #17515 .
Reason for this change
AWS CDK-generated Step Function roles break in-flight Step Function executions when using versioned Lambda functions. During deployment, the Step Function’s IAM role is updated to include permissions for the new Lambda version but removes permissions for the previous version. This causes lambda:InvokeFunction permission failures in in-flight executions that were started before the deployment and are still trying to invoke the previous Lambda version.
This issue is particularly problematic when using Step Function Aliases with deployment preferences for traffic shaping, as a percentage of new executions are directed to the previous version of the state machine, which attempts to invoke a Lambda version it no longer has permissions for.
Description of changes
Implemented a feature flag
STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONSto control IAM permissions granted when using Lambda versions with Step Functions:Added a new feature flag in
cx-api/lib/features.tswith detailed documentationModified LambdaInvoke task implementation to check for this flag:
When enabled: grants permissions to both the specific Lambda version AND all versions using a wildcard pattern (
function-arn:*)When disabled (default behavior): maintains current behavior of granting permission only to the specific version
Updated API documentation to clearly explain the feature flag usage
Updated the README.md to include examples showing how to enable the feature flag
This approach maintains backward compatibility while giving users an opt-in solution to prevent in-flight executions from failing during deployments.
Describe any new or updated permissions being added
When the feature flag is enabled, the Step Function's IAM role will now include an additional IAM permission that grants access to all versions of the Lambda function using a wildcard pattern, e.g.:
"Resource": ["arn:aws:lambda:region:account:function:name:version"]"Resource": ["arn:aws:lambda:region:account:function:name:version", "arn:aws:lambda:region:account:function:name:*"]Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license