0

I am new to CDK, I want to create simple lamda function using CDK.cdk synth gives no error but when I run cdk deploy --profile myprofile getting this error

Resource handler returned message: "User: arn:aws:sts::xxxxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa because no identity-based policy allows the lambda:CreateFunction action (Service: Lambda, Status Code: 403, Request ID: 61895893-bf12-48bf-a51a-dbcf11fc17d8)" (RequestToken: 0e3ec851-6bd2-9ef3-751c-a3a947a72668, HandlerErrorCode: AccessDenied)

Here is source code

bin/api_lamda.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { ApiLamdaStack } from '../lib/api_lamda-stack';

const app = new cdk.App();
new ApiLamdaStack(app, 'ApiLamdaStack', {
  env: { account: 'xxx', region: 'yyy' },
});

lib\api_lamda-stack.ts

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Code, Function as LamdaFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
import { join } from 'path';
import { Effect, PolicyStatement, CfnPolicy } from 'aws-cdk-lib/aws-iam';


export class ApiLamdaStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new iam.Role(this, 'example-iam-role', {
      assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName(
          'AWSLambda_FullAccess',
        ),
      ],
    });

    const helloLamda = new LamdaFunction(this, 'helloLamda', {
      runtime: Runtime.NODEJS_16_X,
      code: Code.fromAsset(join(__dirname, '..', 'services', 'hello')), 
      handler: 'hello.main'
    })

  
  }
}

cdk.json

{
  "app": "npx ts-node --prefer-ts-exts bin/apiLamda.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ]
  }
}

All I want to do is create lamda via CDK, can someone please suggest me what to do?

The solution seems to attach role to cloudformation to be able to create lambda function, I have altered the lib\api_lamda-stack.ts please take a look

Improve this question

2 Answers 2

Reset to default
2

The problem is not in your cdk code. It says cdk role cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to lambda:CreateFunction.

Check your profile permissions.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Hi Mehmet, thanks, I don't know how to check permissions associated with my profile though from doc ran this command: aws list-permissions --profile myprofile, but it says command is wong! Also from console, I can see administrator access is attached to the user.
Your profile assume a role named cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation this can be in your account and/or another account. You need to check that role. You may have AdministratorAccess. But cloudformation is using that role while deploying your stack.
Thanks for setting me in right direction, now I am trying to attach lamda full acess role to cloud formation stack rather doing it from console, I want to do it programatically but still same error, can you please correct what mistake I am making in attaching role?
Check the docs on bootstrapping, that's how you specify the execution role policies.
0

Thanks gshpychka and Mehmet, indeed cdk bootstrap was having issue, I has to completely wipe out rescources created by cdktoolkit stack including s3 and ssm parameter store, they were causing hindrance by not getting removed, so cleaning completely ensured creation complete of bootstrap then deploy succeeded.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.