(aws-lambda): Cannot specify organization subset in Lambda permission

[nebur395]

Describe the bug

I want to add a "Permission" to a lambda to be invoked by an entire OrganizationalUnit but not the entire Organization to be more granular.

Based in the documentation, I understand it should be possible by specifying the principal (...an AWS organization principal to grant permissions to an entire organization.) and then the organizacionId (...Use this ONLY if you need to grant permissions to a subset of the organization...). However, when I specify a PrincipalOrg+OrganizationId, it throws a validation constraint error.

lambda.addPermission('LambdaPermission', {
  principal: new OrganizationPrincipal('o-123456789'),
  organizationId: 'ou-1234-123456789'
})

For the organizationId I've tried multiple formats: organizationId: 'o-123456789/r-1234/ou-1234-123456789', organizationId: 'r-1234/ou-1234-123456789', organizationId: ou-1234-123456789'. But all of them throw the same error.

If I don't specify organizationId:

lambda.addPermission('LambdaPermission', {
  principal: new OrganizationPrincipal('o-123456789')
})

Then it works and does not generate any error. However, as expected, it attaches a policy with PrincipalOrgId and it grants any principal from the entire organization access to the lambda (which is the thing I would like to avoid). This is the generated permission from the previous code in the AWS console:

So either I don't fully understand the documentation (which could be the case) or there is a bug in this feature. If it is the former, then I don't understand why I would need the organizationId if I cannot specify an OU as a subset of the organization and then what is that property for. If it is the latter, I've tried to check the source code of that function and it seems it attaches the condition aws:PrincipalOrgID always, no matter if you just specify the principal or the principal+organizationId. Maybe for the principal+organizationId it would be feasible to use aws:PrincipalOrgPaths.

Thanks a lot!!

Expected Behavior

Given this function:

lambda.addPermission('LambdaPermission', {
  principal: new OrganizationPrincipal('o-123456789'),
  organizationId: 'r-1234/ou-1234-123456789'
})

When specifying just principal it grants access to that lambda to the entire organization:

{
  "StringEquals": {
    "aws:PrincipalOrgID": "o-123456789"
  }
}

When specifying both principal and organizationId it grants access to that lambda to a subset (OU) inside the organization:

{ 
  "ForAnyValue:StringLike" : {
    "aws:PrincipalOrgPaths": ["o-123456789/r-1234/ou-1234-123456789/*"]
  }
}

Current Behavior

Given this function:

lambda.addPermission('LambdaPermission', {
  principal: new OrganizationPrincipal('o-123456789'),
  organizationId: 'r-1234/ou-1234-123456789'
})

I get the following error:
Properties validation failed for resource LambdaPermission with message: #/PrincipalOrgID: failed validation constraint for keyword [pattern]

Reproduction Steps

import { Code, Function as LambdaFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
import { OrganizationPrincipal } from 'aws-cdk-lib/aws-iam';

const lambda = new LambdaFunction(this, 'Lambda', {
  runtime: Runtime.NODEJS_18_X,
  code: Code.fromAsset(''),
  handler: 'index.handler',
  functionName: 'test'
});

lambda.addPermission('LambdaPermission', {
  principal: new OrganizationPrincipal('o-123456789'),
  organizationId: 'r-1234/ou-1234-123456789'
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.109.0

Framework Version

No response

Node.js Version

18.18.2

OS

macOS 13.6.2

Language

TypeScript

Language Version

5.2.2

Other information

No response

[pahud]

I am not sure if it's possible to do that as AWS::Lambda::Permission only allows to specify PrincipalOrgId. This could be a blocker from cloudformation.

Also, if we look at the CLI document, it does not allow you to specify org path for scoped control to OU. I doubt it's possible from API's perspective.

I will create an internal ticket for clarification.

[pahud]

ticket V1176480060

[nebur395]

I am not sure if it's possible to do that as AWS::Lambda::Permission only allows to specify PrincipalOrgId. This could be a blocker from cloudformation.

Also, if we look at the CLI document, it does not allow you to specify org path for scoped control to OU. I doubt it's possible from API's perspective.

I will create an internal ticket for clarification.

Thanks a lot for the fast answer!

Indeed, I took a look to the CloudFormation documentation and I could not see any reference to that "subset of the organization". Then I thought CDK was replacing in those cases PrincipalOrgID with the PrincipalOrgPaths condition key. I checked the code and it didn't seem it was the case. So I was not pretty sure if this was a problem in the doc which is slightly misleading or actually it was a bug in the library. Because otherwise I don't get what's the usage of that organizationId property

[pahud]

@nebur395 Looks like Lambda permission doesn't support that at this moment. We have created an internal ticket for the feature request to the lambda team. Before that, I am afraid we can't do anything with CDK.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[nebur395]

@pahud thanks a lot for the feedback :)

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.