I am new to CDK, I want to create simple lamda function using CDK.cdk synth gives no error but when I run cdk deploy –profile myprofile getting this error
Resource handler returned message: "User:
arn:aws:sts::xxxxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation
is not authorized to perform: lambda:CreateFunction on resource:
arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa
because no identity-based policy allows the lambda:CreateFunction
action (Service: Lambda, Status Code: 403, Request ID:
61895893-bf12-48bf-a51a-dbcf11fc17d8)" (RequestToken:
0e3ec851-6bd2-9ef3-751c-a3a947a72668, HandlerErrorCode: AccessDenied)
Here is source code
bin/api_lamda.ts
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { ApiLamdaStack } from '../lib/api_lamda-stack';
const app = new cdk.App();
new ApiLamdaStack(app, 'ApiLamdaStack', {
env: { account: 'xxx', region: 'yyy' },
});
libapi_lamda-stack.ts
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Code, Function as LamdaFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
import { join } from 'path';
import { Effect, PolicyStatement, CfnPolicy } from 'aws-cdk-lib/aws-iam';
export class ApiLamdaStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
new iam.Role(this, 'example-iam-role', {
assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName(
'AWSLambda_FullAccess',
),
],
});
const helloLamda = new LamdaFunction(this, 'helloLamda', {
runtime: Runtime.NODEJS_16_X,
code: Code.fromAsset(join(__dirname, '..', 'services', 'hello')),
handler: 'hello.main'
})
}
}
cdk.json
{
"app": "npx ts-node --prefer-ts-exts bin/apiLamda.ts",
"watch": {
"include": [
"**"
],
"exclude": [
"README.md",
"cdk*.json",
"**/*.d.ts",
"**/*.js",
"tsconfig.json",
"package*.json",
"yarn.lock",
"node_modules",
"test"
]
},
"context": {
"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
"@aws-cdk/core:stackRelativeExports": true,
"@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
"@aws-cdk/aws-lambda:recognizeVersionProps": true,
"@aws-cdk/aws-lambda:recognizeLayerVersion": true,
"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
"@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
"@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
"@aws-cdk/core:checkSecretUsage": true,
"@aws-cdk/aws-iam:minimizePolicies": true,
"@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
"@aws-cdk/core:validateSnapshotRemovalPolicy": true,
"@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
"@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
"@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
"@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
"@aws-cdk/core:enablePartitionLiterals": true,
"@aws-cdk/core:target-partitions": [
"aws",
"aws-cn"
]
}
}
All I want to do is create lamda via CDK, can someone please suggest me what to do?
The solution seems to attach role to cloudformation to be able to create lambda function, I have altered the libapi_lamda-stack.ts please take a look
2
Answers
Thanks gshpychka and Mehmet, indeed cdk bootstrap was having issue, I has to completely wipe out rescources created by cdktoolkit stack including s3 and ssm parameter store, they were causing hindrance by not getting removed, so cleaning completely ensured creation complete of bootstrap then deploy succeeded.
The problem is not in your cdk code. It says cdk role
cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormationis not authorized tolambda:CreateFunction.Check your profile permissions.