feat: refactor Function URL permissions #3735

Merged
merged 13 commits into from
Apr 24, 2025

Member

@roger-zhangg roger-zhangg commented Mar 19, 2025

Issue #, if available

Description of changes

To successfully invoke Lambda Function URLs, now you must have both of these Lambda permissions on your function:

  • lambda:InvokeFunctionUrl
  • lambda:InvokeFunction

Before, you only needed lambda:InvokeFunctionUrl to allow invoking.

⚠️Impact on existing deployments:

  • For Function URLs with AUTH_TYPE: NONE, sam transform will automatically add the additional required lambda:InvokeFunction permission in addition to the lambda:InvokeFunctionUrl that would be normally added before this change
  • This policy addition will occur on re-deployment even without template changes
  • No action required from users

Description of how you validated changes

  • Unit test
  • Integration test
  • Manual testing

Checklist

Examples?

Please reach out in the comments if you want to add an example. Examples will be
added to sam init through aws/aws-sam-cli-app-templates.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@roger-zhangg roger-zhangg requested a review from a team as a code owner March 19, 2025 22:04
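
As an added example (not code from this pull request or from the SAM project): a check over transformed CloudFormation output that reports function URLs with AuthType NONE whose function lacks either of the two public permissions named in the description above. The logical IDs, the sample templates, and the treatment of InvokedViaFunctionUrl as a boolean on the lambda:InvokeFunction permission are assumptions made for illustration.

```python
REQUIRED = {"lambda:InvokeFunctionUrl", "lambda:InvokeFunction"}

def _target(value):
    """Return the logical ID behind a Ref / Fn::GetAtt, or the value itself."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        att = value.get("Fn::GetAtt")
        if att:
            return att[0] if isinstance(att, list) else att.split(".")[0]
        return None
    return value

def audit_public_function_urls(template):
    """Map each AuthType NONE function URL to its public-permission gaps."""
    resources = template.get("Resources", {})
    findings = {}
    for url_id, url in resources.items():
        props = url.get("Properties", {})
        if url.get("Type") != "AWS::Lambda::Url" or props.get("AuthType") != "NONE":
            continue
        fn = _target(props.get("TargetFunctionArn"))
        granted, unscoped = set(), False
        for res in resources.values():
            p = res.get("Properties", {})
            if (res.get("Type") != "AWS::Lambda::Permission"
                    or _target(p.get("FunctionName")) != fn
                    or p.get("Principal") != "*"):
                continue
            granted.add(p.get("Action"))
            # Assumption: the public InvokeFunction grant is meant to be
            # limited to calls arriving through the function URL.
            if (p.get("Action") == "lambda:InvokeFunction"
                    and p.get("InvokedViaFunctionUrl") is not True):
                unscoped = True
        findings[url_id] = {"missing": sorted(REQUIRED - granted),
                            "unscoped_invoke": unscoped}
    return findings

# Constructed sample templates (not SAM's actual output).
def _perm(action, **extra):
    return {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": action, "FunctionName": {"Ref": "MyFn"}, "Principal": "*", **extra}}

URL = {"Type": "AWS::Lambda::Url", "Properties": {
    "AuthType": "NONE", "TargetFunctionArn": {"Fn::GetAtt": ["MyFn", "Arn"]}}}
BEFORE = {"Resources": {"MyFnUrl": URL,
          "UrlPerm": _perm("lambda:InvokeFunctionUrl", FunctionUrlAuthType="NONE")}}
AFTER = {"Resources": {**BEFORE["Resources"],
         "InvokePerm": _perm("lambda:InvokeFunction", InvokedViaFunctionUrl=True)}}
```

Running `audit_public_function_urls` over a stack's template before and after re-deployment shows whether the second permission was added.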
Contributor

@mbfreder mbfreder left a comment

The linter is failing on the generated CFN files. That's because InvokedViaFunctionUrl is not yet available on CloudFormation. To make the linter pass, please add tests/translator/output/**/function_with_function_url_config.json in cfnlintrc.yaml file to ignore it. (Should be removed once the feature is GA)

@roger-zhangg
Member Author

> The linter is failing on the generated CFN files. That's because InvokedViaFunctionUrl is not yet available on CloudFormation. To make the linter pass, please add tests/translator/output/**/function_with_function_url_config.json in cfnlintrc.yaml file to ignore it. (Should be removed once the feature is GA)

Thanks, I'm kind of swaying between doing that (typically in private repo) or waiting for the official CFN update (public repo).

@roger-zhangg
Member Author

Elysia % pytest --no-cov integration/single/test_basic_function.py::TestBasicFunction::test_basic_function_with_url_dual_auth_0_single_basic_function_with_function_url_dual_auth
====================================================================================================================== test session starts =======================================================================================================================
platform linux -- Python 3.10.13, pytest-7.4.4, pluggy-1.5.0
rootdir: /local/home/ruojiazh/proj/serverless-application-model
configfile: pytest.ini
plugins: env-0.8.2, rerunfailures-11.1.2, xdist-3.6.1, cov-4.1.0
collected 1 item                                                                                                                                                                                                                                                 

integration/single/test_basic_function.py::TestBasicFunction::test_basic_function_with_url_dual_auth_0_single_basic_function_with_function_url_dual_auth PASSED                                                                                            [100%]

================================================================================================================== 1 passed in 67.20s (0:01:07) ==================================================================================================================
(.venv) 
(25-04-23 22:08:58) <0> [~/proj/serverless-application-model]  
Elysia % pytest --no-cov integration/single/test_basic_function.py::TestBasicFunction::test_basic_function_with_url_dual_auth_1_single_basic_function_with_function_url_with_autopuplishalias_dual_auth
====================================================================================================================== test session starts =======================================================================================================================
platform linux -- Python 3.10.13, pytest-7.4.4, pluggy-1.5.0
rootdir: /local/home/ruojiazh/proj/serverless-application-model
configfile: pytest.ini
plugins: env-0.8.2, rerunfailures-11.1.2, xdist-3.6.1, cov-4.1.0
collected 1 item                                                                                                                                                                                                                                                 

integration/single/test_basic_function.py::TestBasicFunction::test_basic_function_with_url_dual_auth_1_single_basic_function_with_function_url_with_autopuplishalias_dual_auth PASSED                                                                      [100%]

================================================================================================================== 1 passed in 97.37s (0:01:37) =================================================================================================================

@roger-zhangg roger-zhangg changed the title feat: TBD feat: refactor Function URL permissions Apr 23, 2025
@roger-zhangg roger-zhangg merged commit 9ed1d64 into aws:develop Apr 24, 2025
7 checks passed