aws
fix(stepfunctions): lambda invoke grant all versions
Issue # (if applicable)
Closes #17515 .
Reason for this change
AWS CDK-generated Step Function roles break in-flight Step Function executions when using versioned Lambda functions. During deployment, the Step Function’s IAM role is updated to include permissions for the new Lambda version but removes permissions for the previous version. This causes lambda:InvokeFunction permission failures in in-flight executions that were started before the deployment and are still trying to invoke the previous Lambda version.
This issue is particularly problematic when using Step Function Aliases with deployment preferences for traffic shaping, as a percentage of new executions are directed to the previous version of the state machine, which attempts to invoke a Lambda version it no longer has permissions for.
Description of changes
Implemented a feature flag STEPFUNCTIONS_TASKS_LAMBDA_INVOKE_GRANT_ALL_VERSIONS to control IAM permissions granted when using Lambda versions with Step Functions:
Added a new feature flag in cx-api/lib/features.ts with detailed documentation
Modified LambdaInvoke task implementation to check for this flag:
When enabled: grants permissions to both the specific Lambda version AND all versions using a wildcard pattern (function-arn:*)
When disabled (default behavior): maintains current behavior of granting permission only to the specific version
Updated API documentation to clearly explain the feature flag usage
Updated the README.md to include examples showing how to enable the feature flag
This approach maintains backward compatibility while giving users an opt-in solution to prevent in-flight executions from failing during deployments.
Describe any new or updated permissions being added
When the feature flag is enabled, the Step Function's IAM role will now include an additional IAM permission that grants access to all versions of the Lambda function using a wildcard pattern, e.g.:
- Before:
"Resource": ["arn:aws:lambda:region:account:function:name:version"] - After:
"Resource": ["arn:aws:lambda:region:account:function:name:version", "arn:aws:lambda:region:account:function:name:*"]
Description of how you validated changes
- Added comprehensive unit tests that verify both behaviors (with feature flag enabled and disabled)
- Updated integration tests to demonstrate both scenarios with and without the feature flag
- Created test suites to verify behavior with both versioned Lambda functions and non-versioned Lambda functions
Checklist
- [x] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
Adding a do-not-merge and needs-security-review labels to wait on an update from security review on this approach.
AWS CodeBuild CI Report
- CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
- Commit ID: c80ec19d2472dc46a1a7943e3e8675f272602e82
- Result: FAILED
- Build Logs (available for 30 days)
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository
Hello, no rush or pressure or anything but just wanted to understand if this PR is awaiting further review or if the pipeline checks are needing to be addressed first?
Hello, no rush or pressure or anything but just wanted to understand if this PR is awaiting further review or if the pipeline checks are needing to be addressed first?
I don't mean to keep asking about this sorry 😅 but anyone is able to provide some clarity on where this PR is at that would be greatly appreciated.
This PR has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}