From 23ee45b8bc0057007f0d3363e84ff3e2b8d73d61 Mon Sep 17 00:00:00 2001 From: Ankush Singh Date: Mon, 5 Feb 2024 10:59:36 -0800 Subject: [PATCH] Adding lambda get function for PC prevalidation KIA lambda check (#2390) Summary: Pull Request resolved: https://github.com/facebookresearch/fbpcs/pull/2390 Currently, our cb instance is not supporting kia_service status checking, and it'll display the error as below when we fetch the kia_service from our smart platform: "Failed to fetch Lambda status during resource check. Error: User: arn:aws:sts::046312032962:assumed-role/vg-onebox-111-feb2-ConversionsApiGatewayIamRole-toCtIrRgJBMz/i-0de4416bd949ed716 is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:us-west-2:046312032962:function:cb-kia-5ujbtee-t0ug because no identity-based policy allows the lambda:GetFunction action (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 2199e72e-a5c4-4dc0-bef1-47fb848a9e04; Proxy: null)" To resolve this issue, we can add lambda:GetFunction to the existing IAM policy. Reviewed By: jinxinl22, chennyc Differential Revision: D53434002 fbshipit-source-id: 02e472e1cb4e672b072d0356d59292f61ea6a7c5 --- .../aws/iam_policies/fb_pc_iam_policy_no_compute.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_iam_policy_no_compute.json b/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_iam_policy_no_compute.json index f96089966..dbb3a053f 100644 --- a/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_iam_policy_no_compute.json +++ b/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_iam_policy_no_compute.json @@ -54,7 +54,8 @@ }, { "Action": [ - "lambda:InvokeFunction" + "lambda:InvokeFunction", + "lambda:GetFunction" ], "Effect": "Allow", "Resource": "arn:aws:lambda:${REGION}:${ACCOUNT_ID}:function:${KIA_LAMBDA_NAME}"
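
Review bot: in the `Action` list, the added `lambda:GetFunction` grants more than the status check described in the summary needs. Besides the function's configuration, the GetFunction response includes a presigned URL for downloading the deployment package, so any principal this policy is attached to can read the KIA Lambda's code. If the prevalidation check only reads the function's state, consider having it call GetFunctionConfiguration and granting `lambda:GetFunctionConfiguration` instead; that needs a change in the caller as well, since the error quoted in the summary shows it currently calls GetFunction. The `Resource` stays scoped to the single `${KIA_LAMBDA_NAME}` function ARN rather than a wildcard, which keeps the grant narrow. Separately, the commit message quotes a raw error containing an account ID, role name, instance ID and request ID; consider redacting those in commit text.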