
AWS Lambda using Annotations framework for .NET - missing Role


I'm porting an entire .NET 6 web application to AWS Lambda functions, using the AWS Lambda Annotations framework.

With each build, the Amazon.Lambda.Annotations package takes every annotated API method and converts it into Lambda function source code, auto-generating the serverless.template to tie it all together for the CloudFormation stack deploy.

Everything works like a charm, except that the specified Role for the method isn't put into the serverless.template.

E.g., using the policy ARN and role ARN of existing resources on my AWS, an annotated method like this:

[LambdaFunction(
    ResourceName = $"GetThing",
    Timeout = 42,
    MemorySize = 512,
    Policies = "arn:aws:iam::11111111:policy/ThingyPolicy",
    Role = "arn:aws:iam::11111111:role/ThingyRole"
)]
[HttpApi(LambdaHttpMethod.Get, "/GetThing")]
public async Task<Thing> GetThing() {
    //...
}

is referenced in the generated serverless.template like this:

...
"MenuItemAll": {
  "Type": "AWS::Serverless::Function",
  "Metadata": {
    "Tool": "Amazon.Lambda.Annotations",
    "SyncedEvents": [
      "RootGet"
    ]
  },
  "Properties": {
    "Runtime": "dotnet6",
    "CodeUri": ".",
    "MemorySize": 512,
    "Timeout": 42,
    "PackageType": "Zip",
    "Handler": "MyProject::Controllers.ThingController_GetThing_Generated::GetThing",
    "Events": {
      "RootGet": {
        "Type": "HttpApi",
        "Properties": {
          "Path": "/GetThing",
          "Method": "GET"
        }
      }
    },
    //"Role": "<--- MISSING!!"
    "Policies": [
      "arn:aws:iam::11111111:policy/ThingyPolicy"
    ]
  }
},
...

Policy, Timeout and MemorySize are correctly referenced, but there is no trace of the assigned Role.

I specified the Role within the LambdaFunctionAttribute, expecting to see it referenced inside the resulting CloudFormation template.

Unfortunately, the Role is the only property not correctly translated into the serverless.template.

I tried directly inserting the Role property into the serverless.template, but at deploy the code is recompiled and the template is regenerated without the role.


Solution

  • You need to specify either a policy or a role, but not both. When you specify a policy, a role is created with that policy attached to the role.
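
A build-time check for the behaviour described in this answer, as an added example that is not part of the original answer or of the Annotations project: it reads a generated serverless.template and reports, for each AWS::Serverless::Function, whether it runs under an explicit Role or under a role created from Policies, and flags a function whose expected role is absent. The function name `audit_roles`, the `expected_roles` mapping and the sample template (including the `GetThingFixed` and `ThingTable` resources) are constructed for illustration; the ARNs are the ones from the question.

```python
import json

SAM_FUNCTION = "AWS::Serverless::Function"
ROLE_ARN = "arn:aws:iam::11111111:role/ThingyRole"        # ARN from the question
POLICY_ARN = "arn:aws:iam::11111111:policy/ThingyPolicy"  # ARN from the question

# Constructed sample: what the generator emits when both were annotated
# (GetThing, Role dropped) next to a function annotated with Role only.
SAMPLE = json.dumps({"Resources": {
    "GetThing": {"Type": SAM_FUNCTION, "Properties": {"Policies": [POLICY_ARN]}},
    "GetThingFixed": {"Type": SAM_FUNCTION, "Properties": {"Role": ROLE_ARN}},
    "ThingTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
}})


def audit_roles(template_text, expected_roles=None):
    """Return {logical_id: [findings]} for every SAM function in the template.

    expected_roles (hypothetical input): logical id -> role ARN the function
    is supposed to run under. An empty findings list means nothing to report.
    """
    expected_roles = expected_roles or {}
    resources = json.loads(template_text).get("Resources", {})
    report = {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != SAM_FUNCTION:
            continue  # only functions carry Role / Policies
        props = resource.get("Properties", {})
        role, policies = props.get("Role"), props.get("Policies")
        findings = []
        if role and policies:
            findings.append("both Role and Policies set; specify only one")
        elif policies:
            findings.append("Policies only; a role is created with them attached")
        elif not role:
            findings.append("neither Role nor Policies set")
        want = expected_roles.get(logical_id)
        if want and role != want:
            findings.append(f"expected Role {want}, template has {role!r}")
        report[logical_id] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_roles(SAMPLE, {"GetThing": ROLE_ARN}).items():
        print(name, findings or "ok")
```

Run it against the regenerated template after each build so that a function silently falling back to a generated role is caught before deploy.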