Add lambda:ListTags permission to ProvisionPublishEgressIP policy #149

Merged
merged 1 commit into from
Oct 3, 2024

@dav3r dav3r commented Oct 3, 2024

🗣 Description

This PR adds the lambda:ListTags permission to the ProvisionPublishEgressIP policy.

💭 Motivation and context

We want to maintain our current level of functionality.

AWS Support writes:

Previously, permissions on ListTags were required only when using the ListTags API explicitly. However, principals with GetFunction API permissions could still access tag information outputted by the GetFunction call even if there is an explicit deny on ListTags API. Beginning October 2, 2024, Lambda will return tags data only when the principal calling GetFunction API has a policy with an explicit allow permission on ListTags API. When the role calling the GetFunction API has a policy with a deny or has no policy with explicit allow access to ListTags API, Lambda will not return tags data in the response to the GetFunction API call.

For reference: https://docs.aws.amazon.com/lambda/latest/dg/configuration-tags.html#permissions-required-for-working-with-tags-cli

🧪 Testing

👀

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.

@dav3r dav3r added the improvement and hacktoberfest-accepted labels Oct 3, 2024
@dav3r dav3r self-assigned this Oct 3, 2024
@dav3r dav3r requested a review from a team October 3, 2024 15:16
@dav3r dav3r merged commit bbf8b7d into develop Oct 3, 2024
4 checks passed
@dav3r dav3r deleted the improvement/add-lambda-listtags-permission branch October 3, 2024 17:04
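
An offline check for the behaviour AWS Support describes in this PR, added here as an example (not code from this repository or from AWS): given IAM policy documents, it reports which ones allow `lambda:GetFunction` but lack an explicit allow on `lambda:ListTags`, so `GetFunction` would come back without tags. The policy documents are constructed samples, and the evaluation is an assumption-laden simplification that looks only at `Effect` and `Action` and ignores `Resource`, `Condition` and `NotAction`.

```python
import fnmatch

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def decision(policy, action):
    """Return 'deny', 'allow' or 'implicit-deny' for one action.

    Simplified: matches only Effect and Action (IAM wildcards, case-insensitive);
    Resource, Condition and NotAction are ignored.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    effects = {
        s.get("Effect")
        for s in statements
        if any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(s.get("Action")))
    }
    if "Deny" in effects:  # an explicit deny always wins
        return "deny"
    return "allow" if "Allow" in effects else "implicit-deny"

def get_function_returns_tags(policy):
    """Tags come back only with an explicit allow on both actions."""
    return (decision(policy, "lambda:GetFunction") == "allow"
            and decision(policy, "lambda:ListTags") == "allow")

def audit(policies):
    """Names of policies that can call GetFunction but would get no tags."""
    return [name for name, doc in policies.items()
            if decision(doc, "lambda:GetFunction") == "allow"
            and not get_function_returns_tags(doc)]

def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": e, "Action": a, "Resource": "*"} for e, a in statements]}

# Constructed sample policies, not the contents of ProvisionPublishEgressIP.
SAMPLES = {
    "get_only": _policy(("Allow", ["lambda:GetFunction"])),
    "get_and_list_tags": _policy(("Allow", ["lambda:GetFunction", "lambda:ListTags"])),
    "wildcard_with_deny": _policy(("Allow", "lambda:*"), ("Deny", "lambda:ListTags")),
    "prefix_wildcards": _policy(("Allow", ["lambda:Get*", "lambda:List*"])),
}

if __name__ == "__main__":
    print("GetFunction would omit tags for:", audit(SAMPLES))
```

The `wildcard_with_deny` sample is the case AWS calls out: before October 2, 2024 such a principal still saw tags through `GetFunction` despite the explicit deny on `ListTags`.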