Clarify the Restate Cloud invoker role for Lambda deployments #430

Merged
merged 1 commit into from
Jul 3, 2024
19 changes: 14 additions & 5 deletions docs/deploy/cloud.md
Expand Up @@ -53,6 +53,7 @@ However, currently your services must be accessible over the public internet for
Restate to be able to invoke them. If you want to develop using a
service running on your local machine, you can expose it using our tunnel
feature:

```bash
# expose localhost:9080 to Restate Cloud
restate cloud env tunnel --local-port 9080
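Review bot: the blank line inserted after `feature:` is the only change in this hunk and is worth keeping, since it makes the `bash` block consistent with the other fenced blocks in this file, which are separated from the preceding text by a blank line (see the `ts` block further down).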
Expand All @@ -67,6 +68,13 @@ identity in the same account that the Lambda is deployed to. Create a new role
that has permission to invoke your Lambda handlers, and give it the following
trust policy.

<Admonition type="warning">
The Restate Cloud role is distinct from the Lambda function's execution role.
The execution role is assumed by your function to perform its work. A dedicated
invoker role is needed to grant Restate Cloud permission to invoke service handler
functions in your account, and nothing more.
</Admonition>

<Tabs>
<TabItem value="json" label="IAM JSON Policy" default>

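Review bot: the admonition switches between "the Restate Cloud role" and "a dedicated invoker role" for the same role, while the surrounding prose (and the paragraph changed at +134) calls it the "invoker role"; pick one term and use it throughout. The closing "and nothing more" would be more useful if it named the concrete scope, for example: "It needs only `lambda:InvokeFunction` on the handler functions that Restate should call, and no other permissions."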
Expand Down Expand Up @@ -107,7 +115,7 @@ This trust policy allows the Restate Cloud `us.restate.cloud` region principal t
<TabItem value="cdk" label="AWS CDK">

```ts
const invokerRole = new iam.Role(this, "InvokerRole", {
const restateCloudRole = new iam.Role(this, "RestateCloudRole", {
assumedBy: new iam.AccountPrincipal("654654156625")
.withConditions({
"StringEquals": {
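Review bot: renaming the construct to `RestateCloudRole` changes its CloudFormation logical ID, so anyone who pasted the earlier snippet into a stack will see the role replaced on the next deploy; a short sentence about that, or a note that the ID is arbitrary, would help. Also, `654654156625` appears in `assumedBy: new iam.AccountPrincipal("654654156625")` with no explanation; a comment above it stating that this is Restate Cloud's AWS account ID and must not be swapped for the reader's own account would prevent a common copy-paste mistake.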
Expand All @@ -116,7 +124,7 @@ const invokerRole = new iam.Role(this, "InvokerRole", {
},
}),
});
invokerRole.assumeRolePolicy!.addStatements(
restateCloudRole.assumeRolePolicy!.addStatements(
new iam.PolicyStatement({
principals: [new iam.AccountPrincipal("654654156625")],
actions: ["sts:TagSession"],
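Review bot: the `sts:TagSession` statement is added without saying why the trust policy needs it; a one-line comment above `restateCloudRole.assumeRolePolicy!.addStatements(` explaining what Restate Cloud tags the session with would help readers who merge this into an existing role. Its condition block falls outside the visible context (after `actions: ["sts:TagSession"],`), so check that it is scoped to the same environment as the `assumedBy` statement above rather than to the whole account principal.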
Expand All @@ -126,12 +134,13 @@ invokerRole.assumeRolePolicy!.addStatements(

When you use the [Restate CDK construct library](/deploy/lambda/cdk) to deploy
Lambda handlers, the provided invoker role will automatically be granted access
to invoke the corresponding functions. Alternatively, you will need to do so
explicitly.
to invoke the corresponding functions. If you manage Restate service deployments
some other way, you should ensure that the Restate Cloud invoker role is permitted
to call the appropriate Lambda handler functions by allowing it to perform `lambda:InvokeFunction`.

<Admonition type="info" title="Environment Identifier">
Use the `environmentId` variable to pass the environment ID can be found in the UI and in the output of `restate whoami`.
This trust policy allows the Restate Cloud `us.restate.cloud` region principal to assume the role, but only on behalf of the specified environment ID.
This trust policy allows the Restate Cloud `us.restate.cloud` region principal to assume the role, but only on behalf of the specified environment.
</Admonition>

</TabItem>
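Review bot: the new sentence at the end of the paragraph says the invoker role should be allowed to perform `lambda:InvokeFunction` but not on which resources; since the admonition above stresses that the role should have "nothing more", name the resource too, e.g. "...by allowing it to perform `lambda:InvokeFunction` on the ARNs of those functions", rather than leaving readers to grant it on `*`. Separately, the unchanged context line "Use the `environmentId` variable to pass the environment ID can be found in the UI and in the output of `restate whoami`." is missing a relative clause; while this admonition is being touched, "pass the environment ID, which can be found in the UI and in the output of `restate whoami`" would fix it.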