I am trying to set up an S3 event notification for an existing S3 bucket using AWS CDK. Below is the code.

```python
from aws_cdk import aws_s3 as s3
from aws_cdk import aws_s3_notifications as s3n

# Import the existing bucket by name (not created by this stack)
bucket = s3.Bucket.from_bucket_name(self, "S3Bucket", f"some-{stack_settings.aws_account_id}")
# Send OBJECT_CREATED events under uploads/ to an SQS queue
bucket.add_event_notification(
    s3.EventType.OBJECT_CREATED,
    s3n.SqsDestination(queue),
    s3.NotificationKeyFilter(
        prefix="uploads/"
    ),
)
```
The stack creation fails and I am seeing the error below on the CloudFormation console.

```text
User: arn:aws:sts::<account>:assumed-role/some-cicd/i-8989898989xyz
is not authorized to perform: lambda:InvokeFunction on resource:
arn:aws:lambda:us-east-1:<account_number>:function:<some name>-a-BucketNotificationsHandl-b2kDmawsGjpL
because no identity-based policy allows the lambda:InvokeFunction action (Service: AWSLambda;
Status Code: 403; Error Code: AccessDeniedException; Request ID: c2d91744-416c-454d-a510-ff4cce061b80;
Proxy: null)
```
I am not sure what this lambda is. I am not trying to create any such lambda in my CDK app.
Does anyone know what is going on here and if there is anything wrong with my code?
CodePudding user response:
The ability to add notifications to an existing bucket is implemented with a custom resource, that is, a lambda that uses the AWS SDK to modify the bucket's settings.
CloudFormation invokes this lambda when creating this custom resource (also on update/delete).
If you would like details, here's the relevant GitHub issue; you can see the commit that added the feature.
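The practical consequence of the answer above: CloudFormation invokes a Lambda-backed custom resource with the credentials that performed the stack operation (here the `some-cicd` role), unless the stack was given a service role (for example via `cdk deploy --role-arn`). So the deploying role needs `lambda:InvokeFunction` on the `BucketNotificationsHandler` function, and nothing broader. The added Python example below is not from the question, the answer or the CDK project; it parses the AccessDenied message into principal, action and resource, builds a least-privilege policy statement scoped to that one handler function, and checks that the denied resource is covered while an unrelated function is not. The sample account id, stack name and instance id are constructed placeholders, and the resource pattern assumes CloudFormation's physical-name format of stack name, truncated logical id and random suffix, which is what the error text in the question shows.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the shape of the AccessDenied message from the question;
# account id, stack name and instance id are placeholders, not real values.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/some-cicd/i-0abc\n"
    "is not authorized to perform: lambda:InvokeFunction on resource:\n"
    "arn:aws:lambda:us-east-1:111122223333:function:my-stack-BucketNotificationsHandl-b2kDmawsGjpL\n"
    "because no identity-based policy allows the lambda:InvokeFunction action"
)

# Tokens may be separated by spaces or line breaks in console output, hence \s+
ACCESS_DENIED_RE = re.compile(
    r"User:\s+(?P<principal>\S+)\s+is not authorized to perform:\s+(?P<action>\S+)\s+"
    r"on resource:\s+(?P<resource>\S+)"
)


def parse_access_denied(message: str) -> dict:
    """Extract principal, action and resource ARN from an AccessDeniedException message."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.groupdict()


def notification_handler_policy(region: str, account: str, stack_name: str) -> dict:
    """Least-privilege statement for the deploy role: invoke only the CDK
    BucketNotificationsHandler custom-resource function of one stack.

    CloudFormation builds the physical function name as
    <stack>-<truncated logical id>-<random suffix>, so the pattern matches the
    truncated prefix and wildcards the suffix (assumption based on the error text)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeCdkBucketNotificationsHandler",
                "Effect": "Allow",
                "Action": "lambda:InvokeFunction",
                "Resource": (
                    f"arn:aws:lambda:{region}:{account}:function:"
                    f"{stack_name}-BucketNotificationsHandl*"
                ),
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator: does some Allow statement cover the action and resource?
    IAM matches actions case-insensitively and treats '*' / '?' as wildcards in
    both Action and Resource; Deny statements and conditions are out of scope here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    policy = notification_handler_policy("us-east-1", "111122223333", "my-stack")
    print("denied principal:", denied["principal"])
    print("covered after fix:", policy_allows(policy, denied["action"], denied["resource"]))
```

Attach the generated statement to the CI/CD role (or deploy with a dedicated CloudFormation service role) rather than granting `lambda:InvokeFunction` on `*`; the resource pattern keeps the role from invoking any other function in the account.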