Skip to content

Add condition for sts:AssumeRole of the lambda principal to be from within the correct source account#13125

Open
gligorkot wants to merge 3 commits intoserverless:mainfrom
gligorkot:patch-1
Open

Add condition for sts:AssumeRole of the lambda principal to be from within the correct source account#13125
gligorkot wants to merge 3 commits intoserverless:mainfrom
gligorkot:patch-1

Conversation

@gligorkot
Copy link
Copy Markdown

@gligorkot gligorkot commented Sep 25, 2025
edited by coderabbitai bot
Loading

This PR implements the change to update the default IAM Lambda execution role, by adding a condition that the assumer of the role comes from within the same AWS Account that the role is deployed in. From a security point of view this seems like a good idea for this to be the default option.

Closes: #13124

Summary by CodeRabbit

  • Bug Fixes

    • Role assumption now enforces account-level validation by requiring the source account to match the current account.
    • When adding invocation sources, existing account-restriction conditions are preserved so prior access controls remain intact.

  • Tests

    • Added unit tests to verify account-level conditions are preserved when role principals are updated.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Sep 25, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@gligorkot
Copy link
Copy Markdown
Author

gligorkot commented Sep 25, 2025

I have read the CLA Document and I hereby sign the CLA

@Mmarzex
Copy link
Copy Markdown
Contributor

Mmarzex commented Mar 5, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Mar 5, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1cdbd923-8f30-414c-993d-8c176afdffea

📥 Commits

Reviewing files that changed from the base of the PR and between 0fd43c0 and 2f1fd52.

📒 Files selected for processing (1)
  • packages/serverless/test/unit/lib/plugins/aws/package/lib/roles-per-function-permissions.test.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/serverless/test/unit/lib/plugins/aws/package/lib/roles-per-function-permissions.test.js
📝 Walkthrough

Walkthrough

A Condition was added to the IAM role trust policy requiring aws:SourceAccount to equal the deployment AWS::AccountId. Two unit tests were added to verify that an existing aws:SourceAccount Condition is preserved when adding CloudFront and Scheduler principals alongside lambda.amazonaws.com.

Changes

Cohort / File(s) Summary
IAM Role Trust Policy
packages/serverless/lib/plugins/aws/package/lib/iam-role-lambda-execution-template.json		 Added a Condition (StringEquals: { "aws:SourceAccount": { "Ref": "AWS::AccountId" } }) to the AssumeRolePolicyDocument trust statement for Lambda execution.
Unit tests for per-function role principals
packages/serverless/test/unit/lib/plugins/aws/package/lib/roles-per-function-permissions.test.js		 Added two tests that ensure an existing aws:SourceAccount Condition is preserved when Principal.Service is extended to include edgelambda.amazonaws.com (CloudFront viewer-request) and scheduler.amazonaws.com (schedule), while keeping lambda.amazonaws.com.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nibbled code beneath the moon so bright,

I added a guard to keep account claims tight.
Principals now knock and show where they're from,
The trust stays strict, no wild invites come.
Hoppity-hop — secure and light ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: adding a condition requiring the source account to match for sts:AssumeRole of the lambda principal.
Linked Issues check ✅ Passed The pull request fully implements the objective from issue #13124 by adding a StringEquals condition on aws:SourceAccount with AWS::AccountId to the IAM role's AssumeRolePolicyDocument.
Out of Scope Changes check ✅ Passed All changes are directly related to the linked issue objective: modifying the IAM role template and adding tests to verify the condition preservation during function permission updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
packages/serverless/lib/plugins/aws/package/lib/iam-role-lambda-execution-template.json (1)

13-17: Add regression tests to lock in the new trust-policy guard.

Good security hardening, but there’s no unit assertion proving this Condition survives downstream trust-policy mutations (notably in packages/serverless/lib/plugins/aws/package/lib/roles-per-function-permissions.js, Line 336-377). Please add/extend tests to assert aws:SourceAccount is present after role construction paths.

Suggested test assertion shape 
 AssumeRolePolicyDocument: {
   Statement: [
     {
       Effect: 'Allow',
       Principal: { Service: 'lambda.amazonaws.com' },
       Action: 'sts:AssumeRole',
+      Condition: {
+        StringEquals: {
+          'aws:SourceAccount': { Ref: 'AWS::AccountId' },
+        },
+      },
     },
   ],
 }
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In
`@packages/serverless/lib/plugins/aws/package/lib/iam-role-lambda-execution-template.json`
around lines 13 - 17, Add unit tests that assert the trust-policy Condition
"StringEquals":{"aws:SourceAccount":{ "Ref":"AWS::AccountId"}} is retained after
role construction and any downstream mutations; specifically extend or add tests
around the role construction pipeline that exercises the code in
roles-per-function-permissions.js (the logic around Line 336-377) and the
template defined in iam-role-lambda-execution-template.json so the final
generated role/trust policy contains aws:SourceAccount in the Condition. In the
test, construct the role via the same function/class used in packaging (invoke
the role creation path that consumes iam-role-lambda-execution-template.json and
passes through roles-per-function-permissions.js), then assert the resulting
CloudFormation trust policy JSON includes the aws:SourceAccount Condition on the
principal/sts:AssumeRole statements; fail the test if that key is missing or
altered.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@packages/serverless/lib/plugins/aws/package/lib/iam-role-lambda-execution-template.json`:
- Around line 13-17: Add unit tests that assert the trust-policy Condition
"StringEquals":{"aws:SourceAccount":{ "Ref":"AWS::AccountId"}} is retained after
role construction and any downstream mutations; specifically extend or add tests
around the role construction pipeline that exercises the code in
roles-per-function-permissions.js (the logic around Line 336-377) and the
template defined in iam-role-lambda-execution-template.json so the final
generated role/trust policy contains aws:SourceAccount in the Condition. In the
test, construct the role via the same function/class used in packaging (invoke
the role creation path that consumes iam-role-lambda-execution-template.json and
passes through roles-per-function-permissions.js), then assert the resulting
CloudFormation trust policy JSON includes the aws:SourceAccount Condition on the
principal/sts:AssumeRole statements; fail the test if that key is missing or
altered.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 669c0133-a843-4bcd-87d9-d5add7c0fb9f

📥 Commits

Reviewing files that changed from the base of the PR and between 067c242 and bd977e1.

📒 Files selected for processing (1)
  • packages/serverless/lib/plugins/aws/package/lib/iam-role-lambda-execution-template.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Condition to the Trust Relationship of IAM Role to be from the same account

2 participants

@gligorkot @Mmarzex