Implement support for Lambda resource-based policies

[philchristensen]

Is your feature request related to a problem?

I'm trying to use ACK to create a Lambda function that is invoked by an EventBridge cron event. When using EventBridge (or SNS) to invoke a Lambda, we need to modify the resource permissions to allow the event.amazonaws.com (or sns/amazonaws.com) service to invoke the function.

Describe the solution you'd like
Terraform provides an aws_lambda_permission object, it seems like it would be best to follow this and create a Permission CRD for the Lambda ACK Controller.

Also, FWIW, a number of AI tools I've tried have hallucinated that this object exists in ACK anyway 🤦🏽

Describe alternatives you've considered
Alternatively to above, you could add a policy attribute to the Function CRD instead of making a new object type.

Also, since this is all inside a Helm chart, I've tried valiantly to create a Kubernetes Job that calls aws lambda add-permission but it's pretty ugly, and I don't know if I can use it yet as is.

[github-actions]

Hello @philchristensen 👋 Thank you for opening an issue in ACK! A maintainer will triage this issue soon.

We encourage community contributions, so if you're interested in tackling this yourself or suggesting a solution, please check out our Contribution and Code of Conduct guidelines.

You can find more information about ACK on our website.

[a-hilaly]

Hi @philchristensen - you can add a Permission on an alias using the Alias CRD, checkout https://aws-controllers-k8s.github.io/community/reference/lambda/v1alpha1/alias/

[philchristensen]

Oh, wow, totally missed that. Trying it now.

[philchristensen]

So, I created the Alias with the correct permissions, and I updated the EventBus Rule to use the Alias ARN instead:

It doesn't seem like Lambda is recognizing the connection; normally when I create these, I see the "trigger" on the left like this:

However right now that "trigger" area is empty, even though all the other objects exist. To be clear, it's also not triggering the Lambda on schedule either.

[philchristensen]

So, I think the crux of the issue here is that despite adding the permission block, to my Alias, it's not showing up in the console (or in the output of aws lambda get-policy)

apiVersion: lambda.services.k8s.aws/v1alpha1
kind: Alias
metadata:
  annotations:
    meta.helm.sh/release-name: echolibrium-lambda
    meta.helm.sh/release-namespace: echolibrium-lambda
  creationTimestamp: "2025-10-20T19:16:05Z"
  finalizers:
  - finalizers.lambda.services.k8s.aws/Alias
  generation: 2
  labels:
    app.kubernetes.io/instance: echolibrium-lambda
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: eaze-lambda
    app.kubernetes.io/version: 1.5.11
    helm.sh/chart: eaze-lambda-chart-1.5.11
    helm.toolkit.fluxcd.io/name: echolibrium-lambda
    helm.toolkit.fluxcd.io/namespace: echolibrium-lambda
  name: echolibrium-lambda-eaze-lambda
  namespace: echolibrium-lambda
  resourceVersion: "300672847"
  uid: 5828e9cb-de5b-4be5-9a04-10a73769f0f5
spec:
  description: ""
  functionName: development-echolibrium-lambda-eaze-lambda
  functionVersion: $LATEST
  name: DEPLOYED
  permissions:
  - action: lambda:InvokeFunction
    principal: events.amazonaws.com
    sourceARN: arn:aws:events:us-west-2:738078141876:rule/development-echolibrium-lambda-eaze-lambda

I should be able to fetch the policy, but no dice:

$ aws lambda get-policy --function-name development-echolibrium-lambda-eaze-lambda --qualifier DEPLOYED

An error occurred (ResourceNotFoundException) when calling the GetPolicy operation: The resource you requested does not exist.

And of course, if I go in and manually add the policy to the Alias, it does get returned by the above command:

$ aws lambda get-policy --function-name development-echolibrium-lambda-eaze-lambda --qualifier DEPLOYED | cat
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"test-statement\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-west-2:738078141876:function:development-echolibrium-lambda-eaze-lambda:DEPLOYED\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:events:us-west-2:738078141876:rule/development-echolibrium-lambda-eaze-lambda\"}}}]}",
    "RevisionId": "20176c9a-98e7-400d-b1f4-d3ce649bbab7"
}