Best way to scope lambda functions Allowed principals

[diegoaguilar]

I'm deploying hosted runners into an application with some automated policies check. Both setup and webhook handle lambdas are getting flagged because they're pretty open and publicly exposed.

Is there a way to access to these? Should I resolve these from the outputs and then configure? I want to avoid doing a sort of manual check and then getting code to invoke by ARN or something.

Should these even be taken and resolved from the outputs somehow?

[kichik]

The setup Lambda only accepts requests when the correct secret is passed as a query parameter. That secret is reset once setup is complete. It is public to make it easy for the user to quickly complete setup regardless of the network configuration.

cdk-github-runners/src/lambdas/setup/index.ts

Lines 129 to 149 in 13f319d

	// confirm required environment variables
	if (!process.env.WEBHOOK_URL) {
	throw new Error('Missing environment variables');
	}
	const setupToken = (await getSecretJsonValue(process.env.SETUP_SECRET_ARN)).token;
	// bail out if setup was already completed
	if (!setupToken) {
	return response(200, 'Setup already complete. Put a new token in the setup secret if you want to redo it.');
	}
	if (!event.queryStringParameters) {
	return response(403, 'Wrong setup token.');
	}
	// safely confirm url token matches our secret
	const urlToken = event.queryStringParameters.token || event.queryStringParameters.state || '';
	if (urlToken.length != setupToken.length || !crypto.timingSafeEqual(Buffer.from(urlToken, 'utf-8'), Buffer.from(setupToken, 'utf-8'))) {
	return response(403, 'Wrong setup token.');
	}

The webhook Lambda only accepts requests signed by GitHub with the secret value that we set during setup. It is public because GitHub needs to be able to call it. Only repos that you enabled will be able to get this secret value.

cdk-github-runners/src/lambdas/webhook-handler/index.ts

Lines 40 to 55 in 13f319d

	if (!process.env.WEBHOOK_SECRET_ARN || !process.env.STEP_FUNCTION_ARN) {
	throw new Error('Missing environment variables');
	}
	const webhookSecret = (await getSecretJsonValue(process.env.WEBHOOK_SECRET_ARN)).webhookSecret;
	let body;
	try {
	body = verifyBody(event, webhookSecret);
	} catch (e) {
	console.error(e);
	return {
	statusCode: 403,
	body: 'Bad signature',
	};
	}

I plan on having a way to disable the setup function so it can be removed once you're done with it. For the webhook function, I am hoping to find a simple enough way to apply a security group with IPs from here (only the hooks section). Lambda URLs don't support it right now and we need to figure out a way that can also work with self-hosted GitHub Enterprise.

I'm not sure what you mean by:

I want to avoid doing a sort of manual check and then getting code to invoke by ARN or something.

Bottom line the Lambdas are public, but protected. Anyone can technically call them, but can't do anything without the secrets.

Also see #88.

[diegoaguilar]

Thanks for this explanation. I understand that functions should be publicly exposed either way.

The issue description states:

A Lambda function in your account has a resource policy granting all principals access to invoke it or perform any of the actions supported by Lambda’s resource-based policies.
Update the policy so that only principals you intend to access to the function can do so for the actions they require and any statements allowing access to all principals are removed. Alternatively, you can delete the function, if it’s not required.

So maybe letting the function being invoked only by API Gateway could be a way? So I meant that I was thinking that I could find the lambdas ARN and update the created policies too.

[diegoaguilar]

Hmm now that I read I understand that this is about these new Lambda Function URLs feature.

Well if configurable auth is an option, it'd be GREAT.

Also happy to help with a PR but I'd need some heads up. Pretty skilled with TS and generals of CDK and AWS API's but heads up gonna help from you @kichik or anyone else

[kichik]

Yeah, this how public Lambda Function URLs have to be configured. It sounds like the tool producing this error is just not aware of this new feature. The resource policy is limited to only URL access, but the tool seems to think anyone or any service can call lambda:Invoke which is not the case.

{
 "StringEquals": {
  "lambda:FunctionUrlAuthType": "NONE"
 }
}

Switching to API Gateway just to avoid this warning will not really improve the security. Switching and then using API Gateway to limit the caller's IP to GitHub's IP range with aws:SourceIp would improve things. We can then make the IP address configurable too for support of self-hosted GitHub Enterprise.

I think we should let the user configure both the webhook and setup function with one of these options:

1. Disable function access
2. Create Lambda URL for the function (simplest zero headache approach)
3. Create API Gateway for the function that limits access to just GitHub webhook IPs (statically defined in code with action on this project that updates it once in a while, assuming they don't change those IPs often)
4. Create API Gateway for the function that limits access to a given list of IPs/CIDRs
5. Nice-to-have: private API Gateway that can only be accessed from certain VPC where GitHub Enterprise is installed

It doesn't have to be API Gateway, if there is something better. As far as I know, that's the best option. CloudFront is very slow to deploy and won't help if GitHub Enterprise is in an isolated subnet. ALB is not serverless.

If you can help create a PR for that, it would be great.

[diegoaguilar]

@kichik would you be up for a quick call on any shared Slack/Meet to get some guidance? Like I mentioned, I feel pretty confident to implement stuff with TS but might need more detailed initial heads up regarding AWS API's

[kichik]

Yes, for sure. Email me at amir@cloudsnorkel.com and we can find a time together. Maybe tomorrow around noon PDT?

[kichik]

With 0.9.2 you can use:

new GitHubRunners(this, 'runners', {
  statusAccess: LambdaAccess.apiGateway({
    // only allow access to the status function from my IP
    allowedIps: ['1.2.3.4/32'], // example of my IP
  }),
  webhookAccess: LambdaAccess.apiGateway({
    // only allow access to the webhook from GitHub webhook IPs
    allowedIps: LambdaAccess.githubWebhookIps(),
  }),
  setupAccess: LambdaAccess.apiGateway({
    // only allow devs in the devSg to access setup through myVpc
    // this creates a private API Gateway that doesn't even resolve publicly
    allowedVpc: myVpc,
    allowedSecurityGroups: devSg,
  }),
});