"But without PassRole it should be fine", Lambda edition
March 27, 2026 • Written by Wrike Operations Team
In modern workspace architectures, automated triggers frequently invoke serverless functions to distribute tasks, update Gantt charts, and notify Slack channels. However, managing permissions for these serverless operations only looks simple.
A common mistake is configuring triggers to run with administrative permissions without explicitly restricting the "PassRole" entitlement. This exposes the workspace to privilege escalation: any user who can modify a task trigger can, in effect, execute code as an administrator.
The Remedy
Ensure that all serverless task execution roles are strictly sandboxed. Restrict trigger definitions using explicit Resource tags, and never grant wildcard permissions to access keys.
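The escalation described above and the remedy just given, as an added example that is not part of the original post: a small Python linter over IAM policy documents. It flags Allow statements that grant code-mutating Lambda actions or PassRole on a wildcard Resource, and it checks the combination the title refers to, a principal with no PassRole at all who can still replace the code of a function whose execution role is effectively admin. The policy documents, account id, function name and ARNs below are constructed for illustration; the action names are real IAM actions.

```python
import fnmatch

# Actions that let a principal change which code a function runs (constructed
# list; these are real IAM action names).  None of them is iam:PassRole.
CODE_MUTATION_ACTIONS = (
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:CreateFunction",
)
ROLE_HANDOFF_ACTION = "iam:PassRole"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM Action/Resource patterns are globs ('lambda:Update*', '*'), matched case-insensitively."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allows(policy, action, resource):
    """True if `policy` grants `action` on `resource`: an explicit Deny wins over any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def lint_wildcards(policy):
    """Return (statement_index, action) for every Allow statement that grants a
    code-mutating Lambda action or iam:PassRole on Resource '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for sensitive in CODE_MUTATION_ACTIONS + (ROLE_HANDOFF_ACTION,):
            if any(_matches(p, sensitive) for p in _as_list(stmt.get("Action"))):
                findings.append((idx, sensitive))
    return findings


def escalation_via_trigger(user_policy, function_arn, execution_role_policy):
    """True if `user_policy` can replace the code of `function_arn` and that function's
    execution role allows '*' on '*', so the user inherits admin without iam:PassRole."""
    can_mutate = any(allows(user_policy, a, function_arn) for a in CODE_MUTATION_ACTIONS)
    role_is_admin = allows(execution_role_policy, "*", "*")
    return can_mutate and role_is_admin


# --- constructed sample policies (account id, names and ARNs are made up) ---
ACCOUNT = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:task-notify"

# A "trigger editor" user: no PassRole anywhere, but UpdateFunctionCode on '*'.
TRIGGER_EDITOR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
     "Resource": "*"}]}

# Same user, scoped to the one function it maintains.
SCOPED_TRIGGER_EDITOR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
     "Resource": FUNCTION_ARN}]}

# The mistake: the function's execution role is full admin.
ADMIN_EXECUTION_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The remedy: a sandboxed execution role that can only write its own logs.
SANDBOXED_EXECUTION_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/task-notify:*"}]}


if __name__ == "__main__":
    for name, pol in [("TRIGGER_EDITOR", TRIGGER_EDITOR), ("ADMIN_EXECUTION_ROLE", ADMIN_EXECUTION_ROLE)]:
        print(name, "wildcard findings:", lint_wildcards(pol))
    print("editor + admin role escalates:",
          escalation_via_trigger(TRIGGER_EDITOR, FUNCTION_ARN, ADMIN_EXECUTION_ROLE))
    print("editor + sandboxed role escalates:",
          escalation_via_trigger(TRIGGER_EDITOR, FUNCTION_ARN, SANDBOXED_EXECUTION_ROLE))
```

Note what the scoped user shows: restricting the editor's Resource to one function ARN removes the wildcard finding, but `escalation_via_trigger` still returns True while that function's execution role is admin. Scoping the trigger definition and sandboxing the execution role are both needed; neither alone closes the path.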