
How do I provide granular access to Lambda functions?


I want to grant read and write permissions for a specific AWS Lambda function to an AWS Identity and Access Management (IAM) user.

Resolution

Use IAM policies to configure permissions for IAM users to create, delete, modify, invoke, and monitor Lambda functions, and view a Lambda function's configuration.

The following policy examples restrict Lambda API actions that support resource-level permissions to a specific Lambda function that's listed in the Resource element. For actions that support a Lambda condition key instead, you can use the Condition element to identify the Lambda function in the IAM policy.

For API actions that don't support resource-level permissions, you must use a wildcard (*) in the Resource element, and you can't apply Lambda-specific condition keys to them. For more information, see Actions, resources, and condition keys for AWS Lambda.

The Resource element uses an ARN to identify the resources that the statement applies to. For example, if the Action is Invoke, then the Resource value is a function ARN. IAM matches that ARN against the ARN of the function identified by the Invoke request's FunctionName and Qualifier parameters. For more information about ARNs for Lambda function versions, see Using versions.

If you use multiple versions of the function, then you don't need to add each version's ARN. Instead, include the wildcard (*) in the Resource element:

arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME:*

Note: Replace AWS_REGION and AWS_ACCOUNT_ID with the Region and account ID from your Lambda ARN, and LAMBDA_FUNCTION_NAME with the Lambda function name.
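As an added example (not code from the original article), the following Python models the glob matching that IAM applies to the Resource element, to show which function ARNs the unqualified ARN and the `:*` wildcard pattern each cover. It is a simplified model (`*` matches any run of characters, `?` exactly one, everything else is literal); the Region, account ID, version number and alias name are constructed sample values.

```python
import re

# Constructed sample values standing in for the article's placeholders.
REGION = "us-east-1"
ACCOUNT = "111122223333"
FUNCTION = "LAMBDA_FUNCTION_NAME"

UNQUALIFIED_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{FUNCTION}"
VERSIONED_PATTERN = f"{UNQUALIFIED_ARN}:*"


def arn_matches(pattern: str, arn: str) -> bool:
    """Simplified model of IAM Resource matching: '*' matches any run of
    characters, '?' matches exactly one, everything else is a literal,
    case-sensitive character. Enough to reason about version qualifiers."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def covered_by(patterns, arn):
    """True if any Resource pattern in the list matches the ARN."""
    return any(arn_matches(p, arn) for p in patterns)


def qualifier_coverage(patterns):
    """Report which kinds of Lambda ARN a Resource list covers: the unqualified
    function, a numbered version, an alias, and an unrelated function
    (all constructed examples)."""
    candidates = {
        "unqualified": UNQUALIFIED_ARN,
        "version": f"{UNQUALIFIED_ARN}:3",
        "alias": f"{UNQUALIFIED_ARN}:PROD",
        "other_function": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:OtherFunction",
    }
    return {name: covered_by(patterns, arn) for name, arn in candidates.items()}


if __name__ == "__main__":
    resource_lists = {
        "unqualified only": [UNQUALIFIED_ARN],
        "wildcard only": [VERSIONED_PATTERN],
        "both": [UNQUALIFIED_ARN, VERSIONED_PATTERN],
    }
    for label, patterns in resource_lists.items():
        print(f"{label:18} {qualifier_coverage(patterns)}")
```

Run stand-alone, it prints the coverage for three Resource lists. The point to notice is that the `:*` pattern matches a numbered version and an alias but not the unqualified function ARN, because the pattern requires the trailing colon; a statement that must also cover unqualified calls lists both ARNs.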

In the following example IAM policies, replace the following values:

  • AWS_ACCOUNT_ID with your AWS account ID
  • LAMBDA_FUNCTION_NAME with your Lambda function name
  • IAM_USER_NAME with the IAM user that you're providing Lambda access to
  • AWS_REGION with your AWS Region
  • KEY_ID with your AWS Key Management Service (AWS KMS) key
  • IAM_ROLE_NAME with your IAM role
  • S3_BUCKET_NAME with your Amazon Simple Storage Service (Amazon S3) bucket name

Permissions to create a Lambda function

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

To use the AWS CLI or the Lambda console to create a Lambda function, you must have the lambda:CreateFunction and iam:PassRole permissions. For example policies, see Identity-based IAM policies for Lambda.

The following example policy allows the API caller to create a Lambda function and pass the IAM role as the function's Lambda execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToCreateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
      ]
    },
    {
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME"
    }
  ]
}

If you store the Lambda function code in an S3 bucket, then add a statement that grants Amazon S3 read permissions to the IAM policy.

Example policy:

{
  "Sid": "PermissionToUploadCodeFromS3",
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::S3_BUCKET_NAME/FileName.zip"
}

Note: Replace FileName.zip with your Lambda function code .zip file.

To view and update the function, you must also add read-level API actions to the IAM policy.

Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsToViewFunctionsInConsole",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionsToCreateAndUpdateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:ListTags",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
      ]
    },
    {
      "Sid": "PermissionToListExistingRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME"
    }
  ]
}

To create an IAM role during the Lambda function creation process, add the following IAM permissions:

{
  "Sid": "PermissionsToCreateAndUpdateARole",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:CreatePolicy",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "*"
}
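The blocks in this section mix complete policies with single-statement fragments that omit the Version and Statement wrapper. The following Python, added here and not part of the article, assembles such fragments into one policy document: it substitutes the placeholders listed at the top of the article, rejects a fragment that is not valid JSON (a missing comma between actions, for instance), fails if any placeholder is left unreplaced, and fails on duplicate Sids, since IAM requires a Sid to be unique within a policy and several fragments on this page reuse the same Sid. The fragment text is the create-function statements from this section, condensed; the values in VALUES are constructed.

```python
import json
import re

# Placeholder tokens used throughout this article, in the form they appear.
PLACEHOLDER_RE = re.compile(
    r"AWS_REGION|AWS_ACCOUNT_ID|LAMBDA_FUNCTION_NAME|IAM_USER_NAME|IAM_ROLE_NAME|"
    r"S3_BUCKET_NAME|KEY_ID|FileName\.zip"
)

# Statement fragments from the create-function section, pasted as text.
FRAGMENTS = [
    """{
      "Sid": "PermissionToCreateFunction",
      "Effect": "Allow",
      "Action": ["lambda:CreateFunction"],
      "Resource": ["arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"]
    }""",
    """{
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "arn:aws:iam::AWS_ACCOUNT_ID:role/IAM_ROLE_NAME"
    }""",
    """{
      "Sid": "PermissionToUploadCodeFromS3",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::S3_BUCKET_NAME/FileName.zip"
    }""",
]

# Constructed sample values; replace with your own.
VALUES = {
    "AWS_REGION": "us-east-1",
    "AWS_ACCOUNT_ID": "111122223333",
    "LAMBDA_FUNCTION_NAME": "order-processor",
    "IAM_ROLE_NAME": "order-processor-exec",
    "S3_BUCKET_NAME": "example-deploy-bucket",
    "FileName.zip": "order-processor.zip",
}


def substitute(text, values):
    """Replace every known placeholder with the caller's value."""
    for token, value in values.items():
        text = text.replace(token, value)
    return text


def compose_policy(fragments, values):
    """Join statement fragments into one complete identity-based policy.

    Raises ValueError if a fragment is not valid JSON, a placeholder was not
    replaced, or two statements share a Sid."""
    statements = []
    seen_sids = set()
    for raw in fragments:
        text = substitute(raw, values)
        try:
            stmt = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"fragment is not valid JSON: {exc}") from exc
        leftover = sorted(set(PLACEHOLDER_RE.findall(text)))
        if leftover:
            raise ValueError(f"unreplaced placeholders in {stmt.get('Sid')}: {leftover}")
        sid = stmt.get("Sid")
        if sid in seen_sids:
            raise ValueError(f"duplicate Sid: {sid}")
        seen_sids.add(sid)
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(compose_policy(FRAGMENTS, VALUES), indent=2))
```

When a fragment fails the checks, fix the fragment rather than loosening the check: a leftover AWS_ACCOUNT_ID is an ARN that will never match, and a duplicate Sid is rejected when the policy is created.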

Permissions to delete a Lambda function

To delete a Lambda function, add the following permissions to the IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToDeleteFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
      ]
    }
  ]
}

To use the Lambda console to delete a function, add Lambda read access permissions to the IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsToViewFunctionsInConsole",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToDeleteFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
      ]
    }
  ]
}

Permissions to view the configuration details of a Lambda function

To allow a user to view the configuration details of a Lambda function, add the following permissions to the IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActionsWhichSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:ListTags",
        "lambda:TagResource",
        "lambda:GetFunctionConfiguration",
        "lambda:GetPolicy",
        "lambda:GetAlias",
        "lambda:ListVersionsByFunction",
        "lambda:ListAliases"
      ],
      "Resource": [
        "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
      ]
    },
    {
      "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:ListTags",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

Note: Based on the level of read access that you want to grant, you can add all the preceding permissions or only some of them. If you're using Lambda layers, then you can also add the lambda:GetLayerVersion or lambda:ListLayerVersions permissions.

To use the Lambda console to view the configuration details of a function, add the following permissions to the IAM policy:

{
  "Sid": "PermissionsToViewFunctionsInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings"
  ],
  "Resource": "*"
}

The Lambda console lets you filter Lambda functions by tag. To use tag filtering, add the following permissions to the IAM policy:

{
  "Sid": "PermissionsToFilterFunctionsByTags",
  "Effect": "Allow",
  "Action": [
    "tag:GetResources"
  ],
  "Resource": "*"
}

The Lambda console displays details about the IAM role that's associated with a Lambda function and the resources that the function's role has access to. To view the details, add the following permissions to the IAM policy:

{
  "Sid": "PermissionsToViewRolesAndPolicies",
  "Effect": "Allow",
  "Action": [
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:GetRolePolicy",
    "iam:ListRoles",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies"
  ],
  "Resource": "*"
}

If you have additional requirements, then you might need to grant additional permissions to other AWS services.

Permissions to modify a Lambda function

To allow a user to modify a Lambda function, add the following permissions to the IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActionsWhichSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:CreateAlias",
        "lambda:UpdateAlias",
        "lambda:DeleteAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:PutFunctionConcurrency",
        "lambda:DeleteFunctionConcurrency",
        "lambda:PublishVersion",
        "lambda:UpdateFunctionEventInvokeConfig",
        "lambda:PutFunctionEventInvokeConfig"
      ],
      "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
    },
    {
      "Sid": "ActionsWhichSupportCondition",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:UpdateEventSourceMapping",
        "lambda:DeleteEventSourceMapping"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionArn": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
        }
      }
    },
    {
      "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:UntagResource",
        "lambda:TagResource"
      ],
      "Resource": "*"
    }
  ]
}

Note: Based on the level of write access that you want to grant, you can add all the preceding permissions or only some of them.

To restrict access further, you can scope lambda:AddPermission and lambda:RemovePermission to a specific principal that the attached resource-based policy grants access to. You can also restrict lambda:UpdateEventSourceMapping and lambda:DeleteEventSourceMapping to a specific event source mapping.
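A practical check when assembling these statements is whether an action that accepts a function ARN was given Resource "*" instead. The following Python, an added example rather than code from the article, scans an identity-based policy for that pattern, for event source mapping actions granted on "*" without the lambda:FunctionArn condition shown above, and for iam:PassRole on "*". Its list of resource-scopable actions is taken from the examples on this page, not from the full Lambda authorization reference, so it is incomplete by design; the policy it scans is a constructed, deliberately loosened variant of the modify policy above.

```python
import json

# Lambda actions that this article shows scoped to a function ARN. Drawn from
# the page's own examples, not the complete authorization reference.
RESOURCE_LEVEL_ACTIONS = {
    "lambda:CreateFunction", "lambda:GetFunction", "lambda:DeleteFunction",
    "lambda:InvokeFunction", "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration", "lambda:GetFunctionConfiguration",
    "lambda:GetPolicy", "lambda:AddPermission", "lambda:RemovePermission",
    "lambda:PublishVersion", "lambda:CreateAlias", "lambda:UpdateAlias",
    "lambda:DeleteAlias", "lambda:PutFunctionConcurrency",
    "lambda:DeleteFunctionConcurrency",
}

# Actions the article scopes with the lambda:FunctionArn condition key.
CONDITION_SCOPED_ACTIONS = {
    "lambda:CreateEventSourceMapping", "lambda:UpdateEventSourceMapping",
    "lambda:DeleteEventSourceMapping",
}

# Constructed policy: the modify policy from this section with the scoping removed.
LOOSE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "lambda:ListTags"],
     "Resource": "*"},
    {"Sid": "ScopedByCondition", "Effect": "Allow",
     "Action": ["lambda:CreateEventSourceMapping", "lambda:DeleteEventSourceMapping"],
     "Resource": "*",
     "Condition": {"StringEquals": {"lambda:FunctionArn":
       "arn:aws:lambda:us-east-1:111122223333:function:order-processor"}}},
    {"Sid": "UnscopedMapping", "Effect": "Allow",
     "Action": "lambda:UpdateEventSourceMapping", "Resource": "*"},
    {"Sid": "AnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "Fine", "Effect": "Allow",
     "Action": ["lambda:TagResource", "lambda:UntagResource"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (Sid, reason, actions) findings for Allow statements on Resource "*"."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        scopable = sorted(actions & RESOURCE_LEVEL_ACTIONS)
        if scopable:
            findings.append((sid, "resource-scopable actions on '*'", scopable))
        mapping_actions = sorted(actions & CONDITION_SCOPED_ACTIONS)
        has_fn_condition = any(
            "lambda:FunctionArn" in keys for keys in stmt.get("Condition", {}).values()
        )
        if mapping_actions and not has_fn_condition:
            findings.append((sid, "mapping actions on '*' without lambda:FunctionArn", mapping_actions))
        if "iam:PassRole" in actions:
            findings.append((sid, "iam:PassRole on '*'", ["iam:PassRole"]))
        wildcards = sorted(a for a in actions if a.endswith("*"))
        if wildcards:
            findings.append((sid, "wildcard actions on '*'", wildcards))
    return findings


if __name__ == "__main__":
    for sid, reason, actions in find_overbroad_statements(LOOSE_POLICY):
        print(f"{sid}: {reason}: {', '.join(actions)}")
```

Statements that legitimately need "*" (the ListFunctions and TagResource statements on this page) produce no finding, while the three loosened statements do; the fix in each case is the scoping the article's own examples already show.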

To use a customer managed key to encrypt environment variables, add the following AWS KMS permissions to the IAM policy:

{
  "Sid": "PermissionsForCryptoOperations",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:CreateGrant"
  ],
  "Resource": "arn:aws:kms:AWS_REGION:AWS_ACCOUNT_ID:key/KEY_ID"
},
{
  "Sid": "PermissionsToListExistingKeys",
  "Effect": "Allow",
  "Action": [
    "kms:ListKeys",
    "kms:ListAliases"
  ],
  "Resource": "*"
}

To use the Lambda console to modify a Lambda function's configuration, add the following permissions to the IAM policy:

{
  "Sid": "PermissionsToViewFunctionsInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings"
  ],
  "Resource": "*"
}

Permissions to invoke a Lambda function

To manually invoke a Lambda function, add the following permissions to the IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
    }
  ]
}

To use the Lambda console to list Lambda functions, add the following permissions to the IAM policy:

{
  "Sid": "PermissionsToViewFunctionsConfigInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings",
    "lambda:GetFunction",
    "lambda:ListTags"
  ],
  "Resource": "*"
}

To allow other services to invoke a Lambda function, use resource-based policies for Lambda. You can also use function policies to provide cross-account access to Lambda functions.

The following example policy allows a user from a different account to manually invoke a Lambda function:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::External_AWS_ACCOUNT_ID:user/IAM_USER_NAME"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
    }
  ]
}

Note: Replace External_AWS_ACCOUNT_ID with the account that you want to allow to invoke the function.
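Because the function policy above names a principal outside your account, it is worth classifying every principal that a Lambda resource-based policy grants access to before attaching it. The following Python, added here and not from the article, reports each Allow statement as same-account, cross-account, service, or public (a `*` principal with no Condition, which lets anyone invoke the function). The sample policy and the account IDs are constructed.

```python
import json

OWN_ACCOUNT = "111122223333"  # constructed account ID of the function owner

# Constructed resource-based policy: the cross-account statement from above
# plus three further statements of different kinds.
SAMPLE_FUNCTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {"Sid": "PermissionToInvoke", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:user/external-operator"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-processor"},
    {"Sid": "OpenToEveryone", "Effect": "Allow",
     "Principal": "*",
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-processor"},
    {"Sid": "S3Trigger", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-processor",
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
    {"Sid": "InternalRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/order-reader"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-processor"}
  ]
}""")


def principal_entries(principal):
    """Flatten a Principal element into (type, value) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    entries = []
    for ptype, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            entries.append((ptype, value))
    return entries


def account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def review_function_policy(policy, own_account):
    """Classify the principals of each Allow statement in a function policy."""
    report = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        kinds = set()
        for ptype, value in principal_entries(stmt.get("Principal", {})):
            if value == "*":
                kinds.add("public" if "Condition" not in stmt else "public-with-condition")
            elif ptype == "Service":
                kinds.add("service")
            elif ptype == "AWS":
                acct = account_of(value) if value.startswith("arn:") else value
                kinds.add("same-account" if acct == own_account else "cross-account")
            else:
                kinds.add(ptype.lower())
        report.append((stmt.get("Sid", "<no Sid>"), sorted(kinds)))
    return report


if __name__ == "__main__":
    for sid, kinds in review_function_policy(SAMPLE_FUNCTION_POLICY, OWN_ACCOUNT):
        print(f"{sid}: {', '.join(kinds)}")
```

Any statement reported as public deserves a second look, and cross-account entries should match the accounts you intend to grant, as the note above describes for External_AWS_ACCOUNT_ID.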

Permissions to monitor Lambda functions

To view Amazon CloudWatch metrics in the Monitoring tab of the Lambda console, add the following permissions to the IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionForCloudWatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

To grant permissions to specific CloudWatch metrics and CloudWatch Logs Insights, see Amazon CloudWatch permissions reference and CloudWatch Logs permissions reference.