I want to understand the differences between AWS Lambda function execution role permissions and invocation permissions. I also want to know how the two types of AWS Identity and Access Management (IAM) permissions for Lambda are different.
Resolution
Important: When you create IAM policies, it's a best practice to grant only the required permissions to perform a specific task.
Lambda function execution role permissions
Lambda execution role permissions are IAM permissions that grant a Lambda function permission to access specific AWS services and resources. When you don't grant your function execution role permissions for a service or resource, the function can't access the service or resource.
Grant execution role permissions
To grant Lambda execution role permissions, you list service-specific API actions, such as s3:GetObject or sns:Publish, in the Action element of an IAM policy statement. Then, you attach the policy to an IAM execution role that your Lambda function assumes when it's invoked.
For services that generate a queue or data stream, you must configure an event source mapping for Lambda to poll the queue or data stream. An event source mapping uses permissions in the function's execution role to read and manage items in the event source.
Note: Permissions, event structures, settings, and polling behavior vary by event source. For an example IAM policy that includes Lambda polling permissions, see IAM policy to allow an AWS Lambda function to access Amazon DynamoDB stream records.
Lambda function invocation permissions
Lambda function invocation permissions are IAM permissions that grant a specific service or resource permission to invoke a Lambda function. When you don't grant a service or resource invocation permission for your Lambda function, the service or resource can't invoke your function.
Important: You must grant invocation permission to services that push events to the Lambda function (push event sources). For example, use the function's resource-based policy to grant Amazon API Gateway permission to invoke a Lambda function.
Grant invocation permissions
To grant Lambda invocation permissions, you list the lambda:InvokeFunction API action in the Action element of a Lambda function's IAM resource-based policy statement. You configure the Lambda function's resource-based policy separately from the function's execution role.
Note: In this case, the lambda:InvokeFunction action identifier is different from the Invoke API operation. For other actions, the action identifier is the operation name with the lambda: prefix.
When you use the Lambda console to add a trigger to your function, the required invocation permissions are automatically added to the function's resource-based policy. To grant permissions to AWS accounts or services that aren't available in the console, you must use the Lambda AddPermission API action.
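As an added illustration (not part of the original article), the two policy types appear side by side with a small check that tells them apart and flags over-broad grants. The account ID, Region, bucket, topic, function name and API ID are constructed placeholders; the AWS:SourceArn check reflects the general practice of scoping a service principal's invoke permission to one specific source.

```python
# Constructed sample: identity-based policy for the execution role (what the function may call).
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "sns:Publish"],
        "Resource": ["arn:aws:s3:::example-bucket/*",
                     "arn:aws:sns:us-east-1:123456789012:example-topic"],
    }],
}

# Constructed sample: resource-based policy (who may call the function), as written by `aws lambda add-permission`.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-fn",
        "Condition": {"ArnLike": {"AWS:SourceArn":
            "arn:aws:execute-api:us-east-1:123456789012:abc123/*/GET/items"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_kind(policy):
    """An execution role policy has no Principal element; only a resource-based policy does."""
    return "resource-based" if any("Principal" in s for s in policy["Statement"]) else "identity-based"

def invoke_grants(policy):
    """(principal, AWS:SourceArn or None) for each resource-based Allow statement granting lambda:InvokeFunction."""
    grants = []
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and "Principal" in s and "lambda:InvokeFunction" in _as_list(s["Action"]):
            principal = s["Principal"]
            if isinstance(principal, dict):  # {"Service": ...} or {"AWS": ...}
                principal = next(iter(principal.values()))
            grants.append((principal, s.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")))
    return grants

def least_privilege_findings(policy):
    """Flag wildcard actions, and invoke grants to a service principal with no AWS:SourceArn scope."""
    findings = [f"wildcard Action in statement {i}" for i, s in enumerate(policy["Statement"])
                if s.get("Effect") == "Allow" and any(a.endswith("*") for a in _as_list(s["Action"]))]
    for principal, source_arn in invoke_grants(policy):
        if principal == "*" or (principal.endswith(".amazonaws.com") and source_arn is None):
            findings.append(f"{principal} may invoke the function without an AWS:SourceArn condition")
    return findings
```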
For more information, see Granting Lambda function access to AWS services.
Related information
Managing permissions in AWS Lambda
Working with AWS managed policies in the execution role