I want to grant permissions to AWS Lambda functions in my AWS Serverless Application Model (AWS SAM) application. How do I define a Lambda execution role with scoped permissions in an AWS SAM template?
Short description
To define a Lambda execution role in an AWS SAM template, you can use the following AWS::Serverless::Function resource properties:
- Policies—Allow you to create a new execution role using predefined policies that can be scoped to your Lambda function.
- Role—Allows you to define an AWS Identity and Access Management (IAM) role to use as the function's execution role.
- PermissionsBoundary—Allows you to set an IAM permissions boundary for the execution role that you create.
Note: The Policies and Role properties can't be used together. Using the Role property is helpful when your execution role requires permissions that are too specific for the predefined policies.
Resolution
Specify policies for a new Lambda execution role
For the Policies property, enter any combination of the following:
- The name of an AWS managed policy.
- An AWS SAM policy template (with the parameters it requires).
- An inline IAM policy document.
Note: AWS SAM policy templates are scoped to specific AWS resources. See Policy template table for a list of policy templates and the permissions that they give to your Lambda functions.
The following are some example AWS SAM YAML templates with Policies defined:
Example AWS SAM YAML template with an AWS managed policy named AmazonDynamoDBFullAccess defined
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        # Give the Lambda service access to poll your DynamoDB Stream
        - AmazonDynamoDBFullAccess
Example AWS SAM YAML template with an AWS SAM policy template (SQSPollerPolicy) defined
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName:
            !GetAtt MyQueue.QueueName
Example AWS SAM YAML template with an inline policy document defined
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
                - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
                - ssm:GetParameters
                - ssm:GetParameter
              Resource: '*'
(Optional) Specify an IAM permissions boundary
To set the maximum permissions allowed for your Lambda function's execution role, use an IAM permissions boundary.
To set an IAM permissions boundary, do the following in your AWS SAM YAML template:
Specify the Amazon Resource Name (ARN) of a permissions boundary
For the PermissionsBoundary property, enter the ARN of a permissions boundary. For example:
Properties:
  PermissionsBoundary: arn:aws:iam::123456789012:policy/LambdaBoundaries
Note: You can define PermissionsBoundary only if you're creating a new role with your AWS SAM template. You can't set a permissions boundary for an existing Role that you specify.
Specify a Lambda execution role
For the Role property, enter one of the following:
Note: If you don't specify a Role in your AWS SAM template, then an execution role is created when you deploy your application. This execution role includes any Policies that you define.
Example AWS SAM YAML template with the Role property defined
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Role: arn:aws:iam::111111111111:role/SAMPolicy
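The following is an added example (not part of this article or of AWS SAM) that reviews the execution-role settings described above before you deploy: it flags a function that combines Policies with Role, a PermissionsBoundary set alongside an existing Role, FullAccess managed policies, and inline statements that allow Resource '*' or a wildcard Action. It assumes the template has already been parsed into a dict (for example by a YAML loader, with !GetAtt in its long Fn::GetAtt form); the sample template is constructed for the demonstration.

```python
from typing import Any, Dict, List

# Constructed sample in the shape of the templates above, after YAML parsing.
# It deliberately combines several of the settings this article cautions
# against, so every check below fires at least once.
SAMPLE_TEMPLATE = {"Resources": {"MyFunction": {
    "Type": "AWS::Serverless::Function",
    "Properties": {
        "Handler": "index.handler",
        "Policies": [
            "AmazonDynamoDBFullAccess",
            {"SQSPollerPolicy": {"QueueName": {"Fn::GetAtt": ["MyQueue", "QueueName"]}}},
            {"Statement": [{"Sid": "SSMGetParameterPolicy", "Effect": "Allow",
                            "Action": ["ssm:GetParameter"], "Resource": "*"}]},
        ],
        "Role": "arn:aws:iam::111111111111:role/SAMPolicy",
        "PermissionsBoundary": "arn:aws:iam::123456789012:policy/LambdaBoundaries",
    },
}}}

def _as_list(value: Any) -> List[Any]:
    # IAM and SAM accept a single string or a list in most of these fields.
    return value if isinstance(value, list) else [value]

def review_function(name: str, props: Dict[str, Any]) -> List[str]:
    """Return findings for one AWS::Serverless::Function's execution-role settings."""
    findings: List[str] = []
    policies = _as_list(props.get("Policies", []))
    if policies and "Role" in props:
        findings.append(f"{name}: Policies and Role can't be used together")
    if "PermissionsBoundary" in props and "Role" in props:
        findings.append(f"{name}: PermissionsBoundary can't be applied to an existing Role")
    for policy in policies:
        if isinstance(policy, str) and policy.endswith("FullAccess"):
            findings.append(f"{name}: managed policy {policy} is broader than a scoped policy template")
        elif isinstance(policy, dict) and "Statement" in policy:  # inline policy document
            for stmt in _as_list(policy["Statement"]):
                if stmt.get("Effect") != "Allow":
                    continue
                sid = stmt.get("Sid", "<no Sid>")
                if "*" in _as_list(stmt.get("Resource", "*")):
                    findings.append(f"{name}: statement {sid} allows Resource '*'")
                if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
                    findings.append(f"{name}: statement {sid} allows a wildcard Action")
    return findings

def review_template(template: Dict[str, Any]) -> List[str]:
    """Apply review_function to every function resource in a parsed SAM template."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Serverless::Function":
            findings.extend(review_function(name, res.get("Properties", {})))
    return findings
```

Policy templates such as SQSPollerPolicy are left alone because AWS SAM already scopes them to the named resource; a clean function produces no findings.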
Package and deploy your application
1. In the AWS SAM command line interface (AWS SAM CLI), run the sam build command to build and package your application.
Note: If you receive errors when running the AWS SAM CLI commands, make sure that you're using the most recent version of the AWS SAM CLI.
2. Run the sam deploy command to deploy your AWS SAM application package.
For more information, see Building applications and Deploying serverless applications.
Related information
Getting started with AWS SAM
AWS Serverless Application Model (AWS SAM) (AWS SAM GitHub repo)
Policy templates (AWS SAM GitHub repo)
Managed policies and inline policies
Validating AWS SAM template files