2 回答
- 最新
- 投票最多
- 评论最多
2
In general, it is recommended to use the grant function rather than granting permission directly from the cdk. for example,
const lambdaFunc = new lambda.Function(....); const ddbTable = new ddb.Table(...); ddbTable.grantReadData(lambdaFunc); ddbTable.grantReadWriteData(lambdaFunc);
已回答 2 年前
1
For this you can use the add_role_to_policy
function:
from aws_cdk import aws_lambda as _lambda
from aws_cdk.aws_lambda_python import PythonFunction
from aws_cdk import aws_iam as iam
my_function = PythonFunction(
#function logic
)
my_function.add_to_role_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
'dynamodb:GetItem',
],
resources=[
'TABLE_ARN',
],
))
The above policy uses Python and grants the Lambda GetItem
permissions on the DynamoDB table which ARN you provide.
More info can be found here
Where is this recommended? It seems its not as granular as adding a policy to the function where you can refine the permission policy to API/Resource? Instead, your example allows all API's against the table which is quite permissive.
If you were to use this approach it would be best if you use the
grantStream(grantee, ...actions)
function where you can be more restrictive with your permissions.