I am trying to invoke a lambda from another, following the example from this answer:
Nodejs - Invoke an AWS.Lambda function from within another lambda function
The answer says that both lambda functions should have AWSLambdaExecute and AWSLambdaBasicExecutionRole permissions.
Using Serverless, how can I add these 2 roles to a CloudFormation template in serverless.yml?
Upvotes: 1
According to the Serverless IAM documentation:
By default, one IAM Role is shared by all of the Lambda functions in your service. An IAM Policy is also created and is attached to that Role. Also by default, your Lambda functions have permission to create and write to CloudWatch logs, and if you have specified VPC security groups and subnets for your Functions to use then the EC2 rights necessary to attach to the VPC via an ENI will be added into the default IAM Policy.
To add specific rights to this service-wide Role, define statements in provider.iamRoleStatements which will be merged into the generated policy.
To invoke a Lambda function from another function, you just need to add the "lambda:InvokeFunction" action to the existing IAM permissions Serverless already provides. So an example serverless.yml service should have an iamRoleStatements section that looks like this:

    service: new-service

    provider:
      name: aws
      iamRoleStatements:
        - Effect: "Allow"
          Action:
            - "lambda:InvokeFunction"
          Resource:
            - "*"

In reference to the other answer cited: AWSLambdaBasicExecutionRole managed policy is already covered by the default Serverless policy; AWSLambdaExecute is the incorrect name for the managed policy required (that one only provides S3 get/put access, not InvokeFunction); the answer probably meant AWSLambdaRole, which provides the "lambda:InvokeFunction" permission.
Upvotes: 1
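
A narrower variant of the statement in the answer above, added here as an example and not part of the original answer: it grants "lambda:InvokeFunction" on one function's ARN instead of "*". The function keys `caller` and `callee`, the handler paths, the `CALLEE_NAME` variable, the stage and the region are assumptions made for illustration.

```yaml
# Added example; names, stage and region below are illustrative assumptions.
service: new-service

provider:
  name: aws
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "lambda:InvokeFunction"
      Resource:
        # Only the callee's ARN instead of "*". Serverless names deployed
        # functions <service>-<stage>-<function key> by default.
        # The ARN is built from that name rather than Fn::GetAtt on the
        # function: the functions already depend on this shared role, so a
        # GetAtt here would create a circular dependency in the stack.
        - Fn::Join:
            - ":"
            - - "arn:aws:lambda"   # "aws" partition assumed
              - Ref: "AWS::Region"
              - Ref: "AWS::AccountId"
              - "function"
              - "${self:service}-${opt:stage, self:provider.stage}-callee"

functions:
  caller:
    handler: caller.handler   # hypothetical handler path
    environment:
      # Passed to the caller so it does not hard-code the target name
      CALLEE_NAME: "${self:service}-${opt:stage, self:provider.stage}-callee"
  callee:
    handler: callee.handler   # hypothetical handler path
```

Because the role is shared by every function in the service, this statement applies to all of them, but the only function any of them can invoke is `callee`.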