overexchange

Reputation: 1

Lambda - How to create customer managed policy?

Background:

IAM policies can be created in two ways:


The SAM template below creates an inline policy:

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function 
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
      - Statement:
        - Sid: AccessToS3Policy
          Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectACL
          Resource: 'arn:aws:s3:::some-bucket/*'

in the resultant role, as shown below:

{
  "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA",
  "policies": [
    {
      "document": {
        "Statement": [
          {
            "Action": [
              "s3:GetObject",
              "s3:GetObjectACL"
            ],
            "Resource": "arn:aws:s3:::some-bucket/*",
            "Effect": "Allow",
            "Sid": "AccessToS3Policy"
          }
        ]
      },
      "name": "HelloWorldFunctionRolePolicy0",
      "type": "inline"
    },
    .....
  ]
}

In the case of a Lambda function:

1) How do I create a customer managed policy?

2) How is an inline policy different from a customer managed policy?

Upvotes: 0

Views: 898

Answers (1)

Matus Dubrava

Reputation: 14462

If you are using this syntax in your SAM template

Policies:
  - Statement:
    - Sid: AccessToS3Policy
      Effect: Allow
      Action:
      - s3:GetObject
      - s3:GetObjectACL
      Resource: 'arn:aws:s3:::some-bucket/*'

It will automatically create an inline policy. If you want to create a customer managed policy instead of an inline policy, then you need to define the policy as a separate Resource in your template and reference it in Policies. Or you can create the role outside of the template (e.g. via the AWS console) and reference that policy, in the same way you would reference an AWS managed policy.

How is an inline policy different from a customer managed policy?

I wouldn't really say that an inline policy is the old way of doing things. The only difference between an inline policy and a customer managed policy is that an inline policy cannot be reused (you cannot assign an inline policy to two or more entities). But this can often be handy if you need a specific policy that you are not planning to reuse in the future.

Upvotes: 3
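The "separate Resource, referenced in Policies" approach from the answer above, written out as a complete SAM template. This is an added example, not code from the question, the answer or any AWS project: the resource names `S3ReadOnlyManagedPolicy` and `AuditFunction` are assumed, as is the second function's `audit/` code directory; the bucket name, statement and first function are taken from the question. The policy becomes an `AWS::IAM::ManagedPolicy` resource, and `!Ref` on that resource returns its ARN, which SAM attaches to each function's generated role as a managed policy instead of copying the statement in as an inline policy. The second function exists only to show the reuse that an inline `Statement` cannot give you.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  # Customer managed policy as its own resource (name assumed for this example).
  # It lives independently of any role, so it can be attached to several
  # roles, is versioned by IAM, and shows up as a single resource to audit.
  S3ReadOnlyManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Read objects from some-bucket (customer managed, reusable)
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AccessToS3Policy
            Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectACL
            Resource: 'arn:aws:s3:::some-bucket/*'

  # The function from the question, now attaching the managed policy by ARN.
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
        # A string or intrinsic entry in Policies is treated by SAM as a
        # managed policy ARN and added to the generated role's
        # ManagedPolicyArns; no inline policy is created for it.
        - !Ref S3ReadOnlyManagedPolicy

  # Second function (assumed for this example) reusing the same policy.
  # With an inline Statement the grant would have to be duplicated here.
  AuditFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: audit/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
        - !Ref S3ReadOnlyManagedPolicy
```

After deploying, the difference is visible in the generated role: `aws iam list-attached-role-policies --role-name <generated role name>` lists the customer managed policy under `AttachedPolicies`, while `aws iam list-role-policies --role-name <generated role name>` (which lists inline policies only) no longer shows a `HelloWorldFunctionRolePolicy0` entry for that statement. The trade-off to keep in mind is that a shared managed policy is a single point of change: editing `S3ReadOnlyManagedPolicy` alters the permissions of every role it is attached to at once, which is convenient for consistent least-privilege grants but means a review of that one resource is a review of several functions' access.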
