Reputation: 189
How to add a resource based policy to a lambda using AWS SAM
I want to create a deployment script for some lambda functions using AWS SAM. Two of those functions will be deployed into one account(account A) but will be triggered by an s3 bucket object creation event in a second account(account B). From what I know the only way to do this is by using adding a resource based policy to my lambda. But I don't know how to do that in AWS SAM. My current yaml file looks like this.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
deploy-test-s3-triggered-lambda
Parameters:
AppBucketName:
Type: String
Description: "REQUIRED: Unique S3 bucket name to use for the app."
Resources:
S3TriggeredLambda:
Type: AWS::Serverless::Function
Properties:
Role: arn:aws:iam::************:role/lambda-s3-role
Handler: src/handlers/s3-triggered-lambda.invokeAPI
CodeUri: src/handlers/s3-triggered-lambda.js.zip
Runtime: nodejs10.x
MemorySize: 128
Timeout: 60
Policies:
S3ReadPolicy:
BucketName: !Ref AppBucketName
Events:
S3NewObjectEvent:
Type: S3
Properties:
Bucket: !Ref AppBucket
Events: s3:ObjectCreated:*
AppBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref AppBucketName
What do I need to add to this yaml file in order to tie a resource based policy that allows for cross account access to my lambda function?
Upvotes: 6
Views: 4159
Answers (4)
Reputation: 21
This can be done within the template.yaml file by adding a AWS::Lambda::Permission resource. Mirroring the example in the accepted answer:
Resources:
...
CrossAccountInvocationPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: FunctionName
Principal: arn:aws:iam::111111111111:role/rolename
Upvotes: 2
Reputation: 6340
This can be done achieved with the help of AWS::Lambda::Permission using aws_cdk.aws_lambda.CfnPermission.
For example, to allow your lambda to be called from a role in another account, add the following to your CDK:
from aws_cdk import aws_lambda
aws_lambda.CfnPermission(
scope,
"CrossAccountInvocationPermission",
action="lambda:InvokeFunction",
function_name="FunctionName",
principal="arn:aws:iam::111111111111:role/rolename",
)
Upvotes: 0
Reputation: 1
Don't think cross account s3 event is possible with SAM, may need to go back to CFN.
Upvotes: -1
Reputation: 6246
If your bucket and your Lambda function exist in separate accounts I don't know if it's possible to modify both of them from SAM / a single CloudFormation template.
Upvotes: 0
Related Questions
- How can i add more policies to my Lambda if there is a Statement?
- How can I provide resource-based policy in my lambda via serverles.yml?
- AWS SAM - Apply policy template for a resource created conditionally
- How to add Policies to AWS Lambda function using the .yaml file?
- How to add a resource based policy to a Lambda function created using AWS SAM via AWS CDK?
- How to provide Lambda S3 policy via AWS SAM
- Add inline policy to aws SAM template
- How can a policy be assigned to AWS resource?
- Not able to add policies in SAM template
- How to write a policy in .yaml for a python lambda to read from S3 using the aws sam cli