Cherry

Reputation: 33618

How apply caller IAM policy to lambda function execution?

Let's say that there is a lambda function that has an IAM policy with access to s3://my-bucket/users/. And this function is invoked by user Bob, who has an IAM policy with access to s3://my-bucket/users/bob. Is there a way to "merge" or apply the policy from the Bob user to the lambda function to restrict access? For example, if Bob passes the folder name Alice, the lambda function fails when it tries to access s3://my-bucket/users/alice.

Any ideas?

Upvotes: 0

Views: 321

Answers (2)

Hammad Akhtar

Reputation: 327

I see this as an authorization problem which requires a custom authorization module.

One way to solve this problem is as follows:

  1. Only AWS Lambda has programmatic access to the S3 bucket s3://my-bucket/users/.
  2. Let's assume that user Bob is authenticated and has an authentication token.
  3. Bob invokes the AWS Lambda with authentication token as part of request along with the S3 file they want to access.
  4. AWS Lambda validates the authentication token.
  5. The application maintains in a database which S3 suffixes of the S3 bucket s3://my-bucket/users/ are fully accessible by a user.
  6. Let's assume Bob can access following suffixes /bob and /admin.
  7. After authentication, AWS Lambda has an authorization library which queries the database for authorized prefixes.
  8. If Bob is trying to access s3://my-bucket/users/bob/personalDetails.json or s3://my-bucket/users/admin/employeeDetails.json, then the request is approved and the record is fetched. The request is approved because Bob is authorized for the /bob and /admin suffixes.
  9. If Bob is trying to access s3://my-bucket/users/alice, then a "user not authorized" error is thrown.

Upvotes: 0
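The authorization flow described in the answer above (steps 3 to 9), as an added example that is not part of the answer or of any AWS library. The token validator, the authorization database and the object fetcher are constructed in-memory stand-ins (`validate_token`, `AUTHZ_DB`, `fetch_object` are assumed names); a deployed function would replace them with a real identity provider, a real data store and `boto3`'s `get_object`. The example goes slightly beyond the answer by normalizing the requested key so that `..` segments and partial folder-name matches (`users/bobby/` when only `users/bob/` is granted) are denied.

```python
"""Added example, not code from the answer above: a Lambda handler that enforces
per-user folder authorization for objects under s3://my-bucket/users/.
All names below marked 'assumed' or 'constructed' are placeholders."""
import json
import posixpath

BUCKET = "my-bucket"
BASE_PREFIX = "users/"

# Constructed stand-ins for the identity provider (token -> user) and the
# authorization database (user -> folders under users/ the user may read).
TOKENS = {"tok-bob": "bob", "tok-alice": "alice"}
AUTHZ_DB = {"bob": ["bob", "admin"], "alice": ["alice"]}


class AuthError(Exception):
    """Raised for any authentication or authorization failure."""


def validate_token(token):
    """Step 4 (assumed stub): map a bearer token to a user id or fail."""
    user = TOKENS.get(token)
    if user is None:
        raise AuthError("invalid token")
    return user


def authorized_prefixes(user):
    """Step 7: folders the user may read, each ending in '/' so that the
    later prefix check only matches whole path segments."""
    return [f"{BASE_PREFIX}{folder.strip('/')}/" for folder in AUTHZ_DB.get(user, [])]


def normalize_key(requested):
    """Collapse '.'/'..' segments and confine the key to the users/ area.
    Without this, 'users/bob/../alice/x' would pass a naive prefix check."""
    key = posixpath.normpath(requested.lstrip("/"))
    if key.startswith("..") or not key.startswith(BASE_PREFIX):
        raise AuthError("key outside users/ area")
    return key


def is_authorized(user, requested_key):
    """Steps 8 and 9: allow only keys inside one of the user's folders.
    Because every prefix ends in '/', 'users/bob/' never matches 'users/bobby/x'."""
    key = normalize_key(requested_key)
    return any(key.startswith(prefix) for prefix in authorized_prefixes(user))


def handler(event, context=None, fetch_object=None):
    """Lambda entry point. `fetch_object(bucket, key)` is injectable so the
    example runs offline; a real function would wrap boto3's s3.get_object."""
    try:
        user = validate_token(event.get("token", ""))
        key = normalize_key(event.get("key", ""))
        if not is_authorized(user, key):
            raise AuthError(f"user {user} is not authorized for {key}")
    except AuthError as exc:
        # Step 9: deny with a 'user not authorized' style error, no object read.
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    body = fetch_object(BUCKET, key) if fetch_object else ""
    return {"statusCode": 200, "body": body}


if __name__ == "__main__":
    fake_fetch = lambda bucket, key: f"<contents of s3://{bucket}/{key}>"
    for key in ("users/bob/personalDetails.json",
                "users/admin/employeeDetails.json",
                "users/alice/profile.json",
                "users/bob/../alice/profile.json",
                "users/bobby/profile.json"):
        print(key, "->", handler({"token": "tok-bob", "key": key}, fetch_object=fake_fetch))
```

Bob's token is accepted for keys under `users/bob/` and `users/admin/`; the key under `users/alice/` is denied, and so are the traversal and `bobby` variants. Note that this authorization lives entirely in application code: the function's IAM role still has access to the whole `users/` folder, which is exactly the point the other answer makes.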

John Rotenstein

Reputation: 270104

No.

The Lambda function will run with permissions from the IAM Role that is associated with the function itself, regardless of who or what triggered the function.

One option would be for Bob to pass a set of credentials to the function when it is invoked (as parameters that will come through to the function in the event), and then have the Lambda function use those credentials. However, this is a highly unusual thing to do.

Upvotes: 1
