Reputation: 443
Variable in AWS IAM role to grant permissions to Lambda function
I am trying to figure out if it is possible to design an AWS IAM role that would dynamically grant permission to resource based on the name of the calling resource. For example I currently have a role that grants a Lambda function permission to create and write CloudWatch logs, which looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CWLog",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambdaFunction*"
}
}
I am wondering if there is a way to substitute the string MyLambdaFunction for the name of the calling Lambda function using some ${aws:NameOfTheLambdaFunction} variable, so that I can have a generic policy allowing functions to write only to their specific CW log groups that I can attach to different Lambda roles - with the resource statement looking like: "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/${aws:NameOfTheLambdaFunction}*"
Is something like this possible?
Upvotes: 0
Views: 617
Answers (1)
Reputation: 23602
You're referring to an IAM policy variable which provides you the name of the calling Lambda function.
Unfortunately, this policy variable does not currently exist and so this isn't possible.
Upvotes: 1
Related Questions
- AWS lambda set function access policy programmatically
- How to make a role assumable by given lambda function?
- How to grant full access to just one Lambda function
- Policy to allow lambda:InvokeFunction to an IAM Assumed Role
- How to wildcard aws lambda function permission in resource
- Permission for IAM user to create lambda function
- Cross account role for an AWS Lambda function
- Running an AWS Lambda function Under Different IAM Roles
- The proper AWS managed policy to attach an IAM Role to execute Lambda Functions
- IAM Roles Assume Role Permission