What's the difference between Lambda function execution role permissions and invocation permissions?

3 minute read

I want to understand the differences between AWS Lambda function execution role permissions and invocation permissions. How are the two types of AWS Identity and Access Management (IAM) permissions for Lambda different?


Important: When you create IAM policies, it's a best practice to grant only the permissions required to perform a specific task. For more information, see Grant least privilege in the IAM User Guide.

Lambda function execution role permissions

Lambda execution role permissions are IAM permissions that grant a Lambda function permission to access specific AWS Cloud services and resources. If you don't grant your function execution role permissions for an AWS Cloud service or resource, then the function can't access that service or resource.

Important: For Lambda functions that poll other AWS Cloud services, execution role permissions that allow the function to retrieve records from those services are required.

How execution role permissions are granted

Lambda execution role permissions are given in the form of specific API action identifiers (for example, s3:GetObject). These action identifiers are listed in the Action element of an IAM policy statement. The policy is then attached to an IAM role called an execution role that your Lambda function assumes whenever it's invoked.

For services that generate a queue or data stream, you must configure an event source mapping to have Lambda poll the queue or data stream. An event source mapping uses permissions in the function's execution role to read and manage items in the event source.

Note: Permissions, event structure, settings, and polling behavior vary by event source. For an example IAM policy that includes Lambda polling permissions, see IAM policy to allow an AWS Lambda function to access DynamoDB stream records.

Lambda function invocation permissions

Lambda function invocation permissions are IAM permissions that grant a specific AWS Cloud service or resource permission to invoke a Lambda function. If you don't grant a service or resource invocation permissions for your Lambda function, that service or resource can't invoke your function.

Important: For Lambda function's that are invoked by AWS Cloud services that push event sources to the function, invocation permissions are required.

How invocation permissions are granted

Lambda invocation permissions are given in the form of a specific API action identifier: lambda:InvokeFunction. This action identifier is listed in the Action element of a Lambda function's IAM resource-based policy statement. A Lambda function's resource-based policy is configured separately from the function's execution role.

Note: This is a special case where the action identifier (lambda:InvokeFunction) is different than the API operation (Invoke). For other actions, the action identifier is the operation name prefixed by lambda:.

When you use the Lambda console to add a trigger to your function, the required invocation permissions are added to the function's resource-based policy automatically. To grant permissions to accounts or services that aren't available in the console, you must use the Lambda AddPermission API action.

For more information, see Granting function access to AWS services.

Related information

AWS Lambda permissions

Applying the principles of least privilege (Lambda Operator Guide)

AWS OFFICIALUpdated a year ago