Add dynamo db access permission to lambda function in cdk
0
I have a lambda function which write data to and read data from dynamo db. I want to add resource based policy to lambda function. But I couldn't find any relevant method in the cdk. Though I found function.addPermission method, it provides permissions to other AWS services to invoke this lambda.
asked 15 days ago43 views
2 Answers
1
Accepted Answer
For this you can use the add_role_to_policy function:
from aws_cdk import aws_lambda as _lambda
from aws_cdk.aws_lambda_python import PythonFunction
from aws_cdk import aws_iam as iam
my_function = PythonFunction(
#function logic
)
my_function.add_to_role_policy(iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
'dynamodb:GetItem',
],
resources=[
'TABLE_ARN',
],
))
The above policy uses Python and grants the Lambda GetItem permissions on the DynamoDB table which ARN you provide.
More info can be found here
answered 14 days ago
1
In general, it is recommended to use the grant function rather than granting permission directly from the cdk. for example,
const lambdaFunc = new lambda.Function(....); const ddbTable = new ddb.Table(...); ddbTable.grantReadData(lambdaFunc); ddbTable.grantReadWriteData(lambdaFunc);
answered 13 days ago
Relevant questions
Can lambda know the specific attribute which changed in the dynamo db table update, when a lambda is triggered by dynamo db table update item??
asked 4 months agoError connecting to Aurora PostgreSQL dB in .NET Core Lambda function.
asked 4 months agoHow to add python libraries to lambda using the CDK?
Accepted Answerasked 2 years agoHow to export environment variables from a Lambda function.
asked 2 months agoScheduling local lambda function
asked a year agoDeploy Lambda Function and API Gateway REST
asked 5 months agoUsing AWS Lambda to run Python script, how can I save data?
Accepted Answerasked 3 years ago403 creating java lambda function
asked 5 months agoAdd dynamo db access permission to lambda function in cdk
Accepted Answerasked 15 days agoLambda to Dynamo Write: Intermittently missing batch data
asked 2 months ago
Where is this recommended? It seems its not as granular as adding a policy to the function where you can refine the permission policy to API/Resource? Instead, your example allows all API's against the table which is quite permissive.
If you were to use this approach it would be best if you use the
grantStream(grantee, ...actions)function where you can be more restrictive with your permissions.