AWS Lambda and many other AWS services support **resource-based permission policies**. Resource-based policies let you grant usage permission to other AWS services or accounts on a per-resource basis. You also use a resource-based policy to allow an AWS service to invoke your function on your behalf.
When we use the console to build the environment, some resources are automatically created to make it easier for us. It is the opposite when we build it via Terraform/CloudFormation/CDK/SDK or the CLI: every single resource must be defined in the code.
Example AWS Lambda resource-based policy:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "nodejs-apig-functiongetEndpointPermissionProd-BWDBXMPLXE2F",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:111122223333:function:nodejs-apig-function-1G3MXMPLXVXYI",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:execute-api:us-east-2:111122223333:ktyvxmpls1/*/GET/"
        }
      }
    }
  ]
}
The Terraform resource for an AWS Lambda resource-based permission policy is called aws_lambda_permission. So you can check whether this resource exists in the current Terraform code that you use. If not, you can add it and configure it properly.
Example configuration:
resource "aws_api_gateway_rest_api" "MyDemoAPI" {
  name        = "MyDemoAPI"
  description = "This is my API for demonstration purposes"
}

resource "aws_lambda_permission" "lambda_permission" {
  statement_id  = "AllowMyDemoAPIInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "MyDemoFunction"
  principal     = "apigateway.amazonaws.com"

  # The /*/*/* part allows invocation from any stage, method and resource path
  # within the API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.MyDemoAPI.execution_arn}/*/*/*"
}
For more information:
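As an added example (not part of the original answer and not AWS or Terraform code), the following Python builds the same Allow statement that aws_lambda_permission writes into the function's resource-based policy and then evaluates constructed API Gateway source ARNs against it using IAM's documented ArnLike rule (the six colon-delimited ARN components are compared separately, `*` matching any run of characters and `?` one character). It shows which stage/method/path combinations the `/*/*/*` suffix admits compared with the narrower `ktyvxmpls1/*/GET/` pattern in the policy above. The account, region, API ID and function name are the example values from this page; the `arn_like` matcher is a local reimplementation for illustration and makes no AWS calls.

```python
import json
import re

# Example values taken from the policy above; they are not real resources.
REGION = "us-east-2"
ACCOUNT = "111122223333"
API_ID = "ktyvxmpls1"
FUNCTION_NAME = "nodejs-apig-function-1G3MXMPLXVXYI"


def function_arn(name, region=REGION, account=ACCOUNT):
    return f"arn:aws:lambda:{region}:{account}:function:{name}"


def execution_arn(api_id, region=REGION, account=ACCOUNT):
    # Base execution ARN of a REST API; Terraform exposes the same value as
    # aws_api_gateway_rest_api.<name>.execution_arn.
    return f"arn:aws:execute-api:{region}:{account}:{api_id}"


def source_arn(api_id, stage="*", method="*", path="*", region=REGION, account=ACCOUNT):
    # aws:SourceArn shape: <execution arn>/<stage>/<METHOD>/<resource path>.
    # The defaults reproduce the "/*/*/*" suffix from the Terraform example.
    return f"{execution_arn(api_id, region, account)}/{stage}/{method}/{path}"


def invoke_permission_statement(sid, function_name, src_arn, account=ACCOUNT):
    # The statement aws_lambda_permission (or `aws lambda add-permission`) adds:
    # apigateway.amazonaws.com may invoke this one function, but only when the
    # calling API is in our account (SourceAccount) and matches SourceArn.
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn(function_name),
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account},
            "ArnLike": {"aws:SourceArn": src_arn},
        },
    }


def policy_document(statements):
    return {"Version": "2012-10-17", "Id": "default", "Statement": list(statements)}


def arn_like(pattern, arn):
    # IAM ArnLike: compare the six colon-delimited components separately and
    # case-sensitively; '*' matches any run of characters (slashes included,
    # since the resource component is everything after the fifth colon), '?' one.
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, a) is None:
            return False
    return True


def allows_invoke(statement, caller_service, caller_account, caller_source_arn, target_arn):
    # Evaluate one Allow statement against a constructed invocation attempt:
    # principal, action and resource must match, then every condition must hold.
    if statement["Effect"] != "Allow":
        return False
    if statement["Principal"].get("Service") != caller_service:
        return False
    if statement["Action"] != "lambda:InvokeFunction" or statement["Resource"] != target_arn:
        return False
    cond = statement.get("Condition", {})
    wanted_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
    if wanted_account is not None and wanted_account != caller_account:
        return False
    pattern = cond.get("ArnLike", {}).get("aws:SourceArn")
    return pattern is None or arn_like(pattern, caller_source_arn)


def check(statement, stage, method, path, api_id=API_ID, account=ACCOUNT):
    # Convenience wrapper: would API Gateway stage/METHOD/path in `api_id`
    # (owned by `account`) be allowed to invoke the example function?
    return allows_invoke(
        statement,
        "apigateway.amazonaws.com",
        account,
        source_arn(api_id, stage, method, path, account=account),
        function_arn(FUNCTION_NAME),
    )


if __name__ == "__main__":
    broad = invoke_permission_statement("AllowMyDemoAPIInvoke", FUNCTION_NAME, source_arn(API_ID))
    narrow = invoke_permission_statement("GetRootOnly", FUNCTION_NAME, source_arn(API_ID, "*", "GET", ""))
    print(json.dumps(policy_document([broad, narrow]), indent=2))
    for stmt in (broad, narrow):
        for stage, method, path in (("prod", "GET", ""), ("prod", "GET", "pets"), ("dev", "POST", "")):
            print(stmt["Sid"], stage, method, repr(path), "->", check(stmt, stage, method, path))
```

The broad statement is what the Terraform example produces; the narrow one is the `ktyvxmpls1/*/GET/` pattern from the JSON policy, which only admits a GET on the API root and rejects every other method or path. Note that both conditions are ANDed: a matching SourceArn from a different account still fails the StringEquals on aws:SourceAccount.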
Thanks for the detailed answer!
I have tried this approach, and when I used the "/*/*/*" suffix the permissions failed. It told me that there is no such path. Any idea?