
Lambda Alias in Role Policy


Is there a way to design a Lambda execution role policy that restricts access by using the Lambda alias name? For example, I want to have an alias "Prod", and only executions of the function with that alias would have permission to write to a particular bucket. I tried using the new lambda:SourceFunctionArn condition, but it does not seem to include the alias, or I am not using it correctly. In the example below I am trying to allow all variants of my function to write into my-bucket-test, but only the Prod alias to write to my-bucket-data. Is there a way to achieve this?

{
	"Version": "2012-10-17",
	"Statement": [{
			"Sid": "Logging",
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:CreateLogStream",
				"logs:PutLogEvents"
			],
			"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambda_*"
		},
		{
			"Sid": "S3",
			"Effect": "Allow",
			"Action": "s3:PutObject",
			"Resource": [
				"arn:aws:s3:::my-bucket-test/*"
			]
		},
		{
			"Sid": "S3Prod",
			"Effect": "Allow",
			"Action": "s3:PutObject",
			"Resource": "arn:aws:s3:::my-bucket-data/*",
			"Condition": {
				"StringLike": {
					"lambda:SourceFunctionArn": "*Prod"
				}
			}
		}
	]
}

Thanks, Alex

1 Answer

I don't think that condition is available in that context.

As an alternative, could you tag (environment=prod) the role that is assigned to the Lambda functions with the Prod alias? Then use "aws:PrincipalTag" to control access to the operation/object.

     {
          "Sid": "S3Prod",
          "Effect": "Allow",
          "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::my-bucket-data/*",
          "Condition": {
               "StringEquals": { "aws:PrincipalTag/environment": "prod" }
          }
     }
AWS
EXPERT
answered 3 years ago
  • I think the condition is available because access is granted if I do something like

    "StringLike": {"lambda:SourceFunctionArn": "*MyLambda*"}

    It does match, but it seems to me that lambda:SourceFunctionArn is literally the function ARN without any version/alias suffixed to it...

    I was looking at the tags as well, but the tags are only applied at the un-aliased function, and there doesn't seem to be a way to add a tag to a function alias - at least I don't see it in the console.

  • Yes, and aliases/version don't have their own role, sorry. Have you tried this: "lambda:SourceFunctionArn": ":Prod"? Or "lambda:SourceFunctionArn": ":<function-name>:Prod"?
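An added example, not code from the question or the answer: a small model of IAM's StringLike and StringEquals condition semantics, used to check the patterns discussed in this thread. It assumes, as the commenter observed, that lambda:SourceFunctionArn may carry the unqualified function ARN; the ARN, account id and region are constructed placeholders, and the real key contents should be confirmed with the IAM policy simulator or CloudTrail rather than with this model.

```python
import re

def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character.
    A pattern with no wildcard behaves like StringEquals (exact match)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

OPERATORS = {
    "StringLike": iam_string_like,
    "StringEquals": lambda pattern, value: pattern == value,
}

def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against request-context keys. Every operator/key
    pair must pass; a key absent from the context fails (no ...IfExists modelled)."""
    for operator, pairs in condition.items():
        test = OPERATORS[operator]
        for key, patterns in pairs.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = context.get(key)
            if value is None or not any(test(p, value) for p in patterns):
                return False
    return True

# Constructed sample ARN: region, account id and function name are placeholders.
UNQUALIFIED_ARN = "arn:aws:lambda:us-east-1:123456789012:function:MyLambda"

def source_arn_outcomes(pattern: str) -> dict:
    """The question's S3Prod condition with the given pattern, evaluated against the
    unqualified function ARN (what the commenter observed) and an alias-qualified
    ARN (what the question expected). Returns {variant: allowed}."""
    cond = {"StringLike": {"lambda:SourceFunctionArn": pattern}}
    return {
        "unqualified": condition_matches(cond, {"lambda:SourceFunctionArn": UNQUALIFIED_ARN}),
        "alias_qualified": condition_matches(cond, {"lambda:SourceFunctionArn": UNQUALIFIED_ARN + ":Prod"}),
    }

def tag_outcome(role_tags: dict) -> bool:
    """The answer's alternative: aws:PrincipalTag/environment must equal 'prod'.
    role_tags models the tags on the execution role, which every alias shares."""
    context = {f"aws:PrincipalTag/{k}": v for k, v in role_tags.items()}
    return condition_matches({"StringEquals": {"aws:PrincipalTag/environment": "prod"}}, context)

if __name__ == "__main__":
    for p in ["*Prod", "*MyLambda*", ":Prod", ":MyLambda:Prod"]:
        print(f"{p!r:18} -> {source_arn_outcomes(p)}")
    print("role tagged environment=prod ->", tag_outcome({"environment": "prod"}))
```

Because the role is shared by every version and alias, the tag approach grants the Prod permission to all of them; it separates environments only when each environment's function uses its own tagged role.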
