We have a micro-service architecture. Each micro-service consists of more than 10 Lambda functions.
In some of the Lambda functions we want to use the AWS SDK to access several AWS services, such as,
There are several ways to do so, as suggested in some articles:
- Create one IAM role per service (it would have access to a specific service only, e.g. S3)
- Create a separate IAM role per Lambda with the specific access needed
- Create an IAM user and permanent access via secret/access keys, with specific access per service
We have approximately 500+ Lambda functions in our application. We need assistance/suggestions to identify the best way to access AWS services from Lambda, considering security and other impacting factors like performance.
Not every Lambda requires this access, only a few specific ones. But that number is definitely more than 50.
So, creating separate roles/access keys/secret keys would have a few challenges, like:
- We need access to more than one service in some of the Lambda functions (e.g. S3 and/or SQS and/or SES etc.), so for each combination we might have to create a separate IAM user/role
- We cannot modify the access policy of an existing IAM user/role, because that would also grant the same access to other Lambdas that use the same IAM role/user to access a specific service
So, what would be the best approach to access AWS services for our use case? Also, please suggest if there is another way to do so.
Thanks in advance!!
Thanks for your reply.
Yes, we have multiple SQS queues and S3 buckets etc. in our application, and we need to access them from Lambda functions.
If we consider the least privilege principle and create an IAM role per function, then we will not be able to reuse the existing role created for the same access in another Lambda function. For example, we have Lambda A and Lambda B. For Lambda A we provide access to SQS push and S3 read using a separate, function-specific role. Lambda B also requires the same access (SQS push and S3 read) to the same queue and bucket. Then, will we be able to use the role created for Lambda A for Lambda B? Or would it be fine to create different roles for both Lambdas with the same kind of access permissions?
Regarding infrastructure as code, we use CloudFormation, which I forgot to mention in my question details.
Even though both functions need the same permissions TODAY, things can change in the future. I would still recommend using one role per function.
If you make sure to create the roles in the same stack in which you create your functions, it makes management of the roles easier. Also, if you use the Serverless Application Model (SAM) instead of using CloudFormation directly, you can define the role as part of the function definition itself.
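Added example, not part of the answer above or of any AWS-provided code: a SAM template showing the one-role-per-function layout described, where SAM generates a dedicated execution role for each `AWS::Serverless::Function` from its `Policies` list. Lambda A and Lambda B need the same S3 read and SQS send access today but still get separate roles, so widening one later does not widen the other; Lambda C shows an inline statement for a service without a SAM policy template. Bucket, queue, SES identity, runtime and code paths are placeholder assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Added example: one execution role per function, each scoped to the
  specific bucket/queue it touches. All names below are placeholders.

Parameters:
  OrdersBucketName:
    Type: String
    Default: example-orders-bucket   # placeholder bucket name
  OrdersQueueName:
    Type: String
    Default: example-orders-queue    # placeholder queue name

Resources:
  # Lambda A: reads objects from the bucket and pushes messages to the queue.
  # SAM creates a role used only by this function (logical id LambdaAFunctionRole)
  # and attaches AWSLambdaBasicExecutionRole for CloudWatch Logs automatically.
  LambdaAFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda_a/            # placeholder code path
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref OrdersBucketName
        - SQSSendMessagePolicy:
            QueueName: !Ref OrdersQueueName

  # Lambda B: needs exactly the same access as A today. It still gets its own
  # role, so a future change to B's permissions never affects A.
  LambdaBFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda_b/            # placeholder code path
      Policies:
        - S3ReadPolicy:
            BucketName: !Ref OrdersBucketName
        - SQSSendMessagePolicy:
            QueueName: !Ref OrdersQueueName

  # Lambda C: only sends mail via SES. No SAM policy template fits, so an
  # inline policy document is used; Resource is narrowed to one verified identity.
  LambdaCFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda_c/            # placeholder code path
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ses:SendEmail
                - ses:SendRawEmail
              # placeholder SES identity ARN
              Resource: !Sub arn:aws:ses:${AWS::Region}:${AWS::AccountId}:identity/example.com
```

Because the roles are generated inside the same stack as the functions, `sam deploy` creates and deletes them together, and a permission change is a one-line edit under the function that needs it rather than a shared role review.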
Thanks for your valuable response in helping us identify the best approach for our use case.