How do I give permissions to my Lambda functions by using policies and roles in AWS SAM templates?

Last updated: 2020-10-12

I want to give permissions to AWS Lambda functions in my AWS Serverless Application Model (AWS SAM) application. How do I set a Lambda execution role with scoped permissions in my AWS SAM templates?

Short description

In your AWS SAM templates, use an AWS::Serverless::Function resource's Policies or Role property, along with PermissionsBoundary, to define a Lambda execution role and its permissions.

Note: AWS SAM templates are similar to AWS CloudFormation templates. Any resource that you can declare in an AWS CloudFormation template can also be declared in an AWS SAM template. For more information, see AWS SAM template anatomy.

Use Policies to create a new execution role with permissions that are uniquely scoped to your Lambda function. Optionally, you can also use PermissionsBoundary to set an AWS Identity and Access Management (IAM) permissions boundary for the newly created role.

If your use case requires an execution role with permissions that are too specific to use predefined policies, then use Roles instead.

Note: The Policies and Roles properties can't be used together.

Resolution

Specify policies for a new Lambda execution role

For the Policies property, enter any combination of the following:

The name of an AWS managed policy
The name of an AWS SAM policy template
An inline policy document

Note: AWS SAM policy templates are scoped to certain AWS resources. See Policy template table for a list of policy templates and the permissions that they give to your Lambda functions.

Here are some example AWS SAM YAML templates with Policies defined:

Example with an AWS managed policy named:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31' b
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
      # Give DynamoDB Full Access to your Lambda Function
      - AmazonDynamoDBFullAccess

Example with an AWS SAM policy template (SQSPollerPolicy) defined:

MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName:
            !GetAtt MyQueue.QueueName

Example with an inline policy document:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
      - Statement:
        - Sid: SSMDescribeParametersPolicy
          Effect: Allow
          Action:
          - ssm:DescribeParameters
          Resource: '*'
        - Sid: SSMGetParameterPolicy
          Effect: Allow
          Action:
          - ssm:GetParameters
          - ssm:GetParameter
          Resource: '*'

(Optional) Specify an IAM permissions boundary

If you want to set the maximum permissions allowed for your Lambda function's execution role, use an IAM permissions boundary. In your AWS SAM YAML template, for the PermissionsBoundary property, enter the Amazon Resource Name (ARN) of a permissions boundary. For example:

Properties:
      PermissionsBoundary: arn:aws:iam::123456789012:policy/LambdaBoundaries

Note: You can define PermissionsBoundary only if you're creating a new role with your AWS SAM template. You can't set a permissions boundary for an existing Role that you specify.

Specify a Lambda execution role

For the Role property, enter either of the following:

The ARN of a Lambda execution role that has an IAM permissions policy attached.
A reference to a Role resource that you've defined in the same AWS SAM template.

Note: If you don't specify a Role in your AWS SAM template, then an execution role with any Policies that you define is created when you deploy your application.

Here's an example AWS SAM YAML template with Role defined:

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources: 
  MyFunction:
    Type: 'AWS::Serverless::Function' 
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip' 
      Role: arn:aws:iam::111111111111:role/SAMPolicy

Package and deploy your application

After defining Lambda function permissions in your AWS SAM template, do the following:

In the AWS SAM command line interface (AWS SAM CLI), use the sam build command to build and package your application.
Note: If you receive errors when running the AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Use the sam deploy command to deploy your AWS SAM application package.

For more information, see Building applications and Deploying serverless applications.

Related information

Getting started with AWS SAM

AWS Serverless Application Model (AWS SAM) (AWS SAM GitHub repo)

Policy templates (AWS SAM GitHub repo)

Managed policies and inline policies

Validating AWS SAM template files

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support