How do I give permissions to my Lambda functions by using policies and roles in AWS SAM templates?
Last updated: 2020-10-12
I want to give permissions to AWS Lambda functions in my AWS Serverless Application Model (AWS SAM) application. How do I set a Lambda execution role with scoped permissions in my AWS SAM templates?
Short description
In your AWS SAM templates, use an AWS::Serverless::Function resource's Policies or Role property, along with PermissionsBoundary, to define a Lambda execution role and its permissions.
Note: AWS SAM templates are similar to AWS CloudFormation templates. Any resource that you can declare in an AWS CloudFormation template can also be declared in an AWS SAM template. For more information, see AWS SAM template anatomy.
Use Policies to create a new execution role with permissions that are uniquely scoped to your Lambda function. Optionally, you can also use PermissionsBoundary to set an AWS Identity and Access Management (IAM) permissions boundary for the newly created role.
If your use case requires an execution role with permissions that are too specific to use predefined policies, then use Role instead.
Note: The Policies and Role properties can't be used together.
Resolution
Specify policies for a new Lambda execution role
For the Policies property, enter any combination of the following:
- The name of an AWS managed policy
- The name of an AWS SAM policy template
- An inline policy document
Note: AWS SAM policy templates are scoped to certain AWS resources. See Policy template table for a list of policy templates and the permissions that they give to your Lambda functions.
Here are some example AWS SAM YAML templates with Policies defined:
Example with an AWS managed policy:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        # Give DynamoDB Full Access to your Lambda Function
        - AmazonDynamoDBFullAccess
Example with an AWS SAM policy template (resource fragment; MyQueue is an AWS::SQS::Queue defined elsewhere in the same template):
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName:
            !GetAtt MyQueue.QueueName
Example with an inline policy document:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
                - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
                - ssm:GetParameters
                - ssm:GetParameter
              Resource: '*'
(Optional) Specify an IAM permissions boundary
If you want to set the maximum permissions allowed for your Lambda function's execution role, use an IAM permissions boundary. A boundary only caps what the role's policies can grant; it doesn't grant any permissions by itself. In your AWS SAM YAML template, for the PermissionsBoundary property, enter the Amazon Resource Name (ARN) of a permissions boundary. For example:
Properties:
  PermissionsBoundary: arn:aws:iam::123456789012:policy/LambdaBoundaries
Note: You can define PermissionsBoundary only if you're creating a new role with your AWS SAM template. You can't set a permissions boundary for an existing Role that you specify.
Specify a Lambda execution role
For the Role property, enter either of the following:
- The ARN of a Lambda execution role that has an IAM permissions policy attached.
- A reference to a Role resource that you've defined in the same AWS SAM template.
Note: If you don't specify a Role in your AWS SAM template, then an execution role with any Policies that you define is created when you deploy your application.
Here's an example AWS SAM YAML template with Role defined:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Role: arn:aws:iam::111111111111:role/SAMPolicy
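The following is an added example and not part of the original article or of AWS SAM itself. It puts the three patterns above (Policies with a managed policy and inline statements, Policies with PermissionsBoundary, and Role) side by side in one constructed template and runs a small review over them: it flags FullAccess managed policies, Allow statements on Resource '*' for actions that support resource-level permissions, a generated role with no permissions boundary, and a PermissionsBoundary that cannot take effect because an existing Role is supplied. The template is written in JSON (which SAM also accepts) so the script needs only the standard library; the account id, region, bucket, parameter path, the nodejs18.x runtime, the MyQueue resource and the WILDCARD_ONLY_ACTIONS list are assumptions for the example.

```python
import json

# Constructed SAM template in JSON form (SAM accepts JSON as well as YAML). The
# account id, region, bucket and parameter path are placeholders. LooseFunction
# mirrors the article's examples (FullAccess managed policy, inline statements on
# Resource "*", no boundary); ScopedFunction is the tightened version;
# ExistingRoleFunction carries a boundary that has no effect alongside Role.
TEMPLATE = json.loads(r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "MyQueue": {"Type": "AWS::SQS::Queue"},
    "LooseFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler", "Runtime": "nodejs18.x",
        "CodeUri": "s3://my-bucket/function.zip",
        "Policies": [
          "AmazonDynamoDBFullAccess",
          {"Statement": [
            {"Sid": "SSMDescribeParametersPolicy", "Effect": "Allow",
             "Action": ["ssm:DescribeParameters"], "Resource": "*"},
            {"Sid": "SSMGetParameterPolicy", "Effect": "Allow",
             "Action": ["ssm:GetParameters", "ssm:GetParameter"], "Resource": "*"}
          ]}
        ]
      }
    },
    "ScopedFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler", "Runtime": "nodejs18.x",
        "CodeUri": "s3://my-bucket/function.zip",
        "PermissionsBoundary": "arn:aws:iam::123456789012:policy/LambdaBoundaries",
        "Policies": [
          {"SQSPollerPolicy": {"QueueName": {"Fn::GetAtt": ["MyQueue", "QueueName"]}}},
          {"Statement": [
            {"Sid": "SSMDescribeParametersPolicy", "Effect": "Allow",
             "Action": ["ssm:DescribeParameters"], "Resource": "*"},
            {"Sid": "SSMGetParameterPolicy", "Effect": "Allow",
             "Action": ["ssm:GetParameters", "ssm:GetParameter"],
             "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myapp/*"}
          ]}
        ]
      }
    },
    "ExistingRoleFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler", "Runtime": "nodejs18.x",
        "CodeUri": "s3://my-bucket/function.zip",
        "Role": "arn:aws:iam::123456789012:role/SAMPolicy",
        "PermissionsBoundary": "arn:aws:iam::123456789012:policy/LambdaBoundaries"
      }
    }
  }
}
''')

# Actions that do not support resource-level permissions, so Resource "*" is the
# only valid value and is not flagged. Assumed allowlist; extend it for your account.
WILDCARD_ONLY_ACTIONS = {"ssm:DescribeParameters"}


def as_list(value):
    """IAM allows Action, Resource and Statement to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_function(props):
    """Return human-readable findings for one AWS::Serverless::Function's Properties."""
    findings = []
    policies, role, boundary = props.get("Policies"), props.get("Role"), props.get("PermissionsBoundary")
    if policies is not None and role is not None:
        findings.append("Policies and Role are mutually exclusive")
    if role is not None and boundary is not None:
        findings.append("PermissionsBoundary has no effect when an existing Role is supplied")
    if role is None and boundary is None:
        findings.append("generated execution role has no PermissionsBoundary")
    for entry in as_list(policies):
        if isinstance(entry, str):  # AWS managed policy name or parameterless SAM template
            if entry.endswith("FullAccess"):
                findings.append(f"broad AWS managed policy {entry}")
            continue
        for stmt in as_list(entry.get("Statement")):  # SAM policy templates have no Statement
            if stmt.get("Effect") != "Allow":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            scoped = [a for a in as_list(stmt.get("Action")) if a not in WILDCARD_ONLY_ACTIONS]
            if "*" in as_list(stmt.get("Resource")) and scoped:
                findings.append(f"statement {sid} allows {scoped} on Resource '*'")
    return findings


def audit_template(template):
    """Map each serverless function's logical id to its findings (empty list = clean)."""
    return {name: audit_function(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::Serverless::Function"}


if __name__ == "__main__":
    for name, findings in audit_template(TEMPLATE).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Running the script reports three findings for LooseFunction, none for ScopedFunction, and one for ExistingRoleFunction. The SSMDescribeParametersPolicy statement stays on Resource '*' in both functions because that action takes no resource ARN, which is why the allowlist exists; the point of the scoped version is that the parameter reads are limited to one path and the whole role is capped by the boundary.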
Package and deploy your application
After defining Lambda function permissions in your AWS SAM template, do the following:
- In the AWS SAM command line interface (AWS SAM CLI), use the sam build command to build and package your application.
Note: If you receive errors when running the AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.
- Use the sam deploy command to deploy your AWS SAM application package.
For more information, see Building applications and Deploying serverless applications.
Related information
AWS Serverless Application Model (AWS SAM) (AWS SAM GitHub repo)
Policy templates (AWS SAM GitHub repo)