How can I use resource-based policies with AWS Lambda to grant permission to AWS services?

Last updated: 2021-09-27

I want to use resource-based policies for AWS Lambda to grant permission to AWS services.

Short description

You can use the AWS Command Line Interface (AWS CLI) with Lambda to grant permission to AWS services using resource-based policies. For more information, see Using resource-based policies for AWS Lambda.

Resolution

The following example adds permission for an Amazon CloudWatch event to invoke a Lambda function, and then validates that the function's resource-based policy contains that permission.

Note:

Confirm that the Lambda function doesn't have a resource policy configured

Some AWS services like CloudWatch create a resource-based policy for the Lambda function. Before adding permissions, verify that the function's resource-based policy doesn't already grant permission to the CloudWatch event by running the AWS CLI command get-policy similar to the following:

aws lambda get-policy --region your-region --function-name your-function

An error occurred (ResourceNotFoundException) when calling the GetPolicy operation: The resource you requested does not exist.

This error confirms that the Lambda function doesn't have a resource-based policy configured.

Add permissions for the CloudWatch event

Run the AWS CLI command add-permission to allow the CloudWatch event to invoke the Lambda function, similar to the following:

aws lambda add-permission --region your-region --function-name your-function --statement-id "your-event-permission" --action "lambda:InvokeFunction" --principal "events.amazonaws.com" --source-arn "arn:aws:events:your-region:xxxxxxxxxxxxx:rule/your-event"

{
    "Statement": "{\"Sid\":\"your-event-permission\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"events.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:your-region:xxxxxxxxxxxxx:function:your-function\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:events:your-region:xxxxxxxxxxxxx:rule/your-event\"}}}"
}

Verify permissions for the Lambda function resource-based policy

Run the AWS CLI command get-policy again similar to the following:

aws lambda get-policy --region your-region --function-name your-function

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "your-event-permission",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:your-region:xxxxxxxxxxxxx:function:your-function",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:your-region:xxxxxxxxxxxxx:rule/your-event"
        }
      }
    }
  ]
}

(Optional) Remove permission from a Lambda function resource-based policy

If you no longer need an AWS service to trigger the Lambda function, you can run the AWS CLI command remove-permission similar to the following:

aws lambda remove-permission --region your-region --function-name your-function --statement-id "your-event-permission"

Note: The Lambda function resource-based policy quota is 20 KB. For more information, see Lambda quotas.
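Added example, not from this article: a small Python audit of get-policy output. It assumes the get-policy response carries the policy document as a JSON string in a "Policy" field (the article shows it already decoded), and it uses a constructed sample policy containing the statement the article adds plus a constructed statement with no source condition. A service-principal grant without an AWS:SourceArn or AWS:SourceAccount condition lets that service invoke the function on behalf of resources in any account, which is why the add-permission command above pins --source-arn.

```python
import json
# Lambda resource-based policy quota from the article (20 KB).
POLICY_QUOTA_BYTES = 20 * 1024

# Constructed sample in the shape `aws lambda get-policy` returns: the policy
# document is JSON-encoded inside the "Policy" field. The first statement is the
# one the article adds; the second is a constructed grant with no source condition.
FUNCTION_ARN = "arn:aws:lambda:your-region:xxxxxxxxxxxxx:function:your-function"
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "your-event-permission", "Effect": "Allow",
             "Principal": {"Service": "events.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"ArnLike": {"AWS:SourceArn":
                 "arn:aws:events:your-region:xxxxxxxxxxxxx:rule/your-event"}}},
            {"Sid": "unscoped-service-grant", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        ],
    }),
}

# Condition keys that pin a service-principal grant to a specific source.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

def load_policy(get_policy_output):
    """Decode the policy document that get-policy returns as a JSON string."""
    return json.loads(get_policy_output["Policy"])

def unscoped_service_grants(policy):
    """Return Sids of Allow statements that let an AWS service principal invoke
    the function without a SourceArn/SourceAccount condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values()
                     for k in block}
        if not cond_keys & SOURCE_KEYS:
            findings.append(stmt.get("Sid", "<no-sid>"))
    return findings

def policy_size_ok(get_policy_output):
    """True when the encoded policy document is within the 20 KB quota."""
    return len(get_policy_output["Policy"].encode("utf-8")) <= POLICY_QUOTA_BYTES
```

Run unscoped_service_grants on the real get-policy output after each add-permission; the article's own statement passes because its ArnLike condition names AWS:SourceArn.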
