Viewing resource-based IAM policies in Lambda
Lambda supports resource-based permissions policies for Lambda functions and layers. You can use resource-based policies to grant access to other AWS accounts, organizations, or services. Resource-based policies apply to a single function, version, alias, or layer version.
Console
To view a function's resource-based policy
- Open the Functions page of the Lambda console.
- Choose a function.
- Choose Configuration and then choose Permissions.
- Scroll down to Resource-based policy and then choose View policy document.
The resource-based policy shows the permissions that are applied when another account or AWS service attempts to access the function. The following example shows a statement that allows Amazon S3 to invoke a function named my-function for a bucket named amzn-s3-demo-bucket in account 123456789012. The two conditions matter: without AWS:SourceAccount and AWS:SourceArn, any S3 bucket in any account could be configured to invoke the function through the s3.amazonaws.com service principal.
Example resource-based policy
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-allow-s3-my-function",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "123456789012"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
        }
      }
    }
  ]
}
AWS CLI
To view a function's resource-based policy, use the get-policy command. The Policy field in the response holds the policy document as a JSON-encoded string; with --output text the CLI prints that string as-is, as shown below.
aws lambda get-policy \
--function-name my-function \
--output text
You should see the following output:
{"Version":"2012-10-17", "Id":"default","Statement":[{"Sid":"sns","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]}
For versions and aliases, append the version number or alias to the function name. A version or alias has its own resource-based policy, separate from the unqualified function's policy.
aws lambda get-policy --function-name my-function:PROD
To remove permissions from your function, use remove-permission with the Sid of the statement to delete.
aws lambda remove-permission \
--function-name my-function \
--statement-id sns
Use the get-layer-version-policy command to view the permissions on a layer.
aws lambda get-layer-version-policy \
--layer-name my-layer \
--version-number 3 \
--output text
You should see the following output:
b0cd9796-d4eb-4564-939f-de7fe0b42236 {"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}
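The following Python script is an added example and is not part of the Lambda documentation. It takes the default JSON output of get-policy or get-layer-version-policy (in which Policy is a JSON-encoded string that has to be decoded a second time) and flags two patterns a reviewer looks for in these policies: an Allow statement with an AWS service principal but no aws:SourceArn/aws:SourceAccount condition (the confused-deputy exposure that the conditions in the S3 example above prevent), and a wildcard principal with no aws:Principal* condition (public access, unlike the org-scoped layer statement above). The embedded CLI outputs are constructed stand-ins, and the statement IDs sns-unscoped and FunctionURLAllowPublicAccess and the RevisionId values are placeholders.

```python
"""Audit Lambda resource-based policies for over-broad Allow statements.

Added example, not from the Lambda documentation. Input is the default JSON output
of `aws lambda get-policy` or `aws lambda get-layer-version-policy`, where "Policy"
is a JSON-encoded string that must be decoded a second time. Samples are constructed.
"""
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-2:123456789012:function:my-function"

# Constructed stand-in for `aws lambda get-policy --function-name my-function`.
SAMPLE_FUNCTION_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # S3 trigger fenced to one bucket in one account: nothing to report
                "Sid": "lambda-allow-s3-my-function",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
                "Condition": {
                    "StringEquals": {"AWS:SourceAccount": "123456789012"},
                    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"},
                },
            },
            {   # No source condition: an SNS topic in any AWS account can invoke this
                "Sid": "sns-unscoped",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
            },
            {   # Anonymous function URL: anyone on the internet can invoke this
                "Sid": "FunctionURLAllowPublicAccess",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunctionUrl",
                "Resource": FUNCTION_ARN,
                "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",  # placeholder
})

# Constructed stand-in for `aws lambda get-layer-version-policy`. Principal "*" is
# acceptable here because aws:PrincipalOrgID limits callers to one organization.
SAMPLE_LAYER_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "engineering-org",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:GetLayerVersion",
            "Resource": "arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-t194hfs8cz"}},
        }],
    }),
    "RevisionId": "b0cd9796-d4eb-4564-939f-de7fe0b42236",
})

# IAM condition keys are case-insensitive, so they are compared lower-cased.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid"}
PRINCIPAL_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:principalarn"}


def parse_policy(cli_output: str) -> dict:
    """Decode the CLI envelope, then the JSON-encoded Policy string inside it."""
    return json.loads(json.loads(cli_output)["Policy"])


def audit_statement(statement: dict) -> list:
    """Return findings for one statement; an empty list means nothing to report."""
    if statement.get("Effect") != "Allow":
        return []
    sid, principal = statement.get("Sid", "<no Sid>"), statement.get("Principal")
    # Every condition key used in the statement, regardless of operator (StringEquals, ArnLike, ...)
    keys = {k.lower() for block in statement.get("Condition", {}).values() for k in block}
    if principal in ("*", {"AWS": "*"}) and not keys & PRINCIPAL_KEYS:
        return [f"{sid}: Principal '*' with no aws:Principal* condition (public access)"]
    if isinstance(principal, dict) and "Service" in principal and not keys & SOURCE_KEYS:
        return [f"{sid}: {principal['Service']} has no aws:SourceArn/SourceAccount condition (confused deputy)"]
    return []


def audit_policy(cli_output: str) -> list:
    """Audit every statement in a get-policy or get-layer-version-policy response."""
    statements = parse_policy(cli_output).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    return [finding for s in statements for finding in audit_statement(s)]


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_FUNCTION_OUTPUT) + audit_policy(SAMPLE_LAYER_OUTPUT):
        print(finding)
```

To run it against a real function, capture `aws lambda get-policy --function-name my-function` (without --output text) and pass the captured string to audit_policy in place of the constructed constant. The script reports the unscoped SNS statement and the anonymous function URL statement and stays silent on the S3 and layer statements, because both of those carry a condition that pins the caller to a specific bucket and account or to a specific organization.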
Use remove-layer-version-permission to remove statements from the policy.
aws lambda remove-layer-version-permission --layer-name my-layer --version-number 3 --statement-id engineering-org
Supported API actions
The following Lambda API actions support resource-based policies:
- CreateAlias
- DeleteAlias
- DeleteFunction
- DeleteFunctionConcurrency
- DeleteFunctionEventInvokeConfig
- DeleteProvisionedConcurrencyConfig
- GetAlias
- GetFunction
- GetFunctionConcurrency
- GetFunctionConfiguration
- GetFunctionEventInvokeConfig
- GetPolicy
- GetProvisionedConcurrencyConfig
- Invoke
- InvokeFunctionUrl (permission only)
- ListAliases
- ListFunctionEventInvokeConfigs
- ListProvisionedConcurrencyConfigs
- ListTags
- ListVersionsByFunction
- PublishVersion
- PutFunctionConcurrency
- PutFunctionEventInvokeConfig
- PutProvisionedConcurrencyConfig
- TagResource
- UntagResource
- UpdateAlias
- UpdateFunctionCode
- UpdateFunctionEventInvokeConfig