stackoom
  简体   繁体   中英

Specifying a custom role for lambda with the AWS CDK

 原文  2018-10-03 23:21:30       node.js/ amazon-web-services/ aws-lambda/ aws-cdk

Question

I realize it's pretty new but I don't see any examples in any language how you would specify a role for the lambda created with the AWS CDK.

I was attempting to do this

const cdk       = require('@aws-cdk/cdk');
const lambda    = require('@aws-cdk/aws-lambda');
const iam       = require('@aws-cdk/aws-iam');

const path      = require('path');

class MyStack extends cdk.Stack {
    constructor (parent, id, props) {
            super(parent, id, props);

            //
            // Create a lambda...
            const fn = new lambda.Function(this, 'MyFunction-cdktest', {
                runtime: lambda.Runtime.NodeJS810,
                handler: 'index.handler',
                code: lambda.Code.directory( path.join( __dirname, 'lambda')),
                role: iam.RoleName('lambda_basic_execution')
            });

    }
}

class MyApp extends cdk.App {
        constructor (argv) {
                super(argv);

                new MyStack(this, 'hello-cdk');
        }
}

console.log(new MyApp(process.argv).run());

in order to try and specify an existing IAM role for the function but that doesn't seem to be correct syntax. I also would be ok with ( or maybe even prefer ) to generate the custom role on the fly specific to this lambda but I didn't see any examples on how to do that either.

Does anyone have any insight on how to accomplish this?

6 answers

solution1
 25 ACCPTED  2018-10-04 19:29:16

A Lambda already comes with an execution role, and it already has the basic execution permissions. If you want to add additional permissions to the role it has, do something like the following:

lambda.addToRolePolicy(new cdk.PolicyStatement()
   .addResource('arn:aws:....')
   .addAction('s3:GetThing'));

Or better yet, use one of the convenience functions for permissions on some resources:

bucket.grantRead(lambda.role);

solution2
 14  2020-05-15 22:04:10

Even though the lambda comes with an IAM role, you can create a custom role for the lambda. You just have to make sure to assign correct minimum required permissions to it.

You can create a role like this:

    const customRole = new Role(this, 'customRole', {
                    roleName: 'customRole',
                    assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
                    managedPolicies: [
                        ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaVPCAccessExecutionRole"),
                        ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole")
                    ]
                })

If the lambda does not need to be in a VPC you can skip AWSLambdaVPCAccessExecutionRole.

And to assign this role to the lambda function:

const lambda = new lambda.Function(this, 'lambda', {
                runtime:....,
                code:...,
                role: customRole,
                handler:....,
                memorySize:...,
                timeout:....,
                vpc:...,
                environment: {
                   ....
                }
            });

solution3
 11  2019-07-24 13:46:19

The accepted answer by @rix0rrr doesn't work any more. Seems CDK get some updates. Currently version is

"@aws-cdk/core": "^1.1.0"

Updated code:

    import iam = require("@aws-cdk/aws-iam");

    const statement = new iam.PolicyStatement();
    statement.addActions("lambda:InvokeFunction");
    statement.addResources("*");

    lambda.addToRolePolicy(statement);

solution4
 9  2019-08-29 02:54:15

Bill's answer works, but here's another way:

import iam = require("@aws-cdk/aws-iam");

lambda.addToRolePolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [ 'lambda:InvokeFunction' ],
  resources: [ '*' ]
}));

solution5
 2  2020-07-28 10:27:34

I came across a similar situation, and found an answer like


import * as lambda from '@aws-cdk/aws-lambda';

import iam = require("@aws-cdk/aws-iam");

      // define lambda fucntion
        const lambdaFunction = new lambda.Function(this, 'my-lambda', {
            code: this.lambdaCode,
            functionName: 'athena-gateway',
            handler: 'index.handler',
            runtime: lambda.Runtime.NODEJS_12_X,
            timeout: Duration.minutes(14)
        });

        // provide athena,s3 access to lambda function
        const athenaAccessPolicy = new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
                "s3:*",
                "athena:*"                            ]

        });
        athenaAccessPolicy.addAllResources();
        lambdaFunction.addToRolePolicy(athenaAccessPolicy)

solution6
 0  2021-03-21 21:13:51

I didn't managed to add role during lambda creation, but next code gives to lambda access to external role, created in another CDK:

lambdaFn.addToRolePolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [ "sts:AssumeRole" ],
  resources: [externalRoleArn]
}))

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cannot deploy Nodejs and Typescript to AWS cdk + lambda aws cdk graphicsmagick lambda pdf to png AWS CDK Typescript Lambda Handler Event Type AWS Lambda Custom Parameters Deploying node.js lambda with AWS CDK python Deploying Lambda function (not as part of an Application) using AWS CDK How can I zip Node Lambda dependencies in AWS CDK stack? Deploy additional files with Node Lambda Function AWS CDK AWS lambda timeout on custom intents AWS Lambda: NodeJs custom layer
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM