
Does a lambda function IAM role require an IAM permission to invoke itself?

Question

Does the IAM role of a lambda function require an IAM permission to invoke itself?

Background

Reading Tutorial: Process New Items with DynamoDB Streams and Lambda .


It looks like the IAM role of the lambda function that processes DynamoDB stream records has the IAM permission to invoke the function itself (and more).

"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:region:accountID:function:publishNewBark*"

WooferLambdaRolePolicy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:accountID:function:publishNewBark*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:region:accountID:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams"
            ],
            "Resource": "arn:aws:dynamodb:region:accountID:table/BarkTable/stream/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

aws iam put-role-policy --role-name WooferLambdaRole \
    --policy-name WooferLambdaRolePolicy \
    --policy-document file://role-policy.json

aws lambda create-function \
    --region us-east-1 \
    --function-name publishNewBark \
    --zip-file fileb://publishNewBark.zip \
    --role roleARN \                         <--- Replace roleARN with the ARN for WooferLambdaRole.
    --handler publishNewBark.handler \
    --timeout 5 \
    --runtime nodejs10.x

Is there a reason why the IAM permission to invoke the lambda function itself needs to be attached to the IAM role of the lambda? Or is there a specific reason related with DynamoDB stream processing?

What you are describing is an example of AWS Lambda Event Source Mapping, and it's only for Kinesis, DynamoDB and SQS.

However, you are not giving permissions to your function to invoke itself. Instead you are giving the AWS Lambda service (not your function) permission to invoke your function. The reason is that the Lambda service will be processing the DynamoDB stream on your behalf in the background, and it will be invoking your function with the stream's records when they are available.

Note that the trust policy for the WooferLambdaRole role is for lambda.amazonaws.com:

{
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Principal": {
         "Service": "lambda.amazonaws.com"
       },
       "Action": "sts:AssumeRole"
     }
   ]
}

The trust policy means that the Lambda service (again, not your function, but the AWS Lambda service itself) will be able to assume the role containing WooferLambdaRolePolicy. Subsequently the Lambda service will be able to work with DynamoDB and invoke your function.
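To make the two halves of the answer concrete (who may assume the role, and what the role may then do), here is an added offline checker that is not part of the question, the answer, or the AWS tutorial. It loads copies of the two policy documents shown above and answers three defender-side questions: which service principals the trust policy lets assume the role, whether the permissions policy grants lambda:InvokeFunction on the function's own ARN but not on other functions, and which actions are granted on Resource "*" (the sns:Publish statement) and so are candidates for tightening. The ARNs keep the tutorial's region/accountID placeholders; the matching is a deliberate simplification of IAM evaluation (Allow statements only, `*`/`?` wildcards via fnmatch, no Deny, conditions or resource policies), which is an assumption of this example, not a description of IAM's real engine.

```python
"""Offline review of a Lambda execution role's trust policy and inline policy.

Added example (not from the question, the answer or the AWS tutorial).
Runs with the standard library only, so no AWS credentials are needed.
ARNs use the tutorial's region/accountID placeholders, not real identifiers.
"""
import fnmatch

# Constructed copies of the two policy documents reproduced in the thread.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:region:accountID:function:publishNewBark*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:region:accountID:*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                    "dynamodb:GetShardIterator", "dynamodb:ListStreams"],
         "Resource": "arn:aws:dynamodb:region:accountID:table/BarkTable/stream/*"},
        {"Effect": "Allow", "Action": ["sns:Publish"], "Resource": ["*"]},
    ],
}

FUNCTION_ARN = "arn:aws:lambda:region:accountID:function:publishNewBark"


def _as_list(value):
    """IAM accepts either a string or a list for Action / Resource / Service."""
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role.

    This is the 'who can use these permissions' half: for WooferLambdaRole it
    is the Lambda service itself, not the function code.
    """
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def allows(policy, action, resource):
    """True if some Allow statement matches both action and resource.

    Simplified IAM semantics (assumption of this example): only Allow
    statements, `*` and `?` wildcards, actions compared case-insensitively,
    no Deny statements and no Condition blocks.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


def wildcard_resource_grants(policy):
    """Actions granted on Resource "*": the least-privilege review list."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            found.extend(_as_list(stmt.get("Action", [])))
    return found


if __name__ == "__main__":
    print("assumable by:", sorted(trusted_services(TRUST_POLICY)))
    print("can invoke own function:", allows(ROLE_POLICY, "lambda:InvokeFunction", FUNCTION_ARN))
    print("can invoke other functions:",
          allows(ROLE_POLICY, "lambda:InvokeFunction",
                 "arn:aws:lambda:region:accountID:function:somethingElse"))
    print("actions on Resource '*':", wildcard_resource_grants(ROLE_POLICY))
```

Run against the tutorial's documents this reports that only lambda.amazonaws.com can assume the role, that the invoke grant is scoped to the publishNewBark* ARN prefix rather than all functions, and that sns:Publish is the one grant on "*" worth narrowing to the topic the function actually publishes to.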
