stackoom
  简体   繁体   中英

How to add a resource based policy to a lambda using AWS SAM

 原文  2020-06-23 22:29:39       amazon-web-services/ amazon-s3/ aws-lambda/ yaml/ aws-sam

Question

I want to create a deployment script for some lambda functions using AWS SAM. Two of those functions will be deployed into one account(account A) but will be triggered by an s3 bucket object creation event in a second account(account B). From what I know the only way to do this is by using adding a resource based policy to my lambda. But I don't know how to do that in AWS SAM. My current yaml file looks like this.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  deploy-test-s3-triggered-lambda

Parameters:
  AppBucketName:
    Type: String
    Description: "REQUIRED: Unique S3 bucket name to use for the app."

Resources:
  S3TriggeredLambda:
    Type: AWS::Serverless::Function
    Properties: 
      Role: arn:aws:iam::************:role/lambda-s3-role
      Handler: src/handlers/s3-triggered-lambda.invokeAPI
      CodeUri: src/handlers/s3-triggered-lambda.js.zip
      Runtime: nodejs10.x
      MemorySize: 128
      Timeout: 60
      Policies:
        S3ReadPolicy:
          BucketName: !Ref AppBucketName
      Events:
        S3NewObjectEvent:
          Type: S3
          Properties:
            Bucket: !Ref AppBucket
            Events: s3:ObjectCreated:*
  AppBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref AppBucketName

What do I need to add to this yaml file in order to tie a resource based policy that allows for cross account access to my lambda function?

3 answers

solution1
 1  2021-06-10 21:45:44

This can be done achieved with the help of AWS::Lambda::Permission using aws_cdk.aws_lambda.CfnPermission .

For example, to allow your lambda to be called from a role in another account, add the following to your CDK:

from aws_cdk import aws_lambda

aws_lambda.CfnPermission(
    scope,
    "CrossAccountInvocationPermission",
    action="lambda:InvokeFunction",
    function_name="FunctionName",
    principal="arn:aws:iam::111111111111:role/rolename",
)

solution2
 0  2020-06-24 00:18:52

If your bucket and your Lambda function exist in separate accounts I don't know if it's possible to modify both of them from SAM / a single CloudFormation template.

solution3
 -1  2020-11-26 23:34:27

Don't think cross account s3 event is possible with SAM, may need to go back to CFN.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to add policy to access secret with lambda function AWS SAM AWS SAM Lambda policy for OpenSearch How to provide Lambda S3 policy via AWS SAM AWS AppConfig Validation Lambda Policy in SAM Template AWS::Serverless::Api Resource Policy with Cloudformation SAM AWS CDK: Lambda resource based policy for a function with an alias Add inline policy to aws SAM template Deploying AWS Lambda using AWS SAM in Jenkins How to update existing lambda function using AWS SAM How do I code AWS Lambda env variables using SAM?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM