
AWS AppConfig Validation Lambda Policy in SAM Template

I'm trying to add a policy to a lambda to allow AppConfig to invoke it. I can do this through the terminal using this command:

aws lambda add-permission --function-name ConfigValidator.Arn --action lambda:InvokeFunction --statement-id appconfig --principal appconfig.amazonaws.com --output json --region eu-west-1

But how can this be done automatically through the SAM template?
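The SAM equivalent of the add-permission call above, as an added example that is not part of the original post. The permission AppConfig needs is a resource-based policy on the function, which in SAM/CloudFormation is an AWS::Lambda::Permission resource; the `ConfigValidator.Arn` from the CLI command becomes `!GetAtt ConfigValidator.Arn` in the template. Resource names (ConfigValidator, ConfigApplication, ConfigProfile), runtime, handler and paths are assumptions. The SourceArn condition is added so that only this account's AppConfig application can invoke the validator; that AppConfig populates aws:SourceArn on validator invocations is an assumption to confirm against the AppConfig confused-deputy documentation before relying on it.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AppConfig validator Lambda with a resource-based invoke permission (added example)

Resources:
  # The validator. It needs no appconfig:* permissions of its own: AppConfig passes the
  # candidate configuration to it in the invocation event.
  ConfigValidator:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12        # assumed runtime, handler and code path
      Handler: validator.handler
      CodeUri: ./validator/

  ConfigApplication:
    Type: AWS::AppConfig::Application
    Properties:
      Name: demo-app             # assumed name

  # Equivalent of:
  #   aws lambda add-permission --function-name <function arn> --action lambda:InvokeFunction \
  #     --statement-id appconfig --principal appconfig.amazonaws.com
  # This is a resource-based policy on the function, not a policy on its execution role.
  ConfigValidatorInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt ConfigValidator.Arn   # the CLI command's "ConfigValidator.Arn"
      Principal: appconfig.amazonaws.com
      # Without SourceArn, any AppConfig application in any AWS account could invoke this
      # function through the service principal (confused deputy). Assumption: AppConfig sets
      # aws:SourceArn on validator invocations; confirm in the AppConfig docs before relying on it.
      SourceArn: !Sub arn:${AWS::Partition}:appconfig:${AWS::Region}:${AWS::AccountId}:application/${ConfigApplication}/*

  # Wires the validator into a configuration profile. DependsOn makes sure the permission
  # exists before AppConfig first tries to call the function.
  ConfigProfile:
    Type: AWS::AppConfig::ConfigurationProfile
    DependsOn: ConfigValidatorInvokePermission
    Properties:
      ApplicationId: !Ref ConfigApplication
      Name: demo-profile         # assumed name
      LocationUri: hosted
      Validators:
        - Type: LAMBDA
          Content: !GetAtt ConfigValidator.Arn
```

After `sam deploy`, `aws lambda get-policy --function-name <deployed function name>` should show a statement whose principal is appconfig.amazonaws.com; if the SourceArn condition turns out not to match how AppConfig invokes validators, the deployment's validation step fails with an access-denied error and the condition can be relaxed to a SourceAccount check.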

Here is how I do this:

  1. Create a managed policy with access to your AppConfig
  2. Attach that managed policy to the role your lambda is configured to use

Here is the code using CDK (CDK is the latest and greatest tool to create AWS resources, I highly recommend using it!).

If you don't want to use CDK you can manually set up the same managed policies by hand.

Detailed example below:

Create a managed policy with access to your AppConfig

// CDK v2 import; on CDK v1 use '@aws-cdk/aws-iam' instead.
import { ManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam';

// Matches the application itself (for GetApplication) and everything under it
// (environments/configurations, for GetConfiguration); nothing outside this application.
const resourceArn = `arn:aws:appconfig:${props.region}:${props.accountId}:application/${this.appConfigApplication.ref}*`
this.appConfigReaderManagedPolicy = new ManagedPolicy(this, `AppConfigReader-${id}`, {
    managedPolicyName: `AppConfigReader-${id}`,
    description: `Readonly access to ${id}`,
    statements: [
        new PolicyStatement({
            // Allow is the default effect; only read actions, scoped to resourceArn.
            resources: [resourceArn],
            actions: [
                'appconfig:GetConfiguration',
                'appconfig:GetApplication',
            ]
        })
    ]
})

Attach that managed policy to the role your lambda is configured to use

// assuming your lambda is already configured somewhere;
// `role` is typed as optional (IRole | undefined), hence the optional chaining
this.lambdaFunction.role?.addManagedPolicy(this.appConfigReaderManagedPolicy)

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any question, please contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM