Permission
Gives an external source (like an EventBridge Rule, SNS, or S3) permission to access the Lambda function.
Example Usage
Basic Usage
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.Alias;
import com.pulumi.aws.lambda.AliasArgs;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var iamForLambda = new Role("iamForLambda", RoleArgs.builder()
.assumeRolePolicy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Action", "sts:AssumeRole"),
jsonProperty("Effect", "Allow"),
jsonProperty("Sid", ""),
jsonProperty("Principal", jsonObject(
jsonProperty("Service", "lambda.amazonaws.com")
))
)))
)))
.build());
var testLambda = new Function("testLambda", FunctionArgs.builder()
.code(new FileArchive("lambdatest.zip"))
.role(iamForLambda.arn())
.handler("exports.handler")
.runtime("nodejs16.x")
.build());
var testAlias = new Alias("testAlias", AliasArgs.builder()
.description("a sample description")
.functionName(testLambda.name())
.functionVersion("$LATEST")
.build());
var allowCloudwatch = new Permission("allowCloudwatch", PermissionArgs.builder()
.action("lambda:InvokeFunction")
.function(testLambda.name())
.principal("events.amazonaws.com")
.sourceArn("arn:aws:events:eu-west-1:111122223333:rule/RunDaily")
.qualifier(testAlias.name())
.build());
}
}Content copied to clipboard
With SNS
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.sns.Topic;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import com.pulumi.aws.sns.TopicSubscription;
import com.pulumi.aws.sns.TopicSubscriptionArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultTopic = new Topic("defaultTopic");
var defaultRole = new Role("defaultRole", RoleArgs.builder()
.assumeRolePolicy(serializeJson(
jsonObject(
jsonProperty("Version", "2012-10-17"),
jsonProperty("Statement", jsonArray(jsonObject(
jsonProperty("Action", "sts:AssumeRole"),
jsonProperty("Effect", "Allow"),
jsonProperty("Sid", ""),
jsonProperty("Principal", jsonObject(
jsonProperty("Service", "lambda.amazonaws.com")
))
)))
)))
.build());
var func = new Function("func", FunctionArgs.builder()
.code(new FileArchive("lambdatest.zip"))
.role(defaultRole.arn())
.handler("exports.handler")
.runtime("python3.7")
.build());
var withSns = new Permission("withSns", PermissionArgs.builder()
.action("lambda:InvokeFunction")
.function(func.name())
.principal("sns.amazonaws.com")
.sourceArn(defaultTopic.arn())
.build());
var lambda = new TopicSubscription("lambda", TopicSubscriptionArgs.builder()
.topic(defaultTopic.arn())
.protocol("lambda")
.endpoint(func.arn())
.build());
}
}Content copied to clipboard
With API Gateway REST API
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.apigateway.RestApi;
import com.pulumi.aws.apigateway.RestApiArgs;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var myDemoAPI = new RestApi("myDemoAPI", RestApiArgs.builder()
.description("This is my API for demonstration purposes")
.build());
var lambdaPermission = new Permission("lambdaPermission", PermissionArgs.builder()
.action("lambda:InvokeFunction")
.function("MyDemoFunction")
.principal("apigateway.amazonaws.com")
.sourceArn(myDemoAPI.executionArn().applyValue(executionArn -> String.format("%s/*", executionArn)))
.build());
}
}Content copied to clipboard
With CloudWatch Log Group
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.cloudwatch.LogGroup;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import com.pulumi.aws.cloudwatch.LogSubscriptionFilter;
import com.pulumi.aws.cloudwatch.LogSubscriptionFilterArgs;
import com.pulumi.resources.CustomResourceOptions;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var defaultLogGroup = new LogGroup("defaultLogGroup");
final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers("lambda.amazonaws.com")
.build())
.actions("sts:AssumeRole")
.build())
.build());
var defaultRole = new Role("defaultRole", RoleArgs.builder()
.assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.build());
var loggingFunction = new Function("loggingFunction", FunctionArgs.builder()
.code(new FileArchive("lamba_logging.zip"))
.handler("exports.handler")
.role(defaultRole.arn())
.runtime("python3.7")
.build());
var loggingPermission = new Permission("loggingPermission", PermissionArgs.builder()
.action("lambda:InvokeFunction")
.function(loggingFunction.name())
.principal("logs.eu-west-1.amazonaws.com")
.sourceArn(defaultLogGroup.arn().applyValue(arn -> String.format("%s:*", arn)))
.build());
var loggingLogSubscriptionFilter = new LogSubscriptionFilter("loggingLogSubscriptionFilter", LogSubscriptionFilterArgs.builder()
.destinationArn(loggingFunction.arn())
.filterPattern("")
.logGroup(defaultLogGroup.name())
.build(), CustomResourceOptions.builder()
.dependsOn(loggingPermission)
.build());
}
}Content copied to clipboard
With Cross-Account Invocation Policy
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.FunctionUrl;
import com.pulumi.aws.lambda.FunctionUrlArgs;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var urlFunctionUrl = new FunctionUrl("urlFunctionUrl", FunctionUrlArgs.builder()
.functionName(aws_lambda_function.example().function_name())
.authorizationType("AWS_IAM")
.build());
var urlPermission = new Permission("urlPermission", PermissionArgs.builder()
.action("lambda:InvokeFunctionUrl")
.function(aws_lambda_function.example().function_name())
.principal("arn:aws:iam::444455556666:role/example")
.sourceAccount("444455556666")
.functionUrlAuthType("AWS_IAM")
.build());
}
}Content copied to clipboard
With replace_triggered_by Lifecycle Configuration
If omitting the qualifier argument (which forces re-creation each time a function version is published), a lifecycle block can be used to ensure permissions are re-applied on any change to the underlying function.
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.Permission;
import com.pulumi.aws.lambda.PermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var logging = new Permission("logging", PermissionArgs.builder()
.action("lambda:InvokeFunction")
.function(aws_lambda_function.example().function_name())
.principal("events.amazonaws.com")
.sourceArn("arn:aws:events:eu-west-1:111122223333:rule/RunDaily")
.build());
}
}Content copied to clipboard
Import
Using pulumi import, import Lambda permission statements using function_name/statement_id with an optional qualifier. For example:
$ pulumi import aws:lambda/permission:Permission test_lambda_permission my_test_lambda_function/AllowExecutionFromCloudWatchContent copied to clipboard
$ pulumi import aws:lambda/permission:Permission test_lambda_permission my_test_lambda_function:qualifier_name/AllowExecutionFromCloudWatchContent copied to clipboard
*/
Properties
Link copied to clipboard
Link copied to clipboard
Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
Link copied to clipboard
The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization. 1: https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-an-aws-lambda-function.html#use-aws-cli 2: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-control-access-using-iam-policies-to-invoke-api.html 3: https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
Link copied to clipboard
When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
Link copied to clipboard