I am new to AWS. I want to restrict my AWS Lambda function so that it cannot be accessed by any other resource; it can only be invoked by a specified Lambda function.
I have not set up an API Gateway for this Lambda function; it's just a simple Lambda function that I want to invoke from another Lambda function, but I also want to restrict it from being invoked by other resources or another Lambda function. So I want to specify another Lambda function which will invoke this Lambda function, so that only the specified Lambda function can invoke it.
You can modify/delete resource-based policies for Lambda - AWS Lambda.
Normally, these policies define which IAM users, IAM roles and AWS services can invoke the function. You should edit the policies attached to this particular Lambda function to only permit access via your desired 'calling' Lambda function. This will probably involve referencing the IAM Role that is used by the 'calling' Lambda function.
You could even add a Deny policy to prohibit access via any other IAM Role or service.
We have a pair of existing AWS Lambda functions that read/write from a DynamoDB table. I created a new function and table; the function is very basic, just does a putItem on the DynamoDB table. I can successfully invoke it with the test functionality in Lambda.
However, if I invoke the Lambda function using the FunctionURL or via API Gateway, I get the following error.
Yet in Configuration > Permissions in the Lambda interface I clearly see the permission:
Suggestions where to check next? Comparison to our existing, working functions hasn't revealed anything; everything I have checked is configured the same.
Thanks!
When you invoke the lambda function in the lambda console, lambda is using an Execution role.
When you invoke the lambda function via API gateway or via the function URL, it is likely that you are using IAM authorization. As a result, lambda is using the role of the principal who invoked the function (in this case, PatientWellnessDeregistration-role-3ospc0u3).
The execution role is configured correctly, but the IAM role of the principal is lacking the required permissions.
Further reading:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
What you could optionally check is that API Gateway is authorized to call your new Lambda. If so, then the Resource-based policy of the Lambda (still in the Permissions tab) should have something similar to:
Resource-based policy example:
I am utilizing Eventbridge API Destination to call my lambda function's url and throttle it to my desired rate. This works when the lambda function's invoke-url auth type is set to None. When I set the function Url auth type to AWS_IAM and create a resource-based invoke function url policy, it doesn't work.
I've tried setting the policy's principal to
the account root
the eventbridge role arn
the eventBridgeApiDestinations service role arn (arn:aws:iam::xxxxxxxxx:role/aws-service-role/apidestinations.events.amazonaws.com/AWSServiceRoleForAmazonEventBridgeApiDestinations)
None of the above work. Not sure what I'm doing wrong here or if it's even possible to do this.
Policy statement details:
Statement ID: invoke-from-event-bridge-rule
Principal: arn:aws:iam::xxxxxxx:role/< my eventBridge role >
Effect: Allow
Action: lambda:InvokeFunctionUrl
Conditions:
{
  "StringEquals": {
    "lambda:FunctionUrlAuthType": "AWS_IAM"
  }
}
From the documentation:
Amazon EventBridge API destinations are HTTP endpoints that you can invoke as the target of a rule, similar to how you invoke an AWS service or resource as a target.
When you have EventBridge invoke your Lambda in this way, EventBridge doesn't know it is invoking a Lambda function. It doesn't even know it is invoking an AWS service. It is treating it the same as it would a third-party "webhook" external to AWS. It is not going to sign the HTTP request with AWS IAM credentials.
I suggest using a standard AWS Lambda invocation from EventBridge, instead of an HTTP endpoint invocation.
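Both the API Gateway answer earlier (a resource-based policy statement that lets apigateway.amazonaws.com invoke the function, scoped by source ARN) and the answer above (invoke the function as a standard EventBridge rule target rather than through an API destination) come down to what the function's resource-based policy says. The following Python example is added here and is not code from any of the answers: it audits such a policy for statements that grant invocation too broadly, reading the shape that `aws lambda get-policy` returns (a `Policy` field holding a JSON string). The sample policy, account id, function ARN, API id and rule name are constructed for illustration; the statement shapes (service principal plus `AWS:SourceArn`, and the public statement Lambda generates for a function URL with auth type NONE) are the standard ones.

```python
"""Audit a Lambda resource-based policy for statements that grant invocation
too broadly. Added example, not code from the answers above; the policy
document, ARNs and account id below are constructed for illustration."""
import json

# Condition keys that pin a service or wildcard principal to one specific caller.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}

FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:put-item-fn"  # constructed

# Constructed sample in the shape `aws lambda get-policy` returns: the "Policy"
# field is itself a JSON string.
SAMPLE_GET_POLICY_OUTPUT = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # What the API Gateway integration adds: service principal scoped to one route.
            "Sid": "AllowApiGateway", "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-east-1:123456789012:abc123/*/POST/items"}},
        },
        {   # Standard Lambda target of an EventBridge rule (no API destination involved).
            "Sid": "AllowEventBridgeRule", "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:events:us-east-1:123456789012:rule/call-put-item-fn"}},
        },
        {   # Statement Lambda generates for a function URL with auth type NONE: anyone may call.
            "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow",
            "Principal": "*", "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
        },
    ],
})}


def load_statements(policy):
    """Accept a get-policy response, a bare policy document, or either as a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    if isinstance(policy.get("Policy"), str):
        policy = json.loads(policy["Policy"])
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_keys(stmt):
    """All condition keys of a statement, lower-cased (IAM keys are case-insensitive)."""
    return {k.lower() for op in stmt.get("Condition", {}).values() for k in op}


def source_arns(stmt):
    return [v for op in stmt.get("Condition", {}).values()
            for k, vals in op.items() if k.lower() == "aws:sourcearn"
            for v in as_list(vals)]


def audit_statement(stmt):
    """Human-readable findings for one Allow statement; an empty list means it looks fine."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    principal = stmt.get("Principal", {})
    scoped = bool(condition_keys(stmt) & SCOPING_KEYS)
    wildcard = principal == "*" or (
        isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
    if wildcard and not scoped:
        findings.append("wildcard principal without a SourceArn/SourceAccount/PrincipalOrgID condition")
    if isinstance(principal, dict) and "Service" in principal and not scoped:
        findings.append(f"service principal {principal['Service']} not scoped to a source resource")
    for arn in source_arns(stmt):
        # arn:partition:service:region:account:resource -- a resource part that is just "*"
        # lets every API, rule or bucket the service hosts in that account invoke the function.
        resource = arn.split(":", 5)[5] if arn.count(":") >= 5 else arn
        if resource.startswith("*"):
            findings.append(f"SourceArn {arn} is wildcarded at the resource level")
    if any(a in ("*", "lambda:*") for a in as_list(stmt.get("Action", []))):
        findings.append("action wildcard grants more than invocation")
    return findings


def audit_policy(policy):
    """Map each statement Sid (or its index) to its findings."""
    return {stmt.get("Sid", f"statement-{i}"): audit_statement(stmt)
            for i, stmt in enumerate(load_statements(policy))}


if __name__ == "__main__":
    for sid, findings in audit_policy(SAMPLE_GET_POLICY_OUTPUT).items():
        print(sid, "->", findings or "ok")
```

Run against the sample, the two service-principal statements pass and the public function URL statement is flagged; feeding it the output of `aws lambda get-policy --function-name <name>` for a real function works the same way because `load_statements` unwraps the `Policy` string.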
I have a question regarding Lambda and Roles and SCPs.
Let's say that I have a Lambda function doing a certain IAM call; the Lambda role has the permission needed for doing it.
The Lambda itself is created with a CloudFormation. The CloudFormation deployment is run with a tool using the service role for the tool, no service role for the CF.
The Lambda Function is triggered by a Custom Resource in the same CF.
Tool(with role) -> CF(No service role) -> CR -> Lambda -> IAM call
Now add a SCP with a Deny for the IAM call. What principal needs to have condition in the SCP to not be affected by the SCP?
The role you use for the lambda is the principal that needs an exception in the SCP. Ultimately, it is the principal that is running the lambda that is making the IAM call, so that is what will need the condition.
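The first answer on this page (restrict who may invoke a function through its resource-based policy, referencing the calling function's IAM role) and the answer above (the Lambda's execution role is the principal that needs the SCP exception) both turn on IAM's evaluation order. The Python model below is an added example, not code from either answer. It implements the documented same-account logic (an explicit Deny in any layer wins; the SCP must contain an Allow; then an Allow in either the identity-based or the resource-based policy suffices) for a small subset of condition operators, and with constructed account id, role names and policies shows that a resource-based Allow naming the caller's execution role lets that role invoke the worker, that a role with no grant is refused, that a same-account role with its own identity-based `lambda:InvokeFunction` grant is still allowed (the resource-based policy grants, it does not by itself restrict), and that an SCP Deny with an `ArnNotLike` condition on `aws:PrincipalArn` exempts exactly the Lambda's execution role.

```python
"""Simplified model of IAM's same-account evaluation of one request against an
identity-based policy, a Lambda resource-based policy and an SCP.
Added example, not code from the answers above. The account id, role names and
policy documents are constructed, and only the operators listed below are modelled."""
import fnmatch

ACCOUNT = "123456789012"                                             # constructed
TARGET_FN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:worker"    # function to protect
CALLER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/orchestrator-lambda-role"  # allowed caller
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/some-other-role"
IAM_LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT}:role/iam-maintenance-lambda-role"
TOOL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/deploy-tool-role"

POSITIVE_OPS = ("StringEquals", "ArnEquals", "ArnLike")
NEGATIVE_OPS = ("StringNotEquals", "ArnNotEquals", "ArnNotLike")


def as_list(v):
    return v if isinstance(v, list) else [v]

def matches(pattern, value):
    """IAM-style '*' / '?' wildcard match for Action, Resource and Arn* conditions."""
    return fnmatch.fnmatchcase(value, pattern)

def condition_holds(cond, ctx):
    """Every operator/key pair must hold; Arn* operators match wildcards, String* compare exactly."""
    for op, pairs in cond.items():
        if op not in POSITIVE_OPS + NEGATIVE_OPS:
            raise ValueError(f"operator {op} not modelled")
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())            # condition keys are case-insensitive
            hit = actual is not None and any(
                matches(w, actual) if op.startswith("Arn") else w == actual
                for w in as_list(wanted))
            if hit != (op in POSITIVE_OPS):
                return False
    return True

def principal_matches(stmt, ctx):
    """Resource-based policies name a Principal; identity policies and SCPs do not."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    return any(matches(p, ctx["aws:principalarn"]) for p in as_list(principal.get("AWS", [])))

def effects(policy, ctx):
    """Effects of every statement whose Action, Resource, Principal and Condition all match."""
    out = set()
    for stmt in policy.get("Statement", []):
        if (any(matches(a, ctx["action"]) for a in as_list(stmt["Action"]))
                and any(matches(r, ctx["resource"]) for r in as_list(stmt.get("Resource", "*")))
                and principal_matches(stmt, ctx)
                and condition_holds(stmt.get("Condition", {}), ctx)):
            out.add(stmt["Effect"])
    return out

def is_allowed(action, resource, principal_arn, identity_policy, resource_policy=None, scp=None):
    ctx = {"action": action, "resource": resource, "aws:principalarn": principal_arn}
    identity, resource_based, scp_effects = (effects(p or {}, ctx)
                                             for p in (identity_policy, resource_policy, scp))
    if "Deny" in identity | resource_based | scp_effects:
        return False                                  # explicit Deny in any layer wins
    if scp is not None and "Allow" not in scp_effects:
        return False                                  # the SCP is a ceiling, not a grant
    return "Allow" in identity or "Allow" in resource_based   # same account: either may grant


# Resource-based policy on the worker: only the orchestrator function's execution role is named.
WORKER_RESOURCE_POLICY = {"Statement": [{
    "Sid": "AllowOrchestrator", "Effect": "Allow", "Principal": {"AWS": CALLER_ROLE},
    "Action": "lambda:InvokeFunction", "Resource": TARGET_FN}]}
NO_GRANT = {"Statement": []}
# A same-account role whose own identity-based policy already allows invocation.
BROAD_IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"}]}

# SCP: block iam:CreateUser for everyone except the role the IAM-maintenance Lambda runs as.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*",
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": IAM_LAMBDA_ROLE}}}]}
IAM_GRANT = {"Statement": [{"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"}]}


def worker_invocation_results():
    """(orchestrator role, other role without any grant, other role with an identity grant)."""
    return tuple(is_allowed("lambda:InvokeFunction", TARGET_FN, role, ident, WORKER_RESOURCE_POLICY)
                 for role, ident in ((CALLER_ROLE, NO_GRANT), (OTHER_ROLE, NO_GRANT),
                                     (OTHER_ROLE, BROAD_IDENTITY)))

def scp_results():
    """iam:CreateUser under the SCP: (Lambda execution role, deployment tool's role)."""
    return tuple(is_allowed("iam:CreateUser", "*", role, IAM_GRANT, scp=SCP)
                 for role in (IAM_LAMBDA_ROLE, TOOL_ROLE))


if __name__ == "__main__":
    print("worker invocation:", worker_invocation_results())   # (True, False, True)
    print("iam:CreateUser:", scp_results())                    # (True, False)
```

The third worker result is the practical caveat: to make "only the orchestrator" actually hold within one account, the other roles must not carry their own `lambda:InvokeFunction` grant (or must carry an explicit Deny), since the resource-based policy only adds permissions. The SCP results show why the exception condition names the execution role rather than the deployment tool's role or the CloudFormation stack: the execution role is the `aws:PrincipalArn` at the moment the IAM call is made.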
I am trying to create a simple infrastructure using terraform. Terraform should create the lambda and s3 bucket; lambda is triggered using API gateway, which is again created by terraform.
I have created a role and assigned that to lambda so that lambda can put objects in s3 bucket.
My lambda is written in java, since I am assigning role to lambda to access S3, how do I use that role in my code?
I came across another article which suggested accessing S3 using the below code. I assumed the token generation would be taken care of by this.
// AWS SDK for Java v1 builder with an explicit credentials provider (the provider must be constructed with `new`)
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
        .withCredentials(new InstanceProfileCredentialsProvider(false))
        .withRegion("ap-southeast-2")
        .build();
I am confused as to how to access s3, do I need to use the role created by terraform in my code or is there a different way to access S3 from java code?
You don't need to assume the role inside the Lambda function. Instead, simply configure the Lambda function to assume the IAM role. Or add the relevant S3 policy to the Lambda's existing IAM role.
You don't typically have to supply credentials or region explicitly in this case. Simply use:
AmazonS3 s3Client = new AmazonS3Client();
See the Terraform basic example of creating both an IAM role and a Lambda function, and configuring the Lambda function to assume the configured role.
Jarmod's answer is correct that you can configure the role of the Lambda directly, but there are particular use cases where you may need to be first in one account, then the other. If you need to assume a role in the middle of your code, then use the STS functionality of your SDK. STS is the library in the AWS SDK that controls assuming a role's credentials through code.
I have a Lambda function written in Java I and I want it to access S3 (putObject).
I do not want to use or store credentials in my Lambda function in order to access S3. Instead, I would like to use IAM roles.
How can I code an AWS S3 client inside my Java code (that would be run by Lambda) that won't need any credentials and assumes that the Lambda has the appropriate Role?
You don't need to store credentials in your lambda functions. All functions run with a role, the role you set when you created the function. Since the lambda function has a role, you can add or remove permissions from this role as needed, without changing the function itself.
Manage Permissions: Using an IAM Role (Execution Role)
Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role. There are two types of permissions that you grant to the IAM role:
If your Lambda function code accesses other AWS resources, such as to read an object from an S3 bucket or write logs to CloudWatch Logs, you need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role. If the event source is stream-based (Amazon Kinesis Streams and DynamoDB streams), AWS Lambda polls these streams on your behalf. AWS Lambda needs permissions to poll the stream and read new records on the stream so you need to grant the relevant permissions to this role.
http://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html