We Keep Coding

Variable in AWS IAM role to grant permissions to Lambda function

I am trying to figure out if it is possible to design an AWS IAM role that would dynamically grant permission to resource based on the name of the calling resource. For example I currently have a role that grants a Lambda function permission to create and write CloudWatch logs, which looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CWLog",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambdaFunction*"
}
}
I am wondering if there is a way to substitute the string MyLambdaFunction for the name of the calling Lambda function using some ${aws:NameOfTheLambdaFunction} variable, so that I can have a generic policy allowing functions to write only to their specific CW log groups that I can attach to different Lambda roles - with the resource statement looking like: "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/${aws:NameOfTheLambdaFunction}*"
Is something like this possible?

You're referring to an IAM policy variable which provides you the name of the calling Lambda function.
Unfortunately, this policy variable does not currently exist and so this isn't possible.

Your function's execution role doesn't have permission to send result to the destination

I want to send message from lambda function to SNS. When I am trying to add destination "SNS" then this error is coming. What are the IAM Policies, i am missing ? I have added AWSLambdaFullAccess and AmazonSNSFullAccess IAM policies.

The issue is not the lambda execution policy, but you (your IAM user) does not have permissions to perform iam:AttachRolePolicy.
The reason is that the lambda will add the following service-role policy to your function execution role, regardless the fact that you already have AmazonSNSFullAccess there:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "arn:aws:sns:region:xxxx:testTopic"
}
]
}
You have to add the missing permissions to the IAM user you use when login to the console.

How to create an IAM role of specific type using boto3?

I'm trying to lock down a user to a specific VPC in AWS and following How to Help Lock Down a User’s Amazon EC2 Capabilities to a Single VPC | AWS Security Blog.
It is mentioned that we need to create an IAM role with name VPCLockDown of type AWS Service
and add the services for which the role needs access to. like ec2, lambda etc.
I was trying to create this role programatically using boto3.
I checked the create_role documentation for creating a role using boto3.
However, they haven't mentioned anything to specify the type of role and the services that I can specify that the role should have access to.
Is there any way to specify these items while creation of the IAM role using boto3
Edit1:
I tried creating a service_linked_role as per Sudarshan Rampuria's answer like
response = iam.create_service_linked_role(
AWSServiceName='ec2.amazonaws.com',
)
But getting the following error:
An error occurred (AccessDenied) when calling the
CreateServiceLinkedRole operation: Cannot find Service Linked Role
template for ec2.amazonaws.com

You can use create_service_linked_role() function boto3 to link a role to a service.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_service_linked_role

Here is a policy that allows a specific IAM User to launch an instance (RunInstances), but only in a given VPC:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EC2RunInstancesVPC",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "arn:aws:ec2:ap-southeast-2:111111111111:subnet/*",
"Condition": {
"StringEquals": {
"ec2:vpc": "arn:aws:ec2:ap-southeast-2:111111111111:vpc/vpc-abcd1234" <--- Change this
}
}
},
{
"Sid": "RemainingRunInstancePermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:ap-southeast-2:111111111111:instance/*",
"arn:aws:ec2:ap-southeast-2:111111111111:volume/*",
"arn:aws:ec2:ap-southeast-2::image/*",
"arn:aws:ec2:ap-southeast-2::snapshot/*",
"arn:aws:ec2:ap-southeast-2:111111111111:network-interface/*",
"arn:aws:ec2:ap-southeast-2:111111111111:key-pair/*",
"arn:aws:ec2:ap-southeast-2:111111111111:security-group/*"
]
}
]
}
You might need to change the Region. (I tested it in the Sydney region.)

For anyone trying to do this for Lambda, we get the similar error mentioned by the question author under "Edit". Lambda doesn't have a service linked role. You can see from the AWS Lambda documentation that "create-role" is used for creating lambda execution role.
You can also see here that only Lambda#Edge has service linked role.
One just needs to use use boto3 create-role with a policy document
response = iam_client.create_role(
RoleName="some-role-name",
AssumeRolePolicyDocument='{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}',
Description='Lambda role'
)

Lambda service throws error execution role does not have permissions to call receiveMessage on SQS

I have a SQS queue and I want to trigger a lambda function when a message arrives in the queue. I have written the lambda function and that works successfully when I click the "Test" button. When I go to SQS and try to configure it as a lambda trigger I see the error message below.
I have created the SQS queue and lambda function using the same user and role and the lambda function has execute permissions against the same role.
I also have also added SQS receiveMessage permission but it doesn't seem to make a difference unless I'm doing something wrong when I set it.
What could be causing the problem?
Thanks for any help

Hi as far as i can understand your lambda needs the following permission on it aws docs
Hope its not in a VPC.
Or may be give it a god mode on sqs:* just for testing it.
If that works maybe later on you can then go for specific methods only. Attached a policy for a lambda role you might have to change account_number to your account no if you need to invoke another lambda form this lambda
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-2:account_number:function:*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": "*"
}
]
}

Although solution for this may have been achieved by now.. but since this thread was suggested to me at the top.. i will post the answer for other users:
I faced same issue even after giving SQS full access to user. The problem is with the lambda execution role. When lambda is created, it needs to be assigned a lambda execution role. Most users assign the auto-generated execution role while creating lambda. That execution role does not have permissions for SQS.
So open lambda >> Click Permissions tab >> edit execution role at the top >> assign SQS permissions >> boom.
[edit]This is now under Configuration >> Permissions

You need following permissions attached to the role, your lambda assumes
sqs:ReceiveMessage
sqs:DeleteMessage
sqs:GetQueueAttributes
In case you are using Terraform:
data "aws_iam_policy_document" "YOUR_DOCUMENT" {
statement {
sid = "some_id"
actions = [
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
]
resources = [
aws_sqs_queue.YOUR_QUEUE.arn
]
}
}
resource "aws_iam_policy" "YOUR_POLICY" {
name = "your_policy"
policy = data.aws_iam_policy_document.YOUR_DOCUMENT.json
}
resource "aws_iam_role_policy_attachment" "POLICY_ATTACHMENT" {
role = aws_iam_role.YOUR_LAMBDA_ROLE.name
policy_arn = aws_iam_policy.YOUR_POLICY.arn
}
resource "aws_lambda_function" "YOUR_LAMBDA" {
....
role = aws_iam_role.YOUR_LAMBDA_ROLE.arn
....
}

I experienced a similar issue when trying to add an SQS trigger to my Lambda function.
An error occurred when creating the trigger: The provided execution role does not have permissions to call ReceiveMessage on SQS
The way I solved it was to simply add permissions to call ReceiveMessage on SQS in the execution role of the Lambda function.
To do this simply:
Go to IAM in the AWS Console
Click on roles
Select your Lambda function execution role or create one if you don't already have
Add the AWS managed LambdaSQSQueueExecutionRole policy to the role. The policy contains all the necessary permissions to call the necessary actions on SQS from Lambda. The ARN of the policy is arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole.
Save the role, and the try again to add the trigger. This time it will work fone.

AWS security group rules deployment (lambda->SQS)

On AWS we've implemented functionality that AWS lambda pushes message to AWS queue;
However during this implementation I had to manuall grant permissions to AWS lambda to add message to particular queue. And this apporach with manual clicks not so good for prod deployment.
Any suggestions how to automate process of adding permissions between AWS services (mainly lambda and SQS) and cretate "good" deployment package for prod env ?

Each Lambda function has an attached role, which you can specify permissions for in the IAM dashboard. If you give the Lambda functions' role the permission to push to an SQS queue, you're good to go. For example, attach this JSON as a custom role (see http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html):
{
"Version": "2012-10-17",
"Id": "Queue1_Policy_UUID",
"Statement":
{
"Sid":"Queue1_SendMessage",
"Effect": "Allow",
"Principal": {
"AWS": "111122223333"
},
"Action": "sqs:SendMessage",
"Resource": "arn:aws:sqs:us-east-1:444455556666:queue1"
}
}
You can use asterisks to give permission to multiple queues, like:
"Resource": "arn:aws:sqs:us-east-1:444455556666:production-*"
To give sendMessage permission to all queues that start with production-.