How to add a resource based policy to a lambda using AWS SAM
A

4

6

I want to create a deployment script for some lambda functions using AWS SAM. Two of those functions will be deployed into one account (account A) but will be triggered by an S3 bucket object creation event in a second account (account B). From what I know the only way to do this is by adding a resource-based policy to my lambda. But I don't know how to do that in AWS SAM. My current yaml file looks like this.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  deploy-test-s3-triggered-lambda

Parameters:
  AppBucketName:
    Type: String
    Description: "REQUIRED: Unique S3 bucket name to use for the app."

Resources:
  S3TriggeredLambda:
    Type: AWS::Serverless::Function
    Properties: 
      Role: arn:aws:iam::************:role/lambda-s3-role
      Handler: src/handlers/s3-triggered-lambda.invokeAPI
      CodeUri: src/handlers/s3-triggered-lambda.js.zip
      Runtime: nodejs10.x
      MemorySize: 128
      Timeout: 60
      Policies:
        S3ReadPolicy:
          BucketName: !Ref AppBucketName
      Events:
        S3NewObjectEvent:
          Type: S3
          Properties:
            Bucket: !Ref AppBucket
            Events: s3:ObjectCreated:*
  AppBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref AppBucketName

What do I need to add to this yaml file in order to tie a resource based policy that allows for cross account access to my lambda function?

Abidjan answered 23/6, 2020 at 22:29 Comment(0)
B
0

This can be achieved with the help of AWS::Lambda::Permission using aws_cdk.aws_lambda.CfnPermission.

For example, to allow your lambda to be called from a role in another account, add the following to your CDK:

from aws_cdk import aws_lambda

# L1 CloudFormation construct that maps 1:1 onto an AWS::Lambda::Permission resource
aws_lambda.CfnPermission(
    scope,
    "CrossAccountInvocationPermission",
    action="lambda:InvokeFunction",
    function_name="FunctionName",                          # name or ARN of the target function
    principal="arn:aws:iam::111111111111:role/rolename",   # role in the other account allowed to invoke it
)
Brittnybritton answered 10/6, 2021 at 21:45 Comment(1)
I'm not sure this is an answer to the question. The question is asking how to do this in a SAM template; the answer is in respect to CDK. – Germane
E
2

This can be done within the template.yaml file by adding an AWS::Lambda::Permission resource. Mirroring the example in the accepted answer:

Resources:
  ...
  CrossAccountInvocationPermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: FunctionName                           # name or ARN of the function (e.g. !Ref on its logical ID)
      Principal: arn:aws:iam::111111111111:role/rolename   # role in the other account allowed to invoke it
Electropositive answered 24/2, 2023 at 20:43 Comment(0)
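The snippet above grants an IAM role in another account permission to invoke the function. For the questioner's actual scenario, where the invoker is the S3 service delivering notifications from a bucket in account B, the principal is s3.amazonaws.com, and the permission must be scoped with SourceAccount and SourceArn; without them, any bucket in any account could invoke the function (a classic confused-deputy exposure). Below is a complete SAM template for account A that wires this up. It is an added example, not code from the question or either answer; the parameter names SourceBucketName and SourceAccountId, the logical IDs, the CodeUri and the runtime are all assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Lambda in account A invoked by ObjectCreated notifications from a bucket in account B
  (added example; names and paths are assumptions, not from the original question)

Parameters:
  SourceBucketName:
    Type: String
    Description: "Name of the bucket in account B that sends ObjectCreated notifications"
  SourceAccountId:
    Type: String
    AllowedPattern: '^[0-9]{12}$'
    Description: "12-digit account ID of account B"

Resources:
  S3TriggeredLambda:
    Type: AWS::Serverless::Function
    Properties:
      Handler: src/handlers/s3-triggered-lambda.invokeAPI
      CodeUri: src/handlers/          # assumed path to the handler code
      Runtime: nodejs18.x
      MemorySize: 128
      Timeout: 60
      # No Events block and no AWS::S3::Bucket resource here: the bucket lives in
      # account B, so its notification configuration cannot be managed from this
      # template and has to be set on the bucket in account B.
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: s3:GetObject
              Resource: !Sub 'arn:aws:s3:::${SourceBucketName}/*'

  # Resource-based policy on the function: lets the S3 service invoke it, but
  # only on behalf of the one named bucket owned by account B.
  CrossAccountS3InvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref S3TriggeredLambda
      Principal: s3.amazonaws.com
      SourceAccount: !Ref SourceAccountId
      SourceArn: !Sub 'arn:aws:s3:::${SourceBucketName}'

Outputs:
  FunctionArn:
    Description: "ARN to enter in the bucket's notification configuration in account B"
    Value: !GetAtt S3TriggeredLambda.Arn
```

Two things remain outside this template and must be done in account B: the bucket's event notification has to point at the function ARN from the Outputs section, and the bucket policy has to grant the function's execution role s3:GetObject, since the identity policy above only covers account A's side of the permission. After deployment, check the resulting policy with aws lambda get-policy --function-name <function name> and confirm that the statement carries both the StringEquals AWS:SourceAccount and the ArnLike AWS:SourceArn conditions; if either is missing, the function is invokable from buckets you do not control.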
H
0

If your bucket and your Lambda function exist in separate accounts I don't know if it's possible to modify both of them from SAM / a single CloudFormation template.

Howbeit answered 24/6, 2020 at 0:18 Comment(1)
It's not, but you can edit the S3 bucket manually and add the policy to the SAM template for the lambda (or at least that's the goal). – Abidjan
D
-1

Don't think a cross-account S3 event is possible with SAM; may need to go back to CFN.

Disfigurement answered 26/11, 2020 at 23:34 Comment(0)
