Permission

Adds a statement to the Lambda function's resource-based policy that lets an external source (such as a CloudWatch Event Rule, an SNS topic, or an S3 bucket) invoke or otherwise access the function. Because the principal is usually an entire AWS service, pair it with source_arn (and source_account for S3/SES) so the grant is limited to your specific resource rather than to every resource of that service in any account.

Example Usage

Basic Example

using Pulumi;
using Aws = Pulumi.Aws;

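class MyStack : Stack
{
    // Basic example: a single CloudWatch Events rule is allowed to invoke one
    // alias of the function. Each resource carries a note on the
    // security-relevant choice it makes.
    public MyStack()
    {
        // Execution role for the function. The trust policy lets only the Lambda
        // service assume it. No permissions policy is attached in this listing,
        // so the function has no AWS permissions of its own (for example, none
        // to write logs) until one is attached.
        var iamForLambda = new Aws.Iam.Role("iamForLambda", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""lambda.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var testLambda = new Aws.Lambda.Function("testLambda", new Aws.Lambda.FunctionArgs
        {
            Code = new FileArchive("lambdatest.zip"),
            Handler = "exports.handler",
            Role = iamForLambda.Arn,
            // nodejs8.10 (the original value) has been retired by AWS and can no
            // longer be used for new functions. AWS retires runtimes on a
            // published schedule, so keep this set to a currently supported one.
            Runtime = "nodejs12.x",
        });
        // The alias tracks $LATEST, i.e. whatever unpublished code is currently
        // deployed. For production, point it at a published, immutable version so
        // the permission below only grants invocation of known code.
        var testAlias = new Aws.Lambda.Alias("testAlias", new Aws.Lambda.AliasArgs
        {
            Description = "a sample description",
            FunctionName = testLambda.Name,
            FunctionVersion = "$LATEST",
        });
        // Resource-policy statement: only the CloudWatch Events service, and only
        // on behalf of the named rule in account 111122223333 / eu-west-1 (a
        // placeholder; use your own), may invoke the function. Qualifier scopes
        // the grant to the alias ARN, so unqualified invocations and other
        // versions are not covered. Omitting SourceArn would let any rule in any
        // account invoke the function.
        var allowCloudwatch = new Aws.Lambda.Permission("allowCloudwatch", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = testLambda.Name,
            Principal = "events.amazonaws.com",
            Qualifier = testAlias.Name,
            SourceArn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
        });
    }

}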

Coming soon!

import pulumi
import pulumi_aws as aws

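# Execution role for the function. The trust policy lets only the Lambda service
# assume it. No permissions policy is attached in this listing, so the function has
# no AWS permissions of its own (for example, none to write logs) until one is attached.
iam_for_lambda = aws.iam.Role("iamForLambda", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
test_lambda = aws.lambda_.Function("testLambda",
    code=pulumi.FileArchive("lambdatest.zip"),
    handler="exports.handler",
    role=iam_for_lambda.arn,
    # nodejs8.10 (the original value) has been retired by AWS and can no longer be
    # used for new functions. AWS retires runtimes on a published schedule, so keep
    # this set to a currently supported runtime.
    runtime="nodejs12.x")
# The alias tracks $LATEST, i.e. whatever unpublished code is currently deployed.
# For production, point it at a published, immutable version so the permission
# below only grants invocation of known code.
test_alias = aws.lambda_.Alias("testAlias",
    description="a sample description",
    function_name=test_lambda.name,
    function_version="$LATEST")
# Resource-policy statement: only the CloudWatch Events service, and only on behalf
# of the named rule in account 111122223333 / eu-west-1 (a placeholder; use your own),
# may invoke the function. qualifier scopes the grant to the alias ARN, so
# unqualified invocations and other versions are not covered. Omitting source_arn
# would let any rule in any account invoke the function.
allow_cloudwatch = aws.lambda_.Permission("allowCloudwatch",
    action="lambda:InvokeFunction",
    function=test_lambda.name,
    principal="events.amazonaws.com",
    qualifier=test_alias.name,
    source_arn="arn:aws:events:eu-west-1:111122223333:rule/RunDaily")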
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

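// Execution role for the function. The trust policy lets only the Lambda service
// assume it. No permissions policy is attached in this listing, so the function has
// no AWS permissions of its own (for example, none to write logs) until one is attached.
const iamForLambda = new aws.iam.Role("iam_for_lambda", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
});
const testLambda = new aws.lambda.Function("test_lambda", {
    code: new pulumi.asset.FileArchive("lambdatest.zip"),
    handler: "exports.handler",
    role: iamForLambda.arn,
    // nodejs8.10 (the original value) has been retired by AWS and can no longer be
    // used for new functions. AWS retires runtimes on a published schedule, so keep
    // this set to a currently supported runtime.
    runtime: "nodejs12.x",
});
// The alias tracks $LATEST, i.e. whatever unpublished code is currently deployed.
// For production, point it at a published, immutable version so the permission
// below only grants invocation of known code.
const testAlias = new aws.lambda.Alias("test_alias", {
    description: "a sample description",
    functionName: testLambda.functionName,
    functionVersion: "$LATEST",
});
// Resource-policy statement: only the CloudWatch Events service, and only on behalf
// of the named rule in account 111122223333 / eu-west-1 (a placeholder; use your own),
// may invoke the function. qualifier scopes the grant to the alias ARN, so
// unqualified invocations and other versions are not covered. Omitting sourceArn
// would let any rule in any account invoke the function.
const allowCloudwatch = new aws.lambda.Permission("allow_cloudwatch", {
    action: "lambda:InvokeFunction",
    function: testLambda.functionName,
    principal: "events.amazonaws.com",
    qualifier: testAlias.name,
    sourceArn: "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
});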

Usage with SNS

using Pulumi;
using Aws = Pulumi.Aws;

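class MyStack : Stack
{
    // SNS example: exactly one topic is allowed to invoke the function, and the
    // function is subscribed to that topic.
    public MyStack()
    {
        var defaultTopic = new Aws.Sns.Topic("defaultTopic", new Aws.Sns.TopicArgs
        {
        });
        // Execution role: the trust policy lets only the Lambda service assume
        // it. No permissions policy is attached here, so the function has no AWS
        // permissions of its own until one is attached.
        var defaultRole = new Aws.Iam.Role("defaultRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""lambda.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var func = new Aws.Lambda.Function("func", new Aws.Lambda.FunctionArgs
        {
            Code = new FileArchive("lambdatest.zip"),
            Handler = "exports.handler",
            Role = defaultRole.Arn,
            // The original listing paired the Node-style handler "exports.handler"
            // (the same archive and handler as the basic example) with
            // "python2.7", a runtime AWS has retired. Use a supported Node.js
            // runtime that matches the handler, and keep it current as AWS retires
            // runtimes on a published schedule.
            Runtime = "nodejs12.x",
        });
        // Resource-policy statement: only the SNS service, acting for this exact
        // topic, may invoke the function. Without SourceArn any topic in any
        // account could.
        var withSns = new Aws.Lambda.Permission("withSns", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = func.Name,
            Principal = "sns.amazonaws.com",
            SourceArn = defaultTopic.Arn,
        });
        // The subscription only references the topic and function ARNs, so
        // nothing orders it after the permission. DependsOn makes sure the grant
        // exists before SNS can start delivering to the function.
        var lambda = new Aws.Sns.TopicSubscription("lambda", new Aws.Sns.TopicSubscriptionArgs
        {
            Endpoint = func.Arn,
            Protocol = "lambda",
            Topic = defaultTopic.Arn,
        }, new CustomResourceOptions
        {
            DependsOn = { withSns },
        });
    }

}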

Coming soon!

import pulumi
import pulumi_aws as aws

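default_topic = aws.sns.Topic("defaultTopic")
# Execution role: the trust policy lets only the Lambda service assume it. No
# permissions policy is attached here, so the function has no AWS permissions of
# its own until one is attached.
default_role = aws.iam.Role("defaultRole", assume_role_policy="""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}

""")
func = aws.lambda_.Function("func",
    code=pulumi.FileArchive("lambdatest.zip"),
    handler="exports.handler",
    role=default_role.arn,
    # The original listing paired the Node-style handler "exports.handler" (the
    # same archive and handler as the basic example) with "python2.7", a runtime
    # AWS has retired. Use a supported Node.js runtime that matches the handler,
    # and keep it current as AWS retires runtimes on a published schedule.
    runtime="nodejs12.x")
# Resource-policy statement: only the SNS service, acting for this exact topic, may
# invoke the function. Without source_arn any topic in any account could.
with_sns = aws.lambda_.Permission("withSns",
    action="lambda:InvokeFunction",
    function=func.name,
    principal="sns.amazonaws.com",
    source_arn=default_topic.arn)
# The subscription only references the topic and function ARNs, so nothing orders
# it after the permission. depends_on makes sure the grant exists before SNS can
# start delivering to the function.
lambda_ = aws.sns.TopicSubscription("lambda",
    endpoint=func.arn,
    protocol="lambda",
    topic=default_topic.arn,
    opts=pulumi.ResourceOptions(depends_on=[with_sns]))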
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

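const defaultTopic = new aws.sns.Topic("default", {});
// Execution role: the trust policy lets only the Lambda service assume it. No
// permissions policy is attached here, so the function has no AWS permissions of
// its own until one is attached.
const defaultRole = new aws.iam.Role("default", {
    assumeRolePolicy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
`,
});
const func = new aws.lambda.Function("func", {
    code: new pulumi.asset.FileArchive("lambdatest.zip"),
    handler: "exports.handler",
    role: defaultRole.arn,
    // The original listing paired the Node-style handler "exports.handler" (the
    // same archive and handler as the basic example) with "python2.7", a runtime
    // AWS has retired. Use a supported Node.js runtime that matches the handler,
    // and keep it current as AWS retires runtimes on a published schedule.
    runtime: "nodejs12.x",
});
// Resource-policy statement: only the SNS service, acting for this exact topic, may
// invoke the function. Without sourceArn any topic in any account could.
const withSns = new aws.lambda.Permission("with_sns", {
    action: "lambda:InvokeFunction",
    function: func.functionName,
    principal: "sns.amazonaws.com",
    sourceArn: defaultTopic.arn,
});
// The subscription only references the topic and function ARNs, so nothing orders
// it after the permission. dependsOn makes sure the grant exists before SNS can
// start delivering to the function.
const lambda = new aws.sns.TopicSubscription("lambda", {
    endpoint: func.arn,
    protocol: "lambda",
    topic: defaultTopic.arn,
}, { dependsOn: [withSns] });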

Specify Lambda permissions for API Gateway REST API

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    // API Gateway example: one REST API is allowed to invoke a pre-existing
    // function named "MyDemoFunction".
    public MyStack()
    {
        // REST API; its execution ARN is what the permission below is scoped to.
        var myDemoAPI = new Aws.ApiGateway.RestApi("myDemoAPI", new Aws.ApiGateway.RestApiArgs
        {
            Description = "This is my API for demonstration purposes",
        });

        // Execution ARN with stage/method/resource-path appended. "/*/*/*" permits
        // every stage, method and path of this API; narrow it to
        // /<stage>/<METHOD>/<resource-path> for production deployments.
        var invokeScope = Output.Format($"{myDemoAPI.ExecutionArn}/*/*/*");

        // Resource-policy statement: only the API Gateway service, acting for
        // this API, may invoke the function. Without SourceArn any API in any
        // account could.
        var lambdaPermission = new Aws.Lambda.Permission("lambdaPermission", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = "MyDemoFunction",
            Principal = "apigateway.amazonaws.com",
            SourceArn = invokeScope,
        });
    }

}
package main

import (
    "fmt"

    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/apigateway"
    "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/lambda"
    "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
)

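// main allows one REST API to invoke the pre-existing Lambda function
// "MyDemoFunction" by adding a statement to that function's resource policy.
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // REST API; its execution ARN is what the permission below is scoped to.
        myDemoAPI, err := apigateway.NewRestApi(ctx, "myDemoAPI", &apigateway.RestApiArgs{
            Description: pulumi.String("This is my API for demonstration purposes"),
        })
        if err != nil {
            return err
        }
        // Resource-policy statement: only the API Gateway service, acting for this
        // API, may invoke the function. SourceArn is the execution ARN with
        // stage/method/resource-path appended; "/*/*/*" permits every stage,
        // method and path of this API, so narrow it to
        // /<stage>/<METHOD>/<resource-path> for production. Leaving SourceArn out
        // would let any API in any account invoke the function.
        _, err = lambda.NewPermission(ctx, "lambdaPermission", &lambda.PermissionArgs{
            Action:    pulumi.String("lambda:InvokeFunction"),
            Function:  pulumi.String("MyDemoFunction"),
            Principal: pulumi.String("apigateway.amazonaws.com"),
            SourceArn: myDemoAPI.ExecutionArn.ApplyT(func(executionArn string) (string, error) {
                // One %s verb with the suffix in the format string, rather than
                // "%v%v" with the literal passed as a second argument.
                return fmt.Sprintf("%s/*/*/*", executionArn), nil
            }).(pulumi.StringOutput),
        })
        if err != nil {
            return err
        }
        return nil
    })
}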
import pulumi
import pulumi_aws as aws

# REST API; its execution ARN is what the permission below is scoped to.
my_demo_api = aws.apigateway.RestApi("myDemoAPI", description="This is my API for demonstration purposes")

# Execution ARN with stage/method/resource-path appended. "/*/*/*" permits every
# stage, method and path of this API; narrow it to /<stage>/<METHOD>/<resource-path>
# for production deployments.
invoke_scope = pulumi.Output.concat(my_demo_api.execution_arn, "/*/*/*")

# Resource-policy statement on the pre-existing function "MyDemoFunction": only the
# API Gateway service, acting for this API, may invoke it. Without source_arn any
# API in any account could.
lambda_permission = aws.lambda_.Permission("lambdaPermission",
    action="lambda:InvokeFunction",
    function="MyDemoFunction",
    principal="apigateway.amazonaws.com",
    source_arn=invoke_scope)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// REST API; its execution ARN is what the permission below is scoped to.
const myDemoAPI = new aws.apigateway.RestApi("MyDemoAPI", {
    description: "This is my API for demonstration purposes",
});

// Execution ARN with stage/method/resource-path appended. "/*/*/*" permits every
// stage, method and path of this API; narrow it to /<stage>/<METHOD>/<resource-path>
// for production deployments.
const invokeScope = myDemoAPI.executionArn.apply((arn) => `${arn}/*/*/*`);

// Resource-policy statement on the pre-existing function "MyDemoFunction": only the
// API Gateway service, acting for this API, may invoke it. Without sourceArn any API
// in any account could.
const lambdaPermission = new aws.lambda.Permission("lambda_permission", {
    action: "lambda:InvokeFunction",
    function: "MyDemoFunction",
    principal: "apigateway.amazonaws.com",
    sourceArn: invokeScope,
});

Create a Permission Resource

def Permission(resource_name, opts=None, action=None, event_source_token=None, function=None, principal=None, qualifier=None, source_account=None, source_arn=None, statement_id=None, statement_id_prefix=None, __props__=None);
func NewPermission(ctx *Context, name string, args PermissionArgs, opts ...ResourceOption) (*Permission, error)
public Permission(string name, PermissionArgs args, CustomResourceOptions? opts = null)
name string
The unique name of the resource.
args PermissionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
opts ResourceOptions
A bag of options that control this resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args PermissionArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args PermissionArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.

Permission Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Permission resource accepts the following input properties:

Action string

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

Function string

Name of the Lambda function whose resource policy you are updating

Principal string

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with SourceArn (and SourceAccount where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

EventSourceToken string

The Event Source Token to validate. Used with Alexa Skills.

Qualifier string

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

SourceAccount string

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside SourceArn for these services: an S3 bucket ARN contains no account ID, so SourceArn alone does not bind the grant to a bucket owned by your account.

SourceArn string

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

StatementId string

A unique statement identifier. By default generated by this provider.

StatementIdPrefix string

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

Action string

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

Function interface{}

Name of the Lambda function whose resource policy you are updating

Principal string

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with SourceArn (and SourceAccount where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

EventSourceToken string

The Event Source Token to validate. Used with Alexa Skills.

Qualifier string

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

SourceAccount string

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside SourceArn for these services: an S3 bucket ARN contains no account ID, so SourceArn alone does not bind the grant to a bucket owned by your account.

SourceArn string

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

StatementId string

A unique statement identifier. By default generated by this provider.

StatementIdPrefix string

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

action string

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

function string | Function

Name of the Lambda function whose resource policy you are updating

principal string

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with sourceArn (and sourceAccount where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

eventSourceToken string

The Event Source Token to validate. Used with Alexa Skills.

qualifier string

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

sourceAccount string

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside sourceArn for these services: an S3 bucket ARN contains no account ID, so sourceArn alone does not bind the grant to a bucket owned by your account.

sourceArn string

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

statementId string

A unique statement identifier. By default generated by this provider.

statementIdPrefix string

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

action str

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

function string | str

Name of the Lambda function whose resource policy you are updating

principal str

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with source_arn (and source_account where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

event_source_token str

The Event Source Token to validate. Used with Alexa Skills.

qualifier str

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

source_account str

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside source_arn for these services: an S3 bucket ARN contains no account ID, so source_arn alone does not bind the grant to a bucket owned by your account.

source_arn str

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

statement_id str

A unique statement identifier. By default generated by this provider.

statement_id_prefix str

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

Outputs

All input properties are implicitly available as output properties. Additionally, the Permission resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.

Look up an Existing Permission Resource

Get an existing Permission resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PermissionState, opts?: CustomResourceOptions): Permission
static get(resource_name, id, opts=None, action=None, event_source_token=None, function=None, principal=None, qualifier=None, source_account=None, source_arn=None, statement_id=None, statement_id_prefix=None, __props__=None);
func GetPermission(ctx *Context, name string, id IDInput, state *PermissionState, opts ...ResourceOption) (*Permission, error)
public static Permission Get(string name, Input<string> id, PermissionState? state, CustomResourceOptions? opts = null)
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.

The following state arguments are supported:

Action string

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

EventSourceToken string

The Event Source Token to validate. Used with Alexa Skills.

Function string

Name of the Lambda function whose resource policy you are updating

Principal string

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with SourceArn (and SourceAccount where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

Qualifier string

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

SourceAccount string

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside SourceArn for these services: an S3 bucket ARN contains no account ID, so SourceArn alone does not bind the grant to a bucket owned by your account.

SourceArn string

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

StatementId string

A unique statement identifier. By default generated by this provider.

StatementIdPrefix string

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

Action string

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

EventSourceToken string

The Event Source Token to validate. Used with Alexa Skills.

Function interface{}

Name of the Lambda function whose resource policy you are updating

Principal string

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with SourceArn (and SourceAccount where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

Qualifier string

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

SourceAccount string

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside SourceArn for these services: an S3 bucket ARN contains no account ID, so SourceArn alone does not bind the grant to a bucket owned by your account.

SourceArn string

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

StatementId string

A unique statement identifier. By default generated by this provider.

StatementIdPrefix string

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

action string

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

eventSourceToken string

The Event Source Token to validate. Used with Alexa Skills.

function string | Function

Name of the Lambda function whose resource policy you are updating

principal string

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with sourceArn (and sourceAccount where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

qualifier string

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

sourceAccount string

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside sourceArn for these services: an S3 bucket ARN contains no account ID, so sourceArn alone does not bind the grant to a bucket owned by your account.

sourceArn string

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

statementId string

A unique statement identifier. By default generated by this provider.

statementIdPrefix string

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

action str

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

event_source_token str

The Event Source Token to validate. Used with Alexa Skills.

function string | str

Name of the Lambda function whose resource policy you are updating

principal str

The principal who is getting this permission, e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. When the principal is a service, restrict the grant with source_arn (and source_account where applicable); otherwise any resource of that service, in any account, can use it. When the principal is an AWS account ID, the grant applies to that account as a whole, and that account's own IAM policies decide which of its identities can use it.

qualifier str

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

source_account str

This parameter is used for S3 and SES. The AWS account ID (without hyphens) of the source owner. Set it alongside source_arn for these services: an S3 bucket ARN contains no account ID, so source_arn alone does not bind the grant to a bucket owned by your account.

source_arn str

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from the principal will be granted permission – even if that resource belongs to another account. For S3, this should be the ARN of the S3 bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events rule. For API Gateway, this should be the API's execution ARN (the arn:aws:execute-api:… form), optionally narrowed by stage, method and resource path; the examples above append /*/*/* to allow all three.

statement_id str

A unique statement identifier. By default generated by this provider.

statement_id_prefix str

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with statement_id.

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.