
Class Permission

Creates a Lambda permission that allows an external source (e.g. a CloudWatch Event Rule, SNS or S3) to invoke the Lambda function. Each permission is a statement in the function's resource policy.

Example Usage

using Pulumi;
using Aws = Pulumi.Aws;

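/// <summary>
/// Example stack that grants a single CloudWatch Events rule permission to invoke
/// one alias of a Lambda function.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Execution role for the function. The trust policy lets only the Lambda
        // service assume it; this example attaches no permissions policy to the role.
        var iamForLambda = new Aws.Iam.Role("iamForLambda", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Action"": ""sts:AssumeRole"",
  ""Principal"": {
    ""Service"": ""lambda.amazonaws.com""
  },
  ""Effect"": ""Allow"",
  ""Sid"": """"
}
]
}

",
        });

        var testLambda = new Aws.Lambda.Function("testLambda", new Aws.Lambda.FunctionArgs
        {
            Code = new FileArchive("lambdatest.zip"),
            Handler = "exports.handler",
            Role = iamForLambda.Arn,
            // NOTE(review): nodejs8.10 is an end-of-life Lambda runtime that no longer
            // receives security patches; substitute a currently supported runtime
            // before reusing this example.
            Runtime = "nodejs8.10",
        });

        var testAlias = new Aws.Lambda.Alias("testAlias", new Aws.Lambda.AliasArgs
        {
            Description = "a sample description",
            FunctionName = testLambda.Name,
            // Lambda names the unpublished version "$LATEST" with a single '$'.
            // A plain C# string literal needs no escaping, so "$$LATEST" would be
            // passed through verbatim and is not a valid version.
            FunctionVersion = "$LATEST",
        });

        // Resource-policy statement on the function. Two fields narrow the grant:
        //  - Qualifier applies it to the alias only, not to every version.
        //  - SourceArn limits it to events from this one rule, so other rules that
        //    use the same service principal cannot invoke the function.
        // The ARN below is the sample value from the documentation; replace it with
        // the ARN of your own rule.
        var allowCloudwatch = new Aws.Lambda.Permission("allowCloudwatch", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = testLambda.Name,
            Principal = "events.amazonaws.com",
            Qualifier = testAlias.Name,
            SourceArn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
        });
    }
}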

Usage with SNS

using Pulumi;
using Aws = Pulumi.Aws;

/// <summary>
/// Example stack that subscribes a Lambda function to an SNS topic and grants
/// that topic, and only that topic, permission to invoke the function.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        // Trust policy for the execution role: only the Lambda service may assume it.
        const string lambdaTrustPolicy = @"{
""Version"": ""2012-10-17"",
""Statement"": [
{
  ""Action"": ""sts:AssumeRole"",
  ""Principal"": {
    ""Service"": ""lambda.amazonaws.com""
  },
  ""Effect"": ""Allow"",
  ""Sid"": """"
}
]
}

";

        var topic = new Aws.Sns.Topic("defaultTopic", new Aws.Sns.TopicArgs());

        var executionRole = new Aws.Iam.Role("defaultRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = lambdaTrustPolicy,
        });

        // NOTE(review): python2.7 is an end-of-life Lambda runtime, and the handler
        // string looks like a Node.js one; confirm both before reusing this example.
        var functionArgs = new Aws.Lambda.FunctionArgs
        {
            Code = new FileArchive("lambdatest.zip"),
            Handler = "exports.handler",
            Role = executionRole.Arn,
            Runtime = "python2.7",
        };
        var handlerFunction = new Aws.Lambda.Function("func", functionArgs);

        // SourceArn ties the grant to this topic's ARN, so other topics that
        // publish through the sns.amazonaws.com principal are not covered by it.
        var invokeFromTopicArgs = new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            Function = handlerFunction.Name,
            Principal = "sns.amazonaws.com",
            SourceArn = topic.Arn,
        };
        var invokeFromTopic = new Aws.Lambda.Permission("withSns", invokeFromTopicArgs);

        // Deliver the topic's messages to the function.
        var subscriptionArgs = new Aws.Sns.TopicSubscriptionArgs
        {
            Endpoint = handlerFunction.Arn,
            Protocol = "lambda",
            Topic = topic.Arn,
        };
        var subscription = new Aws.Sns.TopicSubscription("lambda", subscriptionArgs);
    }
}

Specify Lambda permissions for API Gateway REST API

using Pulumi;
using Aws = Pulumi.Aws;

/// <summary>
/// Example stack that lets an API Gateway REST API invoke an existing Lambda
/// function, which is referenced by name.
/// </summary>
class MyStack : Stack
{
    public MyStack()
    {
        var demoApi = new Aws.ApiGateway.RestApi("myDemoAPI", new Aws.ApiGateway.RestApiArgs
        {
            Description = "This is my API for demonstration purposes",
        });

        // The three wildcards appended to the execution ARN stand for stage, HTTP
        // method and resource path, so every route of this API may invoke the
        // function. Replace them with concrete values when the function backs a
        // single stage, method or path.
        var anyRouteOfDemoApi = demoApi.ExecutionArn.Apply(executionArn => $"{executionArn}/*/*/*");

        var invokeFromApiGateway = new Aws.Lambda.Permission("lambdaPermission", new Aws.Lambda.PermissionArgs
        {
            Action = "lambda:InvokeFunction",
            // The function is not created in this stack; it is looked up by this name.
            Function = "MyDemoFunction",
            Principal = "apigateway.amazonaws.com",
            SourceArn = anyRouteOfDemoApi,
        });
    }
}
Inheritance
System.Object
Resource
CustomResource
Permission
Inherited Members
CustomResource.Id
Resource.GetResourceType()
Resource.GetResourceName()
Resource.Urn
System.Object.Equals(System.Object)
System.Object.Equals(System.Object, System.Object)
System.Object.GetHashCode()
System.Object.GetType()
System.Object.MemberwiseClone()
System.Object.ReferenceEquals(System.Object, System.Object)
System.Object.ToString()
Namespace: Pulumi.Aws.Lambda
Assembly: Pulumi.Aws.dll
Syntax
public class Permission : CustomResource

Constructors


Permission(String, PermissionArgs, CustomResourceOptions)

Create a Permission resource with the given unique name, arguments, and options.

Declaration
public Permission(string name, PermissionArgs args, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resource

PermissionArgs args

The arguments used to populate this resource's properties

CustomResourceOptions options

A bag of options that control this resource's behavior

Properties


Action

The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)

Declaration
public Output<string> Action { get; }
Property Value
Type Description
Output<System.String>

EventSourceToken

The Event Source Token to validate. Used with Alexa Skills.

Declaration
public Output<string> EventSourceToken { get; }
Property Value
Type Description
Output<System.String>

Function

Name of the Lambda function whose resource policy you are updating

Declaration
public Output<string> Function { get; }
Property Value
Type Description
Output<System.String>

Principal

The principal who is getting this permission. e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com.

Declaration
public Output<string> Principal { get; }
Property Value
Type Description
Output<System.String>

Qualifier

Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN. e.g. arn:aws:lambda:aws-region:acct-id:function:function-name:2

Declaration
public Output<string> Qualifier { get; }
Property Value
Type Description
Output<System.String>

SourceAccount

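This parameter is used for S3 and SES. The AWS account ID (without a hyphen) of the source owner. For S3, set it alongside SourceArn: a bucket ARN does not contain an account ID, so SourceArn alone cannot show whether the bucket still belongs to the expected account.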

Declaration
public Output<string> SourceAccount { get; }
Property Value
Type Description
Output<System.String>

SourceArn

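When granting Amazon S3 or CloudWatch Events permission to invoke your function, you should specify this field with the Amazon Resource Name (ARN) of the S3 bucket or CloudWatch Events rule as its value. This ensures that only events generated from the specified bucket or rule can invoke the function. If it is omitted for a service principal, the grant is not tied to one resource, and other accounts could configure resources of that service to invoke the function. API Gateway ARNs have a different structure; the API Gateway example above builds the value from the REST API's execution ARN.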

Declaration
public Output<string> SourceArn { get; }
Property Value
Type Description
Output<System.String>

StatementId

A unique statement identifier. By default generated by this provider.

Declaration
public Output<string> StatementId { get; }
Property Value
Type Description
Output<System.String>

StatementIdPrefix

A statement identifier prefix. This provider will generate a unique suffix. Conflicts with StatementId (statement_id).

Declaration
public Output<string> StatementIdPrefix { get; }
Property Value
Type Description
Output<System.String>

Methods


Get(String, Input<String>, PermissionState, CustomResourceOptions)

Get an existing Permission resource's state with the given name, ID, and optional extra properties used to qualify the lookup.

Declaration
public static Permission Get(string name, Input<string> id, PermissionState state = null, CustomResourceOptions options = null)
Parameters
Type Name Description
System.String name

The unique name of the resulting resource.

Input<System.String> id

The unique provider ID of the resource to lookup.

PermissionState state

Any extra arguments used during the lookup.

CustomResourceOptions options

A bag of options that control this resource's behavior

Returns
Type Description
Permission
Copyright 2016-2020, Pulumi Corporation.