Viewing resource-based IAM policies in Lambda
Lambda supports resource-based permissions policies for Lambda functions and layers. You can use resource-based policies to grant access to other AWS accounts, organizations, or services. Resource-based policies apply to a single function, version, alias, or layer version.
- Console

To view a function's resource-based policy

- Open the Functions page of the Lambda console.
- Choose a function.
- Choose Configuration and then choose Permissions.
- Scroll down to Resource-based policy and then choose View policy document. The resource-based policy shows the permissions that are applied when another account or AWS service attempts to access the function. The following example shows a statement that allows Amazon S3 to invoke a function named my-function for a bucket named amzn-s3-demo-bucket in account 123456789012.

Example resource-based policy

    {
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {
                "Sid": "lambda-allow-s3-my-function",
                "Effect": "Allow",
                "Principal": {
                    "Service": "s3.amazonaws.com"
                },
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceAccount": "123456789012"
                    },
                    "ArnLike": {
                        "AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
                    }
                }
            }
        ]
    }
- AWS CLI

To view a function's resource-based policy, use the get-policy command.

    aws lambda get-policy \
        --function-name my-function \
        --output text

You should see the following output (the policy document as a single JSON string, followed by the policy's RevisionId):

- JSON

    {"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"sns","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]} 7c681fc9-b791-4e91-acdf-eb847fdaa0f0

- JSON (China partition: the function ARN uses the cn-north-1 Region and the S3 service principal is s3.amazonaws.com.cn)

    {"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"sns","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com.cn"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:cn-north-1:123456789012:function:my-function","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]} 7c681fc9-b791-4e91-acdf-eb847fdaa0f0
For versions and aliases, append the version number or alias to the function name.

    aws lambda get-policy --function-name my-function:PROD

To remove permissions from your function, use remove-permission.

    aws lambda remove-permission \
        --function-name example \
        --statement-id sns

Use the get-layer-version-policy command to view the permissions on a layer.

    aws lambda get-layer-version-policy \
        --layer-name my-layer \
        --version-number 3 \
        --output text

You should see the following output:

    b0cd9796-d4eb-4564-939f-de7fe0b42236 {"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}

Use remove-layer-version-permission to remove statements from the policy.

    aws lambda remove-layer-version-permission --layer-name my-layer --version-number 3 --statement-id engineering-org
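Viewing a policy is only useful if you then check what it grants. The following added example (not part of this page or of the AWS CLI) parses the `--output text` form shown above for both get-policy and get-layer-version-policy, separates the policy document from the RevisionId, and flags two statement shapes a reviewer looks for: a wildcard principal with no scoping condition, and a service principal with neither aws:SourceAccount nor aws:SourceArn (the confused-deputy guard the S3 example on this page includes). The sample inputs are the outputs printed on this page; the third, "open" policy is a constructed, hypothetical statement added for contrast. The function and helper names are the example's own.

```python
import json

# Constructed sample inputs, copied from the `--output text` examples on this page.
FUNCTION_POLICY_TEXT = (
    '{"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"sns","Effect":"Allow",'
    '"Principal":{"Service":"s3.amazonaws.com"},"Action":"lambda:InvokeFunction",'
    '"Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function",'
    '"Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]}'
    ' 7c681fc9-b791-4e91-acdf-eb847fdaa0f0'
)
LAYER_POLICY_TEXT = (
    'b0cd9796-d4eb-4564-939f-de7fe0b42236 {"Sid":"engineering-org","Effect":"Allow",'
    '"Principal":"*","Action":"lambda:GetLayerVersion",'
    '"Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3",'
    '"Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}'
)
# Constructed, hypothetical: an Allow statement with no condition at all, for contrast.
OPEN_POLICY_TEXT = (
    '{"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"open","Effect":"Allow",'
    '"Principal":"*","Action":"lambda:InvokeFunction",'
    '"Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function"}]}'
    ' 00000000-0000-0000-0000-000000000000'
)

# Condition keys that scope who may use a statement (lower-cased: IAM keys are case-insensitive).
SCOPING_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:sourceaccount", "aws:sourcearn"}
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def parse_text_output(text: str) -> tuple[dict, str]:
    """Split `--output text` into (policy document, revision id).

    The CLI prints the policy JSON and the RevisionId separated by whitespace; on this page
    get-policy prints the JSON first and get-layer-version-policy prints the id first, so the
    JSON is located by its outermost braces and whatever remains is the revision id.
    """
    start, end = text.index("{"), text.rindex("}") + 1
    policy = json.loads(text[start:end])
    revision = (text[:start] + text[end:]).strip()
    return policy, revision


def statements_of(policy: dict) -> list[dict]:
    """A full document carries a Statement list; a bare statement object is wrapped in one."""
    if "Statement" in policy:
        stmts = policy["Statement"]
        return stmts if isinstance(stmts, list) else [stmts]
    return [policy]


def condition_keys(stmt: dict) -> set[str]:
    """All condition keys in a statement, across every operator block, lower-cased."""
    return {key.lower() for operator in stmt.get("Condition", {}).values() for key in operator}


def audit_statement(stmt: dict) -> list[str]:
    """Return human-readable findings for one Allow statement (Deny statements are skipped)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid", "<no Sid>")
    principal = stmt.get("Principal")
    keys = condition_keys(stmt)
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    if wildcard and not keys & SCOPING_KEYS:
        findings.append(f"{sid}: wildcard principal with no scoping condition")
    if isinstance(principal, dict) and "Service" in principal and not keys & SOURCE_KEYS:
        findings.append(f"{sid}: service principal without aws:SourceAccount/aws:SourceArn")
    return findings


def audit_text_output(text: str) -> list[str]:
    """Parse one CLI text output and audit every statement in it."""
    policy, _revision = parse_text_output(text)
    return [finding for stmt in statements_of(policy) for finding in audit_statement(stmt)]


if __name__ == "__main__":
    for label, text in (("function", FUNCTION_POLICY_TEXT),
                        ("layer", LAYER_POLICY_TEXT),
                        ("open (constructed)", OPEN_POLICY_TEXT)):
        policy, revision = parse_text_output(text)
        print(f"{label}: revision {revision}, findings: {audit_text_output(text) or 'none'}")
```

Both page outputs pass: the S3 statement is scoped by AWS:SourceArn and the layer statement's wildcard principal is scoped by aws:PrincipalOrgID. Only the constructed "open" statement is reported. In practice you would pipe the real `aws lambda get-policy --output text` result into parse_text_output instead of the embedded strings.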
Supported API actions

The following Lambda API actions support resource-based policies:

- InvokeFunctionUrl (permission only)