Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(lambda): document adding execution permissions to provided IAM roles #8041

Merged
31 changes: 31 additions & 0 deletions packages/@aws-cdk/aws-lambda/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,37 @@ to our CDK project directory. This is especially important when we want to share
this construct through a library. Different programming languages will have
different techniques for bundling resources into libraries.

### Execution Role

Lambda functions assume an IAM role during execution. In CDK by default, Lambda
functions will use an autogenerated Role if one is not provided.

The autogenerated Role is automatically given permissions to execute the Lambda
function. To reference the autogenerated Role:
```
flemjame-at-amazon marked this conversation as resolved.
Show resolved Hide resolved
const fn = new lambda.Function(this, 'MyFunction', {
runtime: lambda.Runtime.NODEJS_10_X,
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),

fn.role // the Role
```

You can also provide your own IAM role. Provided IAM roles will not automatically
be given permissions to execute the Lambda function. To provide a role and grant
it appropriate permissions:
```
flemjame-at-amazon marked this conversation as resolved.
Show resolved Hide resolved
const fn = new lambda.Function(this, 'MyFunction', {
runtime: lambda.Runtime.NODEJS_10_X,
handler: 'index.handler',
code: lambda.Code.fromAsset(path.join(__dirname, 'lambda-handler')),
role: myRole // user-provided role
});

myRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole"));
myRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaVPCAccessExecutionRole")); // only required if your function lives in a VPC
```

### Versions and Aliases

You can use
Expand Down
6 changes: 6 additions & 0 deletions packages/@aws-cdk/aws-lambda/lib/function.ts
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,12 @@ export interface FunctionOptions extends EventInvokeConfigOptions {
* It controls the permissions that the function will have. The Role must
* be assumable by the 'lambda.amazonaws.com' service principal.
*
* The default Role automatically has permissions granted for Lambda execution. If you
* provide a Role, you must add the relevant AWS managed policies yourself.
*
* The relevant managed policies are "service-role/AWSLambdaBasicExecutionRole" and
* "service-role/AWSLambdaVPCAccessExecutionRole".
*
* @default - A unique role will be generated for this lambda function.
* Both supplied and generated roles can always be changed by calling `addToRolePolicy`.
*/
Expand Down