Kyle Pericak

"It works in my environment"

Created: 2020-01-09Updated: 2020-01-09

IAM Auth for Lambda

cloudawslambdapython
Restrict access to a specific AWS Lambda function using an IAM policy scoped to its ARN, then invoke it from Python with boto3 and access keys.

This post is linked to from the AWS: Deep Dive Project

This post covers how to restrict access to a Lambda function using AWS IAM roles. It builds on the function written in my last post

Table of Contents

Create a policy for your lambda function

Get the ARN of your function

Navigate to your function in the AWS Lambda Console. On the top right, the ARN is displayed. Copy it, you'll use it in the policy.

Create the policy

Open the IAM Console and create a new policy. The JSON looks like this. Note the ARN copied from the Function.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaInvokeHelloWorld",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:InvokeAsync"
            ],
            "Resource": "arn:aws:lambda:ca-central-1:850047500507:function:HelloWorld"
        }
    ]
}

Name the policy and assign it to your user. This user should have a Key ID and Secret Key.

Invoke Lambda from Python

Note that the payloads are in byte format.

import json
import boto3

key_id = 'XXXXXXXXXXXXXXXXX'
key_secret = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

session = boto3.Session(
    aws_access_key_id=key_id,
    aws_secret_access_key=key_secret)

client = session.client('lambda')

body = {'name': 'Kyle'}
payload = str.encode(json.dumps(body))
response = client.invoke(FunctionName='HelloWorld', Payload=payload)
print(response['Payload'].read())

If the user identified by that key has the above permission, they'll be able to execute this function. Otherwise they'll get a nice permissions error.