
I need to create a way to execute specific Lambdas for specific IAM users, so I am doing the following:

I am creating a Usergroup in cloudformation:

Resources:
  XXXGroup:
    Type: AWS::IAM::Group

And after that I am creating a policy and adding the policy to my UserGroup:

  UsersXPolicies:
    Type: AWS::IAM::Policy
    Properties:
      Groups:
        - !Ref XXXGroup
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Action:
              - "lambda:*"
            Resource:
              - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunction
              - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunction2
      PolicyName: xxx-access-policy

I tried first with only "lambda:InvokeFunction" but it did not work, then I tried with lambda:* but it did not work either.

After that I am creating a user:

  XXUser:
    Type: AWS::IAM::User
    Properties:
      UserName: xxx.user
      LoginProfile:
        Password: l98GaTc9xzT9
        PasswordResetRequired: true
      Path: /

And finally I am adding the user to my UserGroup:

  USerAdditionX:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref XXXGroup
      Users:
        - !Ref XXUser

But after logging in with my new user I am getting the following error when I go to the Lambda service:

User: arn:aws:iam::xxxxxxxxx:user/xx.user is not authorized to perform: lambda:GetAccountSettings on resource: * because no identity-based policy allows the lambda:GetAccountSettings action

Access to specific lambdas from my new user

2 Answers


  1. The problem is that Lambda gets its permissions from a role. Policies are attached to the role.

    You need to attach your policies to a role and then attach a role to lambda.

    Please read about the Lambda execution role over here.
  2. You can't limit the visibility of the list of all the Lambda functions (there is also the same "problem" with the EC2 instance and S3 bucket permission policies), so your user cannot interact with the Lambda because the policy that you provided has a condition on the specific resource, but he needs the full read-only capability even to see the function.

    You should add at least an Allow statement on lambda:ListFunctions and lambda:GetAccountSettings for Resource "*" (so on every Lambda in your account), as stated here.

    You could also, as documented here, add the standard AWSLambda_ReadOnlyAccess policy to your group.

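The second answer's fix, written out as a complete least-privilege CloudFormation template. This is an added example, not code from the question or from either answer: the resource and function names (XXXGroup, XXUser, USerAdditionX, MyFunction, MyFunction2, xxx-access-policy) are taken from the question, while the Sid values and the NoEcho parameter used for the console password are assumptions of this example. The first statement grants the account-level read actions that only accept Resource "*"; the second keeps the per-function actions scoped to the two ARNs, replacing the question's "lambda:*".

```yaml
# Added example, not the question's or an answer's own template.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  InitialPassword:
    Type: String
    NoEcho: true            # keeps the value out of stack events and describe-stacks output
    Description: Temporary console password; the user must change it at first login

Resources:
  XXXGroup:
    Type: AWS::IAM::Group

  UsersXPolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: xxx-access-policy
      Groups:
        - !Ref XXXGroup
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # 1. Account-level read actions the console calls before it shows any
          #    function. They only support Resource "*", so they cannot be scoped
          #    to MyFunction / MyFunction2 (this is the source of the error in
          #    the question).
          - Sid: LambdaConsoleListing
            Effect: Allow
            Action:
              - lambda:ListFunctions
              - lambda:GetAccountSettings
            Resource: "*"
          # 2. Per-function actions, scoped to the two functions only. Unlike the
          #    question's "lambda:*", this does not also grant write actions such
          #    as UpdateFunctionCode or DeleteFunction on those ARNs.
          - Sid: InvokeSpecificFunctions
            Effect: Allow
            Action:
              - lambda:InvokeFunction
              - lambda:GetFunction
              - lambda:GetFunctionConfiguration
            Resource:
              - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunction"
              - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunction2"

  XXUser:
    Type: AWS::IAM::User
    Properties:
      UserName: xxx.user
      Path: /
      LoginProfile:
        Password: !Ref InitialPassword   # supplied at deploy time instead of hard-coded
        PasswordResetRequired: true

  USerAdditionX:
    Type: AWS::IAM::UserToGroupAddition
    Properties:
      GroupName: !Ref XXXGroup
      Users:
        - !Ref XXUser
```

With this policy the user can list all functions in the account (names and metadata only) but can invoke or read the configuration of just the two named ones; an invoke against any other function ARN is denied because no statement matches it. The console may call further read-only actions on some pages, so if a screen still reports an authorization error, compare the action named in the error against the first statement before reaching for the broader AWSLambda_ReadOnlyAccess managed policy mentioned in the answer.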