Thursday, August 04, 2016

Trust Relationship and Policies for AWS API Gateway and Lambdas

Your Policy for the lambda should set up everything your lambda is allowed to do. This includes passing a role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1470153553000",
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-west-2:439753510372:table/YoYoDyne_Products"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        },
        {
            "Sid": "Stmt1449789105000",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Your policy also needs to have a trust relationship.
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "",
           "Effect": "Allow",
           "Principal": {
               "Service": ["lambda.amazonaws.com", "apigateway.amazonaws.com"]
           },
           "Action": "sts:AssumeRole"
       }
   ]
}

No comments: