How to make a role assumable by given lambda function?

Old one but recently ran into this problem. The answer is the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:eu-west-1:[account_id]:function:testaa"
        }
      }
    }
  ]
}

@nagalakshmi From the given link http://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html, in the first paragraph they clearly mention it is not supported.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateFunctionPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PermissionToPassAnyRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::account-id:role/*"
        }
    ]
}

From AWS documentation

The policy has two statements:

The first statement grants permissions for the AWS Lambda action (lambda:CreateFunction) on a resource by using the Amazon Resource Name (ARN) for the Lambda function. Currently, AWS Lambda doesn't support permissions for this particular action at the resource-level. Therefore, the policy specifies a wildcard character (*) as the Resource value.


The second statement grants permissions for the IAM action (iam:PassRole) on IAM roles. The wildcard character (*) at the end of the Resource value means that the statement allows permission for the iam:PassRole action on any IAM role. To limit this permission to a specific role, replace the wildcard character (*) in the resource ARN with the specific role name.

In the above statement from the documentation, they mention that permissions at the resource level are currently not supported.

So they might have it as a feature request.
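
An added example, not part of the answers above or of the AWS documentation: a small check that flags identity policies whose iam:PassRole grant covers wildcard role ARNs, as the quoted "PermissionToPassAnyRole" statement does. The narrowed policy, its role name `example-lambda-exec-role`, and the function names are assumptions made for illustration; both policies are constructed inputs.

```python
import json
from fnmatch import fnmatchcase

# Constructed input: the policy quoted above (account-id is the page's placeholder).
BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateFunctionPermissions", "Effect": "Allow",
     "Action": ["lambda:CreateFunction"], "Resource": "*"},
    {"Sid": "PermissionToPassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::account-id:role/*"}
  ]}""")

# Constructed input: PassRole narrowed to one role (hypothetical name) and to Lambda only.
NARROW = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PassOneRoleToLambda", "Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::account-id:role/example-lambda-exec-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}
  ]}""")

def as_list(value):
    # IAM allows a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]

def broad_passrole_findings(policy):
    """List Allow statements whose iam:PassRole grant covers wildcard role ARNs.
    NotAction / NotResource statements are not evaluated by this check."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # Action patterns are case-insensitive and may contain wildcards (iam:*, iam:Pass*).
        actions = as_list(stmt.get("Action", []))
        if not any(fnmatchcase("iam:passrole", a.lower()) for a in actions):
            continue
        wild = [r for r in as_list(stmt.get("Resource", [])) if "*" in r or "?" in r]
        if not wild:
            continue
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        findings.append({"sid": stmt.get("Sid", f"statement[{i}]"),
                         "resources": wild,
                         "service_scoped": "iam:passedtoservice" in cond_keys})
    return findings

if __name__ == "__main__":
    for name, pol in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, broad_passrole_findings(pol))
```

A finding with `service_scoped` set to false means the principal can pass any matching role to any service that accepts one, not only to Lambda.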