Viewing resource-based IAM policies in Lambda
Lambda supports resource-based permissions policies for Lambda functions and layers. You can use resource-based policies to grant access to other AWS accounts, organizations, or services. Resource-based policies apply to a single function, version, alias, or layer version.
Console

To view a function's resource-based policy:

- Open the Functions page of the Lambda console.
- Choose a function.
- Choose Configuration and then choose Permissions.
- Scroll down to Resource-based policy and then choose View policy document.

The resource-based policy shows the permissions that are applied when another account or AWS service attempts to access the function. The following example shows a statement that allows Amazon S3 to invoke a function named my-function for a bucket named amzn-s3-demo-bucket in account 123456789012. Because an S3 bucket ARN carries no account ID, the AWS:SourceAccount condition is what keeps a bucket of that name that is later owned by a different account from invoking the function (the confused-deputy problem); a service-principal grant without such a condition should be treated as a finding.

Example resource-based policy

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "lambda-allow-s3-my-function",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "123456789012"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
        }
      }
    }
  ]
}
AWS CLI

To view a function's resource-based policy, use the get-policy command.

aws lambda get-policy \
  --function-name my-function \
  --output text

You should see the following output (the policy document, followed by the policy's RevisionId):

{"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"sns","Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]}

For versions and aliases, append the version number or alias to the function name.

aws lambda get-policy --function-name my-function:PROD

To remove permissions from your function, use remove-permission with the statement's Sid.

aws lambda remove-permission \
  --function-name my-function \
  --statement-id sns

Both remove-permission and remove-layer-version-permission accept --revision-id. Pass the RevisionId returned by the corresponding get command so that the removal fails instead of applying over a policy that someone else changed in the meantime.

Use the get-layer-version-policy command to view the permissions on a layer.

aws lambda get-layer-version-policy \
  --layer-name my-layer \
  --version-number 3 \
  --output text

You should see the following output:

b0cd9796-d4eb-4564-939f-de7fe0b42236 {"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}

Note that the layer statement grants lambda:GetLayerVersion to Principal "*" but is still scoped: the aws:PrincipalOrgID condition limits it to principals in one organization. A "*" principal with no such condition makes the layer version readable by any AWS account.

Use remove-layer-version-permission to remove statements from the policy.

aws lambda remove-layer-version-permission --layer-name my-layer --version-number 3 --statement-id engineering-org
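Reviewing these policies by eye does not scale past a handful of functions, and the risky cases are the same for functions and layers: a service principal with no AWS:SourceAccount/AWS:SourceArn condition, or a "*" principal with no aws:PrincipalOrgID or similar condition. The following script is an added example and is not part of the AWS documentation or the AWS CLI. It parses the JSON that get-policy or get-layer-version-policy prints with the default JSON output (where the Policy field is itself a JSON-encoded string) and reports unscoped Allow statements. The sample documents, the RevisionId values and the list of "scoping" condition keys are constructed for illustration; extend the key list to match your own standards.

```python
"""Audit Lambda resource-based policies for unscoped principals.
Added example, not AWS code: it reads the JSON output of
`aws lambda get-policy` / `aws lambda get-layer-version-policy` (the
"Policy" field is a JSON-encoded string) and flags Allow statements whose
principal is a service or "*" but that carry no account/org scoping condition.
"""
import json
import sys

# Constructed sample shaped like `aws lambda get-policy --function-name my-function`.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # scoped: only amzn-s3-demo-bucket owned by 123456789012 may invoke
                "Sid": "lambda-allow-s3-my-function",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function",
                "Condition": {
                    "StringEquals": {"AWS:SourceAccount": "123456789012"},
                    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"},
                },
            },
            {   # unscoped service principal: any SNS topic in any account can invoke
                "Sid": "sns-unscoped",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function",
            },
            {   # anonymous principal: a function URL with auth type NONE is public
                "Sid": "public-url",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunctionUrl",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function",
                "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
            },
        ],
    }),
    "RevisionId": "0d3a1e35-2a9e-4b1e-9d35-5c5f3d4c8a5b",  # constructed value
})

# Constructed sample shaped like `aws lambda get-layer-version-policy` output,
# carrying the organization-scoped layer statement shown on the page.
SAMPLE_LAYER_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "engineering-org", "Effect": "Allow", "Principal": "*",
        "Action": "lambda:GetLayerVersion",
        "Resource": "arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-t194hfs8cz"}}}]}),
    "RevisionId": "b0cd9796-d4eb-4564-939f-de7fe0b42236",
})

# Condition keys that tie a grant to one account, organization or source ARN
# (an assumed list for this example). IAM condition keys are case-insensitive,
# so everything is compared lower-cased.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid",
                "aws:principalorgid", "aws:principalaccount"}

def condition_keys(statement):
    """Return the lower-cased condition keys used anywhere in a statement."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def audit_statement(statement):
    """Return finding strings for one statement; an empty list means it is scoped."""
    if statement.get("Effect") != "Allow":
        return []
    sid = statement.get("Sid", "<no Sid>")
    principal = statement.get("Principal")
    scoped = bool(condition_keys(statement) & SCOPING_KEYS)
    if principal in ("*", {"AWS": "*"}) and not scoped:
        return [f"{sid}: anonymous principal '*' with no account/org scoping condition"]
    if isinstance(principal, dict) and "Service" in principal and not scoped:
        return [f"{sid}: service principal {principal['Service']} lacks "
                "aws:SourceAccount/aws:SourceArn (confused-deputy risk)"]
    return []

def audit_cli_output(cli_output):
    """Parse get-policy / get-layer-version-policy JSON output and audit every statement."""
    policy = json.loads(json.loads(cli_output)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be written without a list
        statements = [statements]
    findings = []
    for statement in statements:
        findings.extend(audit_statement(statement))
    return findings

if __name__ == "__main__":
    # Pipe real CLI output in, or run with no input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_POLICY_OUTPUT
    for finding in audit_cli_output(data) or ["no unscoped statements found"]:
        print(finding)
```

To run it against a real function, omit --output text so the CLI emits JSON and pipe it in, for example `aws lambda get-policy --function-name my-function | python3 audit_policy.py` (the file name is an assumption). The same invocation works for get-layer-version-policy because both commands return a Policy string and a RevisionId. The S3 statement and the organization-scoped layer statement produce no findings; the unscoped SNS grant and the public function URL do.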
Supported API actions

The following Lambda API actions support resource-based policies:

- InvokeFunctionUrl (permission only)