Docs Home
We recommend new projects start with resources from the AWS provider.
aws-native.lambda.Permission
Explore with Pulumi AI
We recommend new projects start with resources from the AWS provider.
The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.
To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in AOlong, specify the organization ID as the PrincipalOrgID. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.
If your function has a function URL, you can specify the FunctionUrlAuthType parameter. This adds a condition to your permission that only applies when your function URL’s AuthType matches the specified FunctionUrlAuthType. For more information about the AuthType parameter, see Security and auth model for function URLs.
This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies.
Create Permission Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Permission(name: string, args: PermissionArgs, opts?: CustomResourceOptions);@overload
def Permission(resource_name: str,
args: PermissionArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Permission(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
function_name: Optional[str] = None,
principal: Optional[str] = None,
event_source_token: Optional[str] = None,
function_url_auth_type: Optional[lambda_.PermissionFunctionUrlAuthType] = None,
principal_org_id: Optional[str] = None,
source_account: Optional[str] = None,
source_arn: Optional[str] = None)func NewPermission(ctx *Context, name string, args PermissionArgs, opts ...ResourceOption) (*Permission, error)public Permission(string name, PermissionArgs args, CustomResourceOptions? opts = null)public Permission(String name, PermissionArgs args)
public Permission(String name, PermissionArgs args, CustomResourceOptions options)
type: aws-native:lambda:Permission
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. PermissionArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. PermissionArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. PermissionArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. PermissionArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. PermissionArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Permission Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Permission resource accepts the following input properties:
- Action
This property is required. string - The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - Function
Name This property is required. string The name or ARN of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- Principal
This property is required. string - The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - Event
Source stringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- Function
Url Pulumi.Auth Type Aws Native. Lambda. Permission Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - Principal
Org stringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- Source
Account string - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - Source
Arn string - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- Action
This property is required. string - The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - Function
Name This property is required. string The name or ARN of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- Principal
This property is required. string - The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - Event
Source stringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- Function
Url PermissionAuth Type Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - Principal
Org stringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- Source
Account string - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - Source
Arn string - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action
This property is required. String - The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function
Name This property is required. String The name or ARN of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal
This property is required. String - The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event
Source StringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- function
Url PermissionAuth Type Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal
Org StringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source
Account String - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source
Arn String - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action
This property is required. string - The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function
Name This property is required. string The name or ARN of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal
This property is required. string - The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event
Source stringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- function
Url PermissionAuth Type Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal
Org stringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source
Account string - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source
Arn string - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action
This property is required. str - The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function_
name This property is required. str The name or ARN of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal
This property is required. str - The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event_
source_ strtoken - For Alexa Smart Home functions, a token that the invoker must supply.
- function_
url_ lambda_.auth_ type Permission Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal_
org_ strid - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source_
account str - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source_
arn str - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action
This property is required. String - The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function
Name This property is required. String The name or ARN of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal
This property is required. String - The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event
Source StringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- function
Url "AWS_IAM" | "NONE"Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal
Org StringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source
Account String - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source
Arn String - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
Outputs
All input properties are implicitly available as output properties. Additionally, the Permission resource produces the following output properties:
Supporting Types
PermissionFunctionUrlAuthType, PermissionFunctionUrlAuthTypeArgs
- Aws
Iam - AWS_IAM
- None
- NONE
- Permission
Function Url Auth Type Aws Iam - AWS_IAM
- Permission
Function Url Auth Type None - NONE
- Aws
Iam - AWS_IAM
- None
- NONE
- Aws
Iam - AWS_IAM
- None
- NONE
- AWS_IAM
- AWS_IAM
- NONE
- NONE
- "AWS_IAM"
- AWS_IAM
- "NONE"
- NONE
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0
We recommend new projects start with resources from the AWS provider.