1. Packages
  2. AWS Cloud Control
  3. API Docs
  4. lambda
  5. Permission

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.37.0 published on Wednesday, Oct 15, 2025 by Pulumi
pulumi/pulumi-aws-native

aws-native.lambda.Permission

Get Started
aws-native logo

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.37.0 published on Wednesday, Oct 15, 2025 by Pulumi
pulumi/pulumi-aws-native

    The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function. To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in AOlong, specify the organization ID as the PrincipalOrgID. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. If your function has a function URL, you can specify the FunctionUrlAuthType parameter. This adds a condition to your permission that only applies when your function URL’s AuthType matches the specified FunctionUrlAuthType. For more information about the AuthType parameter, see Security and auth model for function URLs. This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies.

    Create Permission Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Permission(name: string, args: PermissionArgs, opts?: CustomResourceOptions);
    @overload
def Permission(resource_name: str,
               args: PermissionArgs,
               opts: Optional[ResourceOptions] = None)

@overload
def Permission(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               action: Optional[str] = None,
               function_name: Optional[str] = None,
               principal: Optional[str] = None,
               event_source_token: Optional[str] = None,
               function_url_auth_type: Optional[PermissionFunctionUrlAuthType] = None,
               invoked_via_function_url: Optional[bool] = None,
               principal_org_id: Optional[str] = None,
               source_account: Optional[str] = None,
               source_arn: Optional[str] = None)
    func NewPermission(ctx *Context, name string, args PermissionArgs, opts ...ResourceOption) (*Permission, error)
    public Permission(string name, PermissionArgs args, CustomResourceOptions? opts = null)
    public Permission(String name, PermissionArgs args)
public Permission(String name, PermissionArgs args, CustomResourceOptions options)

    type: aws-native:lambda:Permission
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Permission Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Permission resource accepts the following input properties:

    Action string
    The action that the principal can use on the function. For example, lambda:InvokeFunction or lambda:GetFunction.
    FunctionName string

    The name or ARN of the Lambda function, version, or alias. Name formats

    • Function namemy-function (name-only), my-function:v1 (with alias).
    • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.
    • Partial ARN123456789012:function:my-function.

    You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    Principal string
    The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
    EventSourceToken string
    For Alexa Smart Home functions, a token that the invoker must supply.
    FunctionUrlAuthType Pulumi.AwsNative.Lambda.PermissionFunctionUrlAuthType
    The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
    InvokedViaFunctionUrl bool
    Restricts the lambda:InvokeFunction action to calls coming from a function URL. When set to true , this prevents the principal from invoking the function by any means other than the function URL. For more information, see Control access to Lambda function URLs .
    PrincipalOrgId string
    The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
    SourceAccount string
    For AWS-service, the ID of the AWS-account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
    SourceArn string
    For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the StringLike operator.
    Action string
    The action that the principal can use on the function. For example, lambda:InvokeFunction or lambda:GetFunction.
    FunctionName string

    The name or ARN of the Lambda function, version, or alias. Name formats

    • Function namemy-function (name-only), my-function:v1 (with alias).
    • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.
    • Partial ARN123456789012:function:my-function.

    You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    Principal string
    The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
    EventSourceToken string
    For Alexa Smart Home functions, a token that the invoker must supply.
    FunctionUrlAuthType PermissionFunctionUrlAuthType
    The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
    InvokedViaFunctionUrl bool
    Restricts the lambda:InvokeFunction action to calls coming from a function URL. When set to true , this prevents the principal from invoking the function by any means other than the function URL. For more information, see Control access to Lambda function URLs .
    PrincipalOrgId string
    The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
    SourceAccount string
    For AWS-service, the ID of the AWS-account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
    SourceArn string
    For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the StringLike operator.
    action String
    The action that the principal can use on the function. For example, lambda:InvokeFunction or lambda:GetFunction.
    functionName String

    The name or ARN of the Lambda function, version, or alias. Name formats

    • Function namemy-function (name-only), my-function:v1 (with alias).
    • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.
    • Partial ARN123456789012:function:my-function.

    You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    principal String
    The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
    eventSourceToken String
    For Alexa Smart Home functions, a token that the invoker must supply.
    functionUrlAuthType PermissionFunctionUrlAuthType
    The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
    invokedViaFunctionUrl Boolean
    Restricts the lambda:InvokeFunction action to calls coming from a function URL. When set to true , this prevents the principal from invoking the function by any means other than the function URL. For more information, see Control access to Lambda function URLs .
    principalOrgId String
    The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
    sourceAccount String
    For AWS-service, the ID of the AWS-account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
    sourceArn String
    For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the StringLike operator.
    action string
    The action that the principal can use on the function. For example, lambda:InvokeFunction or lambda:GetFunction.
    functionName string

    The name or ARN of the Lambda function, version, or alias. Name formats

    • Function namemy-function (name-only), my-function:v1 (with alias).
    • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.
    • Partial ARN123456789012:function:my-function.

    You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    principal string
    The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
    eventSourceToken string
    For Alexa Smart Home functions, a token that the invoker must supply.
    functionUrlAuthType PermissionFunctionUrlAuthType
    The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
    invokedViaFunctionUrl boolean
    Restricts the lambda:InvokeFunction action to calls coming from a function URL. When set to true , this prevents the principal from invoking the function by any means other than the function URL. For more information, see Control access to Lambda function URLs .
    principalOrgId string
    The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
    sourceAccount string
    For AWS-service, the ID of the AWS-account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
    sourceArn string
    For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the StringLike operator.
    action str
    The action that the principal can use on the function. For example, lambda:InvokeFunction or lambda:GetFunction.
    function_name str

    The name or ARN of the Lambda function, version, or alias. Name formats

    • Function namemy-function (name-only), my-function:v1 (with alias).
    • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.
    • Partial ARN123456789012:function:my-function.

    You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    principal str
    The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
    event_source_token str
    For Alexa Smart Home functions, a token that the invoker must supply.
    function_url_auth_type PermissionFunctionUrlAuthType
    The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
    invoked_via_function_url bool
    Restricts the lambda:InvokeFunction action to calls coming from a function URL. When set to true , this prevents the principal from invoking the function by any means other than the function URL. For more information, see Control access to Lambda function URLs .
    principal_org_id str
    The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
    source_account str
    For AWS-service, the ID of the AWS-account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
    source_arn str
    For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the StringLike operator.
    action String
    The action that the principal can use on the function. For example, lambda:InvokeFunction or lambda:GetFunction.
    functionName String

    The name or ARN of the Lambda function, version, or alias. Name formats

    • Function namemy-function (name-only), my-function:v1 (with alias).
    • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function.
    • Partial ARN123456789012:function:my-function.

    You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    principal String
    The AWS-service, AWS-account, IAM user, or IAM role that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
    eventSourceToken String
    For Alexa Smart Home functions, a token that the invoker must supply.
    functionUrlAuthType "AWS_IAM" | "NONE"
    The type of authentication that your function URL uses. Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
    invokedViaFunctionUrl Boolean
    Restricts the lambda:InvokeFunction action to calls coming from a function URL. When set to true , this prevents the principal from invoking the function by any means other than the function URL. For more information, see Control access to Lambda function URLs .
    principalOrgId String
    The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
    sourceAccount String
    For AWS-service, the ID of the AWS-account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
    sourceArn String
    For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic. Note that Lambda configures the comparison using the StringLike operator.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Permission resource produces the following output properties:

    AwsId string
    Id string
    The provider-assigned unique ID for this managed resource.
    AwsId string
    Id string
    The provider-assigned unique ID for this managed resource.
    awsId String
    id String
    The provider-assigned unique ID for this managed resource.
    awsId string
    id string
    The provider-assigned unique ID for this managed resource.
    aws_id str
    id str
    The provider-assigned unique ID for this managed resource.
    awsId String
    id String
    The provider-assigned unique ID for this managed resource.

    Supporting Types

    PermissionFunctionUrlAuthType, PermissionFunctionUrlAuthTypeArgs

    AwsIam
    AWS_IAM
    None
    NONE
    PermissionFunctionUrlAuthTypeAwsIam
    AWS_IAM
    PermissionFunctionUrlAuthTypeNone
    NONE
    AwsIam
    AWS_IAM
    None
    NONE
    AwsIam
    AWS_IAM
    None
    NONE
    AWS_IAM
    AWS_IAM
    NONE
    NONE
    "AWS_IAM"
    AWS_IAM
    "NONE"
    NONE

    Package Details

    Repository
    AWS Native pulumi/pulumi-aws-native
    License
    Apache-2.0
    aws-native logo

    We recommend new projects start with resources from the AWS provider.

    AWS Cloud Control v1.37.0 published on Wednesday, Oct 15, 2025 by Pulumi
    pulumi/pulumi-aws-native
      Meet Neo: Your AI Platform Teammate