Docs
PackagesAWS Native is in preview. AWS Classic is fully supported.
aws-native.lambda.Permission
Explore with Pulumi AI
AWS Native is in preview. AWS Classic is fully supported.
The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.
To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in AOlong, specify the organization ID as the PrincipalOrgID. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.
If your function has a fu
Create Permission Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Permission(name: string, args: PermissionArgs, opts?: CustomResourceOptions);@overload
def Permission(resource_name: str,
args: PermissionArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Permission(resource_name: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
function_name: Optional[str] = None,
principal: Optional[str] = None,
event_source_token: Optional[str] = None,
function_url_auth_type: Optional[lambda_.PermissionFunctionUrlAuthType] = None,
principal_org_id: Optional[str] = None,
source_account: Optional[str] = None,
source_arn: Optional[str] = None)func NewPermission(ctx *Context, name string, args PermissionArgs, opts ...ResourceOption) (*Permission, error)public Permission(string name, PermissionArgs args, CustomResourceOptions? opts = null)
public Permission(String name, PermissionArgs args)
public Permission(String name, PermissionArgs args, CustomResourceOptions options)
type: aws-native:lambda:Permission
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PermissionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PermissionArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PermissionArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PermissionArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PermissionArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Example
The following reference example uses placeholder values for all input properties.
Coming soon!
Coming soon!
Coming soon!
Coming soon!
const aws_nativePermissionResource = new aws_native.lambda.Permission("aws-nativePermissionResource", {
action: "string",
functionName: "string",
principal: "string",
eventSourceToken: "string",
functionUrlAuthType: aws_native.lambda.PermissionFunctionUrlAuthType.AwsIam,
principalOrgId: "string",
sourceAccount: "string",
sourceArn: "string",
});
Coming soon!
Permission Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Permission resource accepts the following input properties:
- Action string
- The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - Function
Name string The name of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- Principal string
- The AWS-service or AWS-account that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - Event
Source stringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- Function
Url Pulumi.Auth Type Aws Native. Lambda. Permission Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - Principal
Org stringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- Source
Account string - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - Source
Arn string - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- Action string
- The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - Function
Name string The name of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- Principal string
- The AWS-service or AWS-account that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - Event
Source stringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- Function
Url PermissionAuth Type Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - Principal
Org stringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- Source
Account string - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - Source
Arn string - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action String
- The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function
Name String The name of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal String
- The AWS-service or AWS-account that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event
Source StringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- function
Url PermissionAuth Type Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal
Org StringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source
Account String - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source
Arn String - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action string
- The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function
Name string The name of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal string
- The AWS-service or AWS-account that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event
Source stringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- function
Url PermissionAuth Type Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal
Org stringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source
Account string - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source
Arn string - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action str
- The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function_
name str The name of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal str
- The AWS-service or AWS-account that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event_
source_ strtoken - For Alexa Smart Home functions, a token that the invoker must supply.
- function_
url_ lambda_.auth_ type Permission Function Url Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal_
org_ strid - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source_
account str - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source_
arn str - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
- action String
- The action that the principal can use on the function. For example,
lambda:InvokeFunctionorlambda:GetFunction. - function
Name String The name of the Lambda function, version, or alias. Name formats
- Function name –
my-function(name-only),my-function:v1(with alias). - Function ARN –
arn:aws:lambda:us-west-2:123456789012:function:my-function. - Partial ARN –
123456789012:function:my-function.
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
- Function name –
- principal String
- The AWS-service or AWS-account that invokes the function. If you specify a service, use
SourceArnorSourceAccountto limit who can invoke the function through that service. - event
Source StringToken - For Alexa Smart Home functions, a token that the invoker must supply.
- function
Url "AWS_IAM" | "NONE"Auth Type - The type of authentication that your function URL uses. Set to
AWS_IAMif you want to restrict access to authenticated users only. Set toNONEif you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs. - principal
Org StringId - The identifier for your organization in AOlong. Use this to grant permissions to all the AWS-accounts under this organization.
- source
Account String - For AWS-service, the ID of the AWS-account that owns the resource. Use this together with
SourceArnto ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account. - source
Arn String - For AWS-services, the ARN of the AWS resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the
StringLikeoperator.
Outputs
All input properties are implicitly available as output properties. Additionally, the Permission resource produces the following output properties:
Supporting Types
PermissionFunctionUrlAuthType, PermissionFunctionUrlAuthTypeArgs
- Aws
Iam - AWS_IAM
- None
- NONE
- Permission
Function Url Auth Type Aws Iam - AWS_IAM
- Permission
Function Url Auth Type None - NONE
- Aws
Iam - AWS_IAM
- None
- NONE
- Aws
Iam - AWS_IAM
- None
- NONE
- AWS_IAM
- AWS_IAM
- NONE
- NONE
- "AWS_IAM"
- AWS_IAM
- "NONE"
- NONE
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0
AWS Native is in preview. AWS Classic is fully supported.