27

To allow an AWS service to invoke a Lambda function you need to apply permissions. The JSON for this permission could look a little something like so:

{
    "FunctionName": "someFunction", 
    "StatementId": "1", 
    "Action": "lambda:InvokeFunction", 
    "Principal": "codecommit.amazonaws.com", 
    "SourceArn": "arn:aws:codecommit:us-east-1:80398EXAMPLE:MyDemoRepo", 
    "SourceAccount": "80398EXAMPLE"
}

The above is taken from http://docs.aws.amazon.com/codecommit/latest/userguide/how-to-notify-lambda.html

A permission is easy enough to add using the command line interface (CLI). See http://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html. And it can be removed using the command at http://docs.aws.amazon.com/cli/latest/reference/lambda/remove-permission.html

What I cannot find is a way to list existing permissions. I've looked everywhere in the Lambda and the IAM GUI. I've looked at the list of CLI commands for Lambda at http://docs.aws.amazon.com/cli/latest/reference/lambda/index.html#cli-aws-lambda - there seems to be no command to list permissions. I also looked at the IAM commands for a laugh at http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam. Nothing sticks out there.

So the question: how do you get a list of Lambda permissions? What am I missing here, and if it is actually impossible, why? Hopefully there are some AWS experts out there who can shed light on this.

James Jones

2 Answers

37

This one confused me, too. You can add a permission to a Lambda function with the aws lambda add-permission command in the AWS CLI. You can remove a permission using aws lambda remove-permission. But to see the existing permissions you use aws lambda get-policy.

garnaat
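As an added example (not code from the answer above or from AWS), here is how to read what aws lambda get-policy returns: the "Policy" field is a JSON document serialised as a string, so it has to be decoded a second time before its statements can be listed. The sample response is constructed to match the add-permission JSON in the question, and the function and field names (list_permissions, is_unrestricted) are my own.

```python
import json

# Constructed sample of the output of:
#   aws lambda get-policy --function-name someFunction
# The "Policy" value is itself JSON encoded as a string (double-encoded).
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [{
            "Sid": "1",                      # the StatementId used by remove-permission
            "Effect": "Allow",
            "Principal": {"Service": "codecommit.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:80398EXAMPLE:function:someFunction",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "80398EXAMPLE"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:codecommit:us-east-1:80398EXAMPLE:MyDemoRepo"},
            },
        }],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",  # constructed placeholder
})


def list_permissions(get_policy_output):
    """Flatten the function's resource policy into one row per statement."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])  # second decode
    rows = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", "*")
        if isinstance(principal, dict):  # {"Service": ...} or {"AWS": ...}
            principal = principal.get("Service") or principal.get("AWS") or "*"
        cond = stmt.get("Condition", {})
        rows.append({
            "StatementId": stmt.get("Sid"),
            "Action": stmt.get("Action"),
            "Principal": principal,
            "SourceArn": cond.get("ArnLike", {}).get("AWS:SourceArn"),
            "SourceAccount": cond.get("StringEquals", {}).get("AWS:SourceAccount"),
        })
    return rows


def is_unrestricted(row):
    """True when any principal may invoke the function with no source condition."""
    return row["Principal"] == "*" and not row["SourceArn"] and not row["SourceAccount"]


if __name__ == "__main__":
    for row in list_permissions(SAMPLE_GET_POLICY_OUTPUT):
        print(row, "UNRESTRICTED" if is_unrestricted(row) else "")
```

The StatementId column is the value to pass to aws lambda remove-permission --statement-id when a grant should be revoked.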
0

I am no AWS expert, though here is my suggestion:

Go to your Lambda function detailed view and go to the "Event Sources" tab. It lists all the sources which are allowed to push content to your Lambda function. From there on you can go to the individual event source to see the exact permissions granted (usually execution permissions, as your statement policy shows).

Hope that helps.

Furhan S.
  • Just took a look, I get "You do not have any event sources for this function". I should be clear that I am granting permission for Codecommit repo triggers to invoke the function and nothing else. I know that Codecommit triggers are just a few months old - maybe AWS haven't added them as an event source. – James Jones Jun 13 '16 at 11:09
  • @JamesJones one possibility is event source gets listed upon receiving first event. As Codecommit invokes your lambda (and hence acts as a source), it must be listed here. Try to do a test commit and see afterwards. – Furhan S. Jun 13 '16 at 11:30
  • Good idea, but I've invoked that badboy several times already. – James Jones Jun 13 '16 at 11:39
  • @JamesJones Can you check AWS CloudWatch Logs for log file of your lambda function? I am suspecting that your lambda did not get invoked by the CodeCommit (Possibly a configuration issue). If your lambda was invoked, it must have an associated log file in CloudWatch logs. – Furhan S. Jun 13 '16 at 12:40
  • I have lots of logs in Cloudwatch, yes. I promise it really is being invoked :) – James Jones Jun 13 '16 at 12:42