1

The policy definition of the AWS managed policy (AWSLambdaExecute) is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

But the AWS documentation gives a sample serverless function using the same policy name AWSLambdaExecute, as shown below:

Type: AWS::Serverless::Function
Properties:
  Handler: index.js
  Runtime: nodejs8.10
  CodeUri: 's3://my-code-bucket/my-function.zip'
  Description: Creates thumbnails of uploaded images
  MemorySize: 1024
  Timeout: 15
  Policies:
    - AWSLambdaExecute # Managed Policy
    - Version: '2012-10-17' # Policy Document
      Statement:
        - Effect: Allow
          Action:
            - s3:GetObject
            - s3:GetObjectACL
          Resource: 'arn:aws:s3:::my-bucket/*'

which does not match the definition above.

Edit:

Below is the sample function's execution role... I do not see AWS managed execution role names (such as AWSLambdaBasicExecutionRole), because my understanding is that the AWSLambdaBasicExecutionRole role should be assigned to Lambda by default.



Are we overriding the policy definition of AWSLambdaExecute in this example?

overexchange

3 Answers

2

When you are specifying policies, you are basically building an execution role for your lambda function.

Policies is a list of policies because a role can include multiple policies.

This line

- AWSLambdaExecute # Managed Policy

states that the lambda function that you are creating should include this AWS managed policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
} 

Following lines:

- Version: '2012-10-17' # Policy Document
  Statement:
    - Effect: Allow
      Action:
        - s3:GetObject
        - s3:GetObjectACL
      Resource: 'arn:aws:s3:::my-bucket/*'

are specifying the next policy that you want to include in your lambda execution role.

Are we overriding the policy definition of AWSLambdaExecute in this example?

No, we are adding multiple policies to the lambda execution role: one of them is an AWS managed policy and the other is our own custom policy. So the lambda function will have the permissions defined in both of them. Or more precisely, the union of those policies will be made and the lambda function will have the permissions defined by that union, meaning that if one of the policies allows the lambda function to do something and the other denies the same thing, the result will be that the action is denied.

Matus Dubrava
  • What is the name of that lambda execution role? Is it `AWSLambdaBasicExecutionRole`? – overexchange Jul 14 '19 at 16:35
  • Yes, the one that is adding permissions to CloudWatch logs is called `AWSLambdaBasicExecutionRole`, but if you are asking what the name of the new role created by CloudFormation is, then the name is unique each time you create a new stack, something like `lambda-test-ThumbnailFunctionRole-LWUCKA5ULR2A`. – Matus Dubrava Jul 14 '19 at 16:40
  • Matus, I think the question here is: does SAM create a new (randomly named) execution role for each lambda function specified in the template? Do you know this? – Martin Löper Jul 14 '19 at 16:43
  • Yup, I have realized that :) And yes, CF will create a new role. – Matus Dubrava Jul 14 '19 at 16:43
  • And if you want to find the exact name of your role, you can go to CloudFormation -> select the newly created stack -> select Resources -> look for the role (the logical ID of the role will be `NameOfTheFunctionRole`, which will have a physical ID associated with it). – Matus Dubrava Jul 14 '19 at 16:49
  • How do I see the list of roles assigned to my Lambda function after deploy? – overexchange Jul 14 '19 at 16:56
  • Your lambda function can only have one role at a time. If you are asking how to see the list of permissions of the new role, then you can either go to IAM and search for that new role, or you can go to the Lambda service -> select that lambda function -> click on the key icon in the designer, which will show the function policy on the left and the execution role on the right (the one that contains those permissions). – Matus Dubrava Jul 14 '19 at 17:00
  • Question edited with a screenshot... relating to my question in the previous comment. – overexchange Jul 14 '19 at 17:02
  • That picture shows the name of that new role, which has the union of permissions constructed from the custom policy and the managed policy defined in your SAM template. – Matus Dubrava Jul 14 '19 at 17:06
  • Little follow-up on this... https://stackoverflow.com/q/57029782/3317808 – overexchange Jul 14 '19 at 17:49
  • My own custom policy is creating an inline policy but to a customer managed policy... https://stackoverflow.com/q/57029985/3317808 – overexchange Jul 14 '19 at 18:16
1

I think what your Policies attribute does is:

  • attaches the managed policy AWSLambdaExecute and then
  • creates an inline policy for your execution role which grants the s3 permissions s3:GetObject and s3:PutObject. There is another SO post which indicates that SAM now supports defining inline policies. [1]

Defining inline policies does not overwrite anything. You can have multiple different types of policies attached to a single identity (e.g. IAM user or role). [2]

References

[1] https://stackoverflow.com/a/52719165/10473469
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

Martin Löper
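Added example, not part of the question or of either answer above: a small offline model of how IAM evaluates the execution role that the SAM `Policies` list builds. It takes the AWSLambdaExecute document quoted in the question and the inline document from the SAM template, treats them as two policies attached to one role, and evaluates individual requests against the union. It shows the two points the answers make (the documents are unioned, not overridden, and an explicit Deny wins) plus a least-privilege caveat worth checking before copying the template: AWSLambdaExecute already grants s3:GetObject and s3:PutObject on `arn:aws:s3:::*`, so the bucket-scoped inline policy only adds s3:GetObjectACL on my-bucket and does not confine the function to that bucket. The `MANAGED_POLICIES` lookup is a constructed stand-in for IAM's managed-policy catalogue, and the evaluator is simplified (no Condition, NotAction, NotResource, resource policies, permission boundaries or SCPs).

```python
"""Simplified IAM evaluation of a SAM-built Lambda execution role.

Added example; the policy documents are copied from the question, the
managed-policy lookup and the evaluator are constructed for illustration.
"""
from fnmatch import fnmatchcase

# AWSLambdaExecute as quoted in the question.
AWS_LAMBDA_EXECUTE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

# The inline policy document from the SAM template in the question.
INLINE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectACL"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

# Constructed stand-in for IAM's managed-policy catalogue; only the policy
# the page quotes is included.
MANAGED_POLICIES = {"AWSLambdaExecute": AWS_LAMBDA_EXECUTE}

# The `Policies` list from the SAM template: one managed policy name, one
# inline document.
SAM_POLICIES = ["AWSLambdaExecute", INLINE_S3_POLICY]


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatchcase(value.lower(), pattern.lower())


def resolve_policies(sam_policies):
    """Map a SAM `Policies` list to the policy documents attached to the role.

    A string entry names a managed policy (attached by name); a dict entry
    is an inline policy document created on the role. Nothing replaces
    anything: every entry contributes its statements.
    """
    docs = []
    for entry in sam_policies:
        if isinstance(entry, str):
            docs.append(MANAGED_POLICIES[entry])
        else:
            docs.append(entry)
    return docs


def evaluate(policy_docs, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Statements from all attached documents are considered together; an
    explicit Deny anywhere wins over any Allow.
    """
    allowed = False
    for doc in policy_docs:
        for stmt in doc["Statement"]:
            action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    docs = resolve_policies(SAM_POLICIES)
    requests = [
        ("s3:GetObjectAcl", "arn:aws:s3:::my-bucket/photo.jpg"),     # only the inline policy grants this
        ("s3:GetObjectAcl", "arn:aws:s3:::other-bucket/photo.jpg"),  # nothing grants this
        ("s3:PutObject", "arn:aws:s3:::other-bucket/photo.jpg"),     # AWSLambdaExecute grants this on any bucket
        ("logs:CreateLogGroup", "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn"),
    ]
    for action, resource in requests:
        print(f"{action:20} {resource:60} -> {evaluate(docs, action, resource)}")
```

Run as a script it prints the decision for each constructed request; the third line is the one to notice, since the function can write to any bucket in the account regardless of the `my-bucket` scoping in the inline document. If that is not intended, drop AWSLambdaExecute and grant the S3 and logs permissions explicitly in the inline document instead.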
0

Here's my preferred approach (omitting other fields for clarity):

MyLambdaFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    Policies:
      - CloudWatchLambdaInsightsExecutionRolePolicy # AWS Managed Policy
      - AWSXrayWriteOnlyAccess # AWS Managed Policy
      - AWSLambdaExecute # AWS Managed Policy
      - Version: '2012-10-17' # Policy Document to allow S3 access
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectACL
            Resource: 'arn:aws:s3:::my-bucket/*'
rainabba