I wasn't able to find it, Googling far and wide... I tried using Amazon.Lambda.AmazonLambdaClient, Amazon.IdentityManagement.AmazonIdentityManagementServiceClient and other APIs with no luck.
I am able to read the policy using var policy = await lambdaClient.GetPolicyAsync(new GetPolicyRequest{FunctionName = "my-lambda" });, but not change it.
In AWS Console, that's the page:
Grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function
Granting function access to AWS services
To grant Amazon S3 permission to invoke a function
var params = {
Action: "lambda:InvokeFunction",
FunctionName: "my-function",
Principal: "s3.amazonaws.com",
SourceAccount: "123456789012",
SourceArn: "arn:aws:s3:::my-bucket-1xpuxmplzrlbh/*",
StatementId: "s3"
};
lambda.addPermission(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
/*
data = {
Statement: "{\"Sid\":\"s3\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"s3.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-2:123456789012:function:my-function\",\"Condition\":{\"StringEquals\":{\"AWS:SourceAccount\":\"123456789012\"},\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:s3:::my-bucket-1xpuxmplzrlbh\"}}}"
}
*/
});
