AWS AppConfig Validation Lambda Policy in SAM Template

Question

I’m trying to add a policy to a lambda to allow AppConfig to invoke it. I can do this through the terminal using this command:

aws lambda add-permission --function-name ConfigValidator.Arn --action lambda:InvokeFunction --statement-id appconfig --principal appconfig.amazonaws.com --output json --region eu-west-1

But how can this be done automatically through the SAM template?

Welcome to SO. How does your SAM template look like at the moment? — st.huber, Nov 16 '21 at 10:36

score 1 · Answer 1 · answered Nov 26 '21 at 19:42

Here is how I do this:

Create a managed policy with access to your AppConfig
Attach that managed policy to the role your lambda is configured to use

Here is the code using CDK (CDK is the latest and greatest tool to create AWS resources, I highly recommend using it!).

If you don't want to use CDK you can manually setup the same managed policies by hand.

Detailed example below:

Create a managed policy with access to your AppConfig

const resourceArn = `arn:aws:appconfig:${props.region}:${props.accountId}:application/${this.appConfigApplication.ref}*`
this.appConfigReaderManagedPolicy = new ManagedPolicy(this, `AppConfigReader-${id}`, {
    managedPolicyName: `AppConfigReader-${id}`,
    description: `Readonly access to ${id}`,
    statements: [
        new PolicyStatement({
            resources: [resourceArn],
            actions: [
                'appconfig:GetConfiguration',
                'appconfig:GetApplication',
            ]
        })
    ]
})

Attach that managed policy to the role your lambda is configured to use

//assuming your lambda is already configured somewhere

this.lambdaFunction.role.addManagedPolicy(this.appConfigReaderManagedPolicy)

AWS AppConfig Validation Lambda Policy in SAM Template

1 Answers1

Create a managed policy with access to your AppConfig

Attach that managed policy to the role your lambda is configured to use