
Is it possible to use Lambda function environment variables in IAM policy conditions?

Basically, in my app each user has a to-do list which they can update. In the database (DynamoDB), I have a table (todo table). So each user can update the record related to their own id.

In my system, basically a client user (Cognito user) sends an API request to API Gateway. The API endpoint triggers a Lambda function, and the Lambda function writes data to the database table.

So the thing I want to do is put a control in the Lambda function execution role policy; this control will check whether the user id of the user who triggers the function matches the user id in the requested record.

Therefore, I created a global environment variable called "usr_id", but I could not see any way to use this variable in an IAM policy condition.

Is there any way to access a Lambda environment variable, or any value (to which we can assign usr_id), in an IAM policy?

A general structure of a request in my system

Thanks

  • No, and I do not see how this would help you anyway. Why is the usr_id an environment variable in the first place, does every user have their own lambda deployed? You can always use https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html or write your permission logic within your lambda. Only the most basic user permissions can be handled by IAM, everything else needs custom code. – luk2302 Dec 30 '21 at 13:16
  • Thanks for answering. No, all users use the same endpoint, meaning that all users trigger the same function. I know that this can be handled by putting some control in the function code. But I should put all restrictions in the access policy if it is possible. I checked the AWS documentation a lot but I could not find a way to do it. – M. Said Nur Dec 30 '21 at 13:32
  • You can potentially do [item-level access using Cognito](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_dynamodb_items.html) but you might have to do the DynamoDB access directly from the context in which you have the Cognito credentials (your client, presumably) so that the DynamoDB calls are made in the context of the relevant Cognito ID. – jarmod Dec 30 '21 at 20:18
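One way to implement the permission logic inside the Lambda that the first comment points at, as an added example that is not from the question or the comments: the execution role is shared by every invocation, so the caller's identity is instead read from the Cognito claims that an API Gateway Cognito User Pools authorizer attaches to the event, and the DynamoDB key is built from that verified identity rather than from the client-supplied usr_id. The table name, attribute names and the event layout are assumptions.

```python
# Added example, not from the thread: per-user authorization inside the
# Lambda handler. Assumes an API Gateway REST API with a Cognito User Pools
# authorizer, which places the verified JWT claims at
# event["requestContext"]["authorizer"]["claims"] (assumed event layout).
import json

TABLE_NAME = "todo"  # assumed table name; partition key usr_id, sort key todo_id


class Forbidden(Exception):
    """Caller tried to touch a record not keyed to their own identity."""


def caller_sub(event):
    """Return the verified Cognito 'sub' of the caller, or None if absent.

    The claim comes from the authorizer, never from the request body, so the
    client cannot simply assert a different usr_id.
    """
    try:
        return event["requestContext"]["authorizer"]["claims"]["sub"]
    except (KeyError, TypeError):
        return None


def build_update(event):
    """Build update_item parameters for a to-do update by the caller.

    The item key is derived from the caller's sub, so the request cannot
    address another user's partition at all. A usr_id in the body that
    differs from the caller is rejected outright, and the ConditionExpression
    keeps the update from creating items that do not already exist.
    """
    sub = caller_sub(event)
    if sub is None:
        raise Forbidden("no authenticated caller")
    body = json.loads(event.get("body") or "{}")
    if "usr_id" in body and body["usr_id"] != sub:
        raise Forbidden("usr_id in request does not match caller")
    return {
        "TableName": TABLE_NAME,
        "Key": {"usr_id": {"S": sub}, "todo_id": {"S": body["todo_id"]}},
        "UpdateExpression": "SET #t = :text",
        "ConditionExpression": "attribute_exists(usr_id)",
        "ExpressionAttributeNames": {"#t": "text"},
        "ExpressionAttributeValues": {":text": {"S": body["text"]}},
    }
```

The returned dict is what a boto3 DynamoDB client's update_item call takes; a Forbidden raised here should map to a 403 response.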

0 Answers