When your code runs within AWS, it will run under a certain IAM Role which allows your code to perform certain limited functions.
- Lambda functions that call out to other AWS services require additional permissions. You can add permissions by attaching a Policy to your role.
To add permissions to your role:
- Log in to your AWS Account Console, then locate the IAM service, then click Roles.
- Locate the role you would like to modify, such as `lambda_basic_execution`, and click on it.
- Click the blue Attach Policy button to add to your role.
- Within the Attach Policy list, type in the name of the AWS service you are interested in using.
  - For example, search for `S3`, `Dynamo`, `SES`, etc.
- Locate a policy that corresponds to the permissions you will need. For example:
  - `AmazonS3ReadOnlyAccess` allows your function to read S3 files
  - `AmazonS3FullAccess` allows your function to perform any S3 action including read and write
- Click the checkbox next to the Policy, and then click the blue Attach Policy button.
- Return to your Lambda function and test. Your code should now be able to access the services you granted to your role.
For finer-grained security, you can define a more specific policy that grants access to only certain actions and resources within AWS.
Within the Role details page, instead of clicking the "Attach Policy" button, scroll down and click the second blue button: Create Role Policy and define the specific actions and resources your role will need.
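
As an added example (not part of the original guide), the Python below builds the kind of specific policy described above, limited to reading one S3 prefix, and contrasts it with a constructed any-action grant using a small wildcard check. The bucket name, prefix and function names are assumptions; the printed JSON is what you would paste into the Create Role Policy editor.

```python
import json

# Constructed placeholders (assumptions, not values from this guide).
BUCKET = "example-app-uploads"
PREFIX = "incoming/"

def scoped_s3_read_policy(bucket, prefix):
    """Build a role policy that allows reading objects under one prefix only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Read objects, limited to keys under the prefix.
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
            {   # List the bucket, but only keys under the prefix.
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }

# Constructed for contrast: the shape of a broad "any S3 action" grant.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return (statement index, field, value) for each over-broad Allow entry."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings

if __name__ == "__main__":
    print(json.dumps(scoped_s3_read_policy(BUCKET, PREFIX), indent=2))
    print("broad grants:", broad_grants(BROAD_POLICY))
```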
Read more about Lambda IAM Roles & Policies
Back to the [Home Page](./README.md#title)