Creating an IAM policy to access Amazon Lambda resources - Amazon Aurora
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating an IAM policy to access Amazon Lambda resources

You can create an IAM policy that provides the minimum required permissions for Aurora to invoke an Amazon Lambda function on your behalf.

The following policy adds the permissions required by Aurora to invoke an Amazon Lambda function on your behalf.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAuroraToExampleFunction",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws-cn:lambda:<region>:<123456789012>:function:<example_function>"
        }
    ]
}

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to invoke an Amazon Lambda function on your behalf. To allow Aurora to invoke all of your Amazon Lambda functions, you can skip these steps and use the predefined AWSLambdaRole policy instead of creating your own.

To create an IAM policy that grants invoke access to your Amazon Lambda functions
  1. Open the IAM console.

  2. In the navigation pane, choose Policies.

  3. Choose Create policy.

  4. On the Visual editor tab, choose Choose a service, and then choose Lambda.

  5. For Actions, choose Expand all, and then choose the Amazon Lambda permissions needed for the IAM policy.

    Ensure that InvokeFunction is selected. It is the minimum required permission to enable Amazon Aurora to invoke an Amazon Lambda function.

  6. Choose Resources and choose Add ARN for function.

  7. In the Add ARN(s) dialog box, provide the details about your resource.

    Specify the Lambda function that Aurora is allowed to invoke. For instance, if you want to allow Aurora to invoke a Lambda function named example_function, then set the ARN value to arn:aws-cn:lambda:::function:example_function.

    For more information on how to define an access policy for Amazon Lambda, see Authentication and access control for Amazon Lambda.

  8. Optionally, choose Add additional permissions to add another Amazon Lambda function to the policy, and repeat the previous steps for the function.

    Note

    You can repeat this to add corresponding function permission statements to your policy for each Amazon Lambda function that you want Aurora to access.

  9. Choose Review policy.

  10. Set Name to a name for your IAM policy, for example AllowAuroraToExampleFunction. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional Description value.

  11. Choose Create policy.

  12. Complete the steps in Creating an IAM role to allow Amazon Aurora to access Amazon services.
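The procedure above produces one Allow statement per function, each scoped to a fully qualified function ARN with only lambda:InvokeFunction. The following added example (not part of the Amazon documentation) generates such a policy document for a list of function names and lints an existing policy document against the same least-privilege shape, so a reviewer can tell a hand-built policy apart from a broad one such as lambda:* on Resource "*". The partition, Region, account ID and function names are constructed sample values; the function and variable names are assumptions of this example.

```python
"""Build and lint a least-privilege IAM policy for Aurora-to-Lambda invocation.

Added example, not from the Amazon documentation. Partition, Region, account ID
and function names below are constructed sample values.
"""
import json
import re

# Constructed sample values; use your own partition (aws or aws-cn), Region and account.
PARTITION = "aws-cn"
REGION = "cn-north-1"
ACCOUNT_ID = "123456789012"

REQUIRED_ACTION = "lambda:InvokeFunction"
POLICY_VERSION = "2012-10-17"

# A fully qualified Lambda function ARN: partition, Region and 12-digit account
# all present, function name without wildcards.
FUNCTION_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):lambda:[a-z]{2}(-[a-z]+)+-\d:\d{12}:function:[A-Za-z0-9_-]{1,64}$"
)


def function_arn(name, partition=PARTITION, region=REGION, account_id=ACCOUNT_ID):
    """Return the ARN of a Lambda function in the given partition, Region and account."""
    return f"arn:{partition}:lambda:{region}:{account_id}:function:{name}"


def statement_id(name):
    """Derive an alphanumeric Sid (IAM permits only [A-Za-z0-9]) from a function name."""
    return "AllowAuroraTo" + re.sub(r"[^A-Za-z0-9]", "", name.title())


def build_invoke_policy(function_names, partition=PARTITION, region=REGION, account_id=ACCOUNT_ID):
    """One Allow statement per function, mirroring step 8 of the procedure."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Sid": statement_id(name),
                "Effect": "Allow",
                "Action": REQUIRED_ACTION,
                "Resource": function_arn(name, partition, region, account_id),
            }
            for name in function_names
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_invoke_policy(policy):
    """Return findings for anything broader than invoke on named functions.

    An empty list means every statement allows only lambda:InvokeFunction on
    fully qualified function ARNs.
    """
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append("Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is not Allow")
        for action in _as_list(stmt.get("Action", [])):
            if action != REQUIRED_ACTION:
                findings.append(f"{sid}: action {action} is broader than {REQUIRED_ACTION}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not FUNCTION_ARN_RE.match(resource):
                findings.append(f"{sid}: resource {resource} is not a fully qualified function ARN")
    return findings


if __name__ == "__main__":
    policy = build_invoke_policy(["example_function", "audit-writer"])
    print(json.dumps(policy, indent=4))
    print("findings:", lint_invoke_policy(policy))
```

The linter flags the two ways a policy commonly drifts from the minimum the page describes: an action wider than lambda:InvokeFunction, and a Resource that is "*" or an ARN whose Region or account fields are empty (for example, one pasted before the placeholders were filled in). Run it over the JSON tab of the policy you created in the console before attaching the role to the DB cluster.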