

# Creating an IAM policy to access Amazon Lambda resources
<a name="AuroraMySQL.Integrating.Authorizing.IAM.LambdaCreatePolicy"></a>

You can create an IAM policy that provides the minimum required permissions for Aurora to invoke an Amazon Lambda function on your behalf.

The following policy grants exactly that permission: `lambda:InvokeFunction` on a single function ARN. The partition and region in the ARN must be those of the Lambda function itself (in the China regions, partition `aws-cn` and a `cn-` region). An ARN that names a region from a different partition never matches any function, so a policy written that way grants nothing rather than failing loudly.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAuroraToExampleFunction",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:example_function"
    }
  ]
}
```

------

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to invoke an Amazon Lambda function on your behalf. To allow Aurora to invoke all of your Amazon Lambda functions, you can skip these steps and use the predefined `AWSLambdaRole` managed policy instead of creating your own. Be aware that `AWSLambdaRole` allows `lambda:InvokeFunction` on `Resource: "*"`, so anyone who can run SQL that calls Lambda from the DB cluster can then invoke every function in the account; a policy scoped to the specific function ARNs is the least-privilege choice.

**To create an IAM policy to grant invoke to your Amazon Lambda functions**

1. Open the [IAM console](https://console.amazonaws.cn/iam/home?#home).

1. In the navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**, and then choose **Lambda**.

1. For **Actions**, choose **Expand all**, and then choose the Amazon Lambda permissions needed for the IAM policy.

   Ensure that `InvokeFunction` is selected. It is the minimum required permission to enable Amazon Aurora to invoke an Amazon Lambda function.

1. Choose **Resources** and choose **Add ARN** for **function**.

1. In the **Add ARN(s)** dialog box, provide the details about your resource.

   Fill in the **Region**, **Account**, and **Function name** fields for the Lambda function that you want to allow access to. For instance, to allow Aurora to invoke a function named `example_function` in account `123456789012` in the `cn-north-1` region, the resulting ARN is `arn:aws-cn:lambda:cn-north-1:123456789012:function:example_function`. Avoid choosing **Any** for the region or account fields unless you intend to match functions in any region or account, because **Any** replaces that field with a `*` wildcard.

   For more information on how to define an access policy for Amazon Lambda, see [Authentication and access control for Amazon Lambda](https://docs.amazonaws.cn/lambda/latest/dg/lambda-auth-and-access-control.html).

1. Optionally, choose **Add additional permissions** and repeat the previous steps for each additional Amazon Lambda function that Aurora should be able to invoke. Each repetition adds another statement to the policy, scoped to that function's ARN.

1. Choose **Review policy**.

1. Set **Name** to a name for your IAM policy, for example `AllowAuroraToExampleFunction`. You use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional **Description** value.

1. Choose **Create policy**.

1. Complete the steps in [Creating an IAM role to allow Amazon Aurora to access Amazon services](AuroraMySQL.Integrating.Authorizing.IAM.CreateRole.md).
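The console steps above produce one `lambda:InvokeFunction` statement per function ARN. The following Python script is an added example (not AWS sample code) that builds the same policy document programmatically for any number of functions, rejects ARNs that can never match a function (empty region or account fields, or a region that does not belong to the stated partition), lints a policy for the `*` wildcards that make `AWSLambdaRole` broader than Aurora needs, and optionally creates the customer managed policy with boto3. The function names, account ID, and the `is_valid_function_arn`, `build_invoke_policy`, `find_wildcards` and `create_policy` helpers are this example's own; the `AWS_LAMBDA_ROLE_DOCUMENT` constant reproduces the shape of the managed policy and should be checked against the copy in your partition.

```python
"""Build, lint and (optionally) create the least-privilege IAM policy that
lets Aurora invoke specific Lambda functions. Added example, not AWS code."""
import json
import re
from typing import Iterable, List

# Fully qualified Lambda function ARN. Region and account are mandatory: an
# ARN with those fields empty matches no function. The trailing ":qualifier"
# (version or alias) is optional. Constructed pattern for this example.
_FUNCTION_ARN = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):lambda:"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):"
    r"function:(?P<name>[A-Za-z0-9_-]+)(?::[A-Za-z0-9_-]+)?$"
)

# Region-name prefixes that belong to the non-default partitions.
_PARTITION_REGION_PREFIX = {"aws-cn": "cn-", "aws-us-gov": "us-gov-"}

# Shape of the managed AWSLambdaRole policy: InvokeFunction on every function.
AWS_LAMBDA_ROLE_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": ["*"]}
    ],
}


def validate_function_arn(arn: str) -> dict:
    """Return the ARN's fields, or raise ValueError if the ARN can never
    match a Lambda function (malformed, or region/partition mismatch)."""
    match = _FUNCTION_ARN.match(arn)
    if match is None:
        raise ValueError(f"not a fully qualified Lambda function ARN: {arn!r}")
    fields = match.groupdict()
    prefix = _PARTITION_REGION_PREFIX.get(fields["partition"])
    if prefix is not None:
        region_ok = fields["region"].startswith(prefix)
    else:  # the "aws" partition contains none of the cn-/us-gov- regions
        region_ok = not any(fields["region"].startswith(p)
                            for p in _PARTITION_REGION_PREFIX.values())
    if not region_ok:
        raise ValueError(f"region {fields['region']} is not in partition "
                         f"{fields['partition']}: {arn!r}")
    return fields


def is_valid_function_arn(arn: str) -> bool:
    """Boolean form of validate_function_arn for quick checks."""
    try:
        validate_function_arn(arn)
    except ValueError:
        return False
    return True


def build_invoke_policy(function_arns: Iterable[str]) -> dict:
    """One Allow statement per function, each scoped to exactly that ARN,
    the same shape the console steps produce."""
    statements = []
    for index, arn in enumerate(function_arns):
        fields = validate_function_arn(arn)
        # Sid must be unique within the policy and alphanumeric only.
        sid = "AllowAuroraTo" + re.sub(r"[^A-Za-z0-9]", "", fields["name"]) + str(index)
        statements.append({"Sid": sid, "Effect": "Allow",
                           "Action": "lambda:InvokeFunction", "Resource": arn})
    if not statements:
        raise ValueError("at least one function ARN is required")
    return {"Version": "2012-10-17", "Statement": statements}


def find_wildcards(policy: dict) -> List[str]:
    """Sids of Allow statements whose Action or Resource contains '*'."""
    flagged = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        values = []
        for key in ("Action", "Resource"):
            value = statement.get(key, [])
            values.extend([value] if isinstance(value, str) else value)
        if any("*" in v for v in values):
            flagged.append(statement.get("Sid", "<no Sid>"))
    return flagged


def create_policy(name: str, policy: dict, description: str = "") -> str:
    """Create the customer managed policy and return its ARN. Needs boto3 and
    credentials for the target partition, so it is not called offline."""
    import boto3  # imported here so the rest of the module works without it
    kwargs = {"PolicyName": name, "PolicyDocument": json.dumps(policy)}
    if description:
        kwargs["Description"] = description
    return boto3.client("iam").create_policy(**kwargs)["Policy"]["Arn"]


if __name__ == "__main__":
    # Constructed ARNs: the account ID and function names are placeholders.
    policy = build_invoke_policy([
        "arn:aws-cn:lambda:cn-north-1:123456789012:function:example_function",
        "arn:aws-cn:lambda:cn-north-1:123456789012:function:audit_hook:prod",
    ])
    print(json.dumps(policy, indent=2))
    print("wildcards in built policy:", find_wildcards(policy))
    print("wildcards in AWSLambdaRole:", find_wildcards(AWS_LAMBDA_ROLE_DOCUMENT))
    # create_policy("AllowAuroraToExampleFunction", policy, "Aurora -> Lambda")
```

Run it as-is to print the generated document; uncomment the `create_policy` call (with boto3 installed and credentials for the `aws-cn` partition) to create the policy under the name you will later attach to the Aurora role. Note that the validator rejects both of the ARN forms that are easy to produce by mistake: `arn:aws-cn:lambda:::function:example_function` (empty region and account) and an `aws-cn` ARN carrying a `us-east-1` region.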