Step 2: Configure permissions for a custom Amazon AppConfig extension
Use the following procedure to create and configure an Amazon Identity and Access Management (IAM) service role (or assume role). Amazon AppConfig uses this role to invoke the Lambda function.
To create an IAM service role and allow Amazon AppConfig to assume it
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Roles, and then choose Create role.
- Under Select type of trusted entity, choose Custom trust policy.
- Paste the following JSON policy into the Custom trust policy field.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "appconfig.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

- Choose Next.
- On the Add permissions page, choose Create policy. The Create policy page opens in a new tab.
- Choose the JSON tab, and then paste the following permission policy into the editor. The lambda:InvokeFunction action is used for PRE_* action points. The lambda:InvokeAsync action is used for ON_* action points. Replace Your Lambda ARN with the Amazon Resource Name (ARN) of your Lambda function.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "lambda:InvokeFunction",
          "lambda:InvokeAsync"
        ],
        "Resource": "Your Lambda ARN"
      }
    ]
  }

- Choose Next: Tags.
- On the Add tags (Optional) page, add one or more key-value pairs and then choose Next: Review.
- On the Review policy page, enter a name and a description, and then choose Create policy.
- On the browser tab for your custom trust policy, choose the Refresh icon and then search for the permission policy you just created.
- Select the check box for your permission policy and then choose Next.
- On the Name, review, and create page, enter a name in the Role name box, and then enter a description.
- Choose Create role. The system returns you to the Roles page. Choose View role in the banner.
- Copy the ARN. You specify this ARN when you create the extension.
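The two policy documents above are the only security-relevant input in this procedure: the trust policy decides who may assume the role, and the permission policy decides which Lambda functions the role may invoke. The script below, added here as an example and not part of the AWS AppConfig documentation, builds both documents from a Lambda ARN and lints them before you paste them into the console, rejecting a placeholder that was never replaced, a wildcard Resource that would let the role invoke every function in the account, a trusted principal other than appconfig.amazonaws.com, and any action beyond the two the procedure needs. The Lambda ARN used is a constructed placeholder, and the ARN pattern the check applies is an assumption about the arn:<partition>:lambda:<region>:<account>:function:<name> shape rather than something taken from this page.

```python
"""Build and lint the AppConfig extension role policies before pasting them into IAM.
Added example; not AWS code. The ARN below is a constructed placeholder."""
import json
import re

# Constructed placeholder; replace with the ARN of your own Lambda function.
EXAMPLE_LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:appconfig-ext"

# Assumed shape of a Lambda function ARN:
#   arn:<partition>:lambda:<region>:<12-digit account>:function:<name>[:<qualifier>]
LAMBDA_ARN_RE = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:lambda:[a-z0-9-]+:\d{12}:function:"
    r"[A-Za-z0-9_-]{1,64}(?::[A-Za-z0-9$_-]+)?$"
)

APPCONFIG_PRINCIPAL = "appconfig.amazonaws.com"
# The only two actions the procedure grants: InvokeFunction for PRE_* points,
# InvokeAsync for ON_* points.
REQUIRED_ACTIONS = {"lambda:InvokeFunction", "lambda:InvokeAsync"}


def build_trust_policy() -> dict:
    """Trust policy from the procedure: only the AppConfig service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": APPCONFIG_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def build_permission_policy(lambda_arn: str) -> dict:
    """Permission policy from the procedure, scoped to exactly one Lambda function ARN."""
    if not LAMBDA_ARN_RE.match(lambda_arn):
        # Catches "Your Lambda ARN" left unreplaced as well as wildcards.
        raise ValueError(f"not a Lambda function ARN: {lambda_arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": lambda_arn,
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict) -> list:
    """Findings for a trust policy (empty list means it matches the procedure)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append("trust policy allows any principal to assume the role")
        elif (not isinstance(principal, dict) or set(principal) != {"Service"}
              or _as_list(principal["Service"]) != [APPCONFIG_PRINCIPAL]):
            findings.append(f"trusted principal is not {APPCONFIG_PRINCIPAL}: {principal!r}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append("statement does not grant sts:AssumeRole")
    return findings


def lint_permission_policy(policy: dict) -> list:
    """Findings for the invoke policy: wildcard or non-Lambda resources, extra actions."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in REQUIRED_ACTIONS:
                findings.append(f"action beyond lambda:InvokeFunction/InvokeAsync: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append(f"resource is not a single Lambda ARN: {resource}")
            elif not LAMBDA_ARN_RE.match(resource):
                findings.append(f"resource is not a Lambda function ARN: {resource}")
    return findings


def render(policy: dict) -> str:
    """JSON text in the form pasted into the console's JSON editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render(build_trust_policy()))
    print(render(build_permission_policy(EXAMPLE_LAMBDA_ARN)))
```

Run it with your own function ARN in place of EXAMPLE_LAMBDA_ARN and paste the two printed documents into steps 4 and 7. The lint functions are also useful on a role that already exists: feed them the documents returned by the IAM console or API to confirm that nobody has widened the Resource to "*" or added a second trusted principal since the role was created.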