Granting function access to an organization
To grant permissions to an organization in Amazon Organizations, specify the organization ID as the principal-org-id. The following add-permission command grants invocation access to all users in the organization o-a1b2c3d4e5f.
aws lambda add-permission \
    --function-name example \
    --statement-id PrincipalOrgIDExample \
    --action lambda:InvokeFunction \
    --principal '*' \
    --principal-org-id o-a1b2c3d4e5f
Note
In this command, Principal is *. This means that all users in the organization o-a1b2c3d4e5f get function invocation permissions. If you specify an Amazon Web Services account or role as the Principal, then only that principal gets function invocation permissions, but only if they are also part of the o-a1b2c3d4e5f organization.
This command creates a resource-based policy that looks like the following:
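The policy statement itself is not reproduced on this page. The following Python example is an added illustration, not the documentation's own listing: it builds a statement equivalent to what the add-permission command above produces (Principal plus an aws:PrincipalOrgID StringEquals condition, which is the documented IAM global condition key) and then evaluates it for a few constructed callers, so the Note's two cases are visible in code: Principal * admits any identity in the organization, while a specific account principal admits only that account, and even then only when the account is a member of the organization. The function ARN uses a placeholder region and account ID; the organization ID is the page's o-a1b2c3d4e5f.

```python
"""Added example (not from the documentation page): reconstruct the resource-based
policy statement that `aws lambda add-permission --principal-org-id` attaches to a
Lambda function and evaluate it the way IAM would for sample callers.

Placeholders: the region and the 12-digit account IDs below are fictitious.
"""
import json

FUNCTION_ARN = "arn:aws:lambda:us-west-2:123456789012:function:example"  # placeholder ARN
ORG_ID = "o-a1b2c3d4e5f"  # organization ID used on the page


def build_org_statement(function_arn, org_id, statement_id="PrincipalOrgIDExample", principal="*"):
    """Statement equivalent to:
    aws lambda add-permission --principal <principal> --principal-org-id <org_id> \
        --action lambda:InvokeFunction --statement-id <statement_id>
    aws:PrincipalOrgID is the IAM global condition key that carries the caller's organization ID."""
    return {
        "Sid": statement_id,
        "Effect": "Allow",
        "Principal": principal if principal == "*" else {"AWS": principal},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }


def account_of(arn):
    """Return the account ID field (5th colon-separated field) of an ARN."""
    return arn.split(":")[4]


def principal_matches(statement, caller_arn):
    """Principal "*" matches every caller. An explicit AWS principal matches the exact
    caller ARN, a bare account ID, or an account root ARN (any identity in that account)."""
    principal = statement["Principal"]
    if principal == "*":
        return True
    allowed = principal["AWS"]
    if allowed == caller_arn:
        return True
    if allowed.isdigit():  # bare account ID form
        return allowed == account_of(caller_arn)
    return allowed.endswith(":root") and account_of(allowed) == account_of(caller_arn)


def invoke_allowed(statement, caller_arn, caller_org_id):
    """Decide whether the caller may invoke the function under this statement.
    caller_org_id is what IAM supplies for aws:PrincipalOrgID; None models an account
    that belongs to no organization, for which StringEquals cannot match."""
    if statement["Effect"] != "Allow" or statement["Action"] != "lambda:InvokeFunction":
        return False
    if not principal_matches(statement, caller_arn):
        return False
    required_org = statement["Condition"]["StringEquals"]["aws:PrincipalOrgID"]
    return caller_org_id is not None and caller_org_id == required_org


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [build_org_statement(FUNCTION_ARN, ORG_ID)]}
    print(json.dumps(policy, indent=2))
```

Running the module prints the reconstructed policy document. The evaluator deliberately treats a missing aws:PrincipalOrgID value as a non-match, which is why an account outside any organization is denied even though Principal is *.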
For more information, see aws:PrincipalOrgID in the IAM user guide.