

# Viewing resource-based IAM policies in Lambda
<a name="access-control-resource-based"></a>

Lambda supports resource-based permissions policies for Lambda functions and layers. You can use resource-based policies to grant access to other [Amazon accounts](permissions-function-cross-account.md), [organizations](permissions-function-organization.md), or [services](permissions-function-services.md). A resource-based policy applies to a single function, version, alias, or layer version.

------
#### [ Console ]

**To view a function's resource-based policy**

1. Open the [Functions](https://console.amazonaws.cn/lambda/home#/functions) page of the Lambda console.

1. Choose a function.

1. Choose **Configuration**, and then choose **Permissions**.

1. Scroll down to **Resource-based policy**, and then choose **View policy document**. The resource-based policy shows the permissions that apply when another account or Amazon service attempts to access the function. The following example shows a statement that allows Amazon S3 to invoke a function named `my-function` for a bucket named `amzn-s3-demo-bucket` in account `123456789012`.  
**Example resource-based policy**  

   ```
   {
       "Version":"2012-10-17",
       "Id": "default",
       "Statement": [
           {
               "Sid": "lambda-allow-s3-my-function",
               "Effect": "Allow",
               "Principal": {
                 "Service": "s3.amazonaws.com.cn"
               },
               "Action": "lambda:InvokeFunction",
               "Resource":  "arn:aws:lambda:cn-north-1:123456789012:function:my-function",
               "Condition": {
                 "StringEquals": {
                   "AWS:SourceAccount": "123456789012"
                 },
                 "ArnLike": {
                   "AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
                 }
               }
           }
        ]
   }
   ```

------
#### [ Amazon CLI ]

To view a function's resource-based policy, use the `get-policy` command.

```
aws lambda get-policy \
  --function-name my-function \
  --output text
```

You should see the following output:


```
{"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"sns","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com.cn"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:cn-north-1:123456789012:function:my-function","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]}
```

For versions and aliases, append the version number or alias to the function name.

```
aws lambda get-policy --function-name my-function:PROD
```

To remove permissions from a function, use `remove-permission`.

```
aws lambda remove-permission \
  --function-name example \
  --statement-id sns
```

To view the permissions on a layer, use the `get-layer-version-policy` command.

```
aws lambda get-layer-version-policy \
  --layer-name my-layer \
  --version-number 3 \
  --output text
```

You should see the following output:

```
b0cd9796-d4eb-4564-939f-de7fe0b42236    {"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}
```

Use `remove-layer-version-permission` to remove a statement from the policy.

```
aws lambda remove-layer-version-permission --layer-name my-layer --version-number 3 --statement-id engineering-org
```
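
Viewing a policy is only useful if you know what to look for in it. The script below is an added example, not code from the Lambda documentation or the AWS CLI: it parses the two output shapes shown in this section (the JSON document that `get-policy` returns in its `Policy` field, and the tab-separated `get-layer-version-policy --output text` line whose last field is the statement JSON), extracts the `Sid` you would pass to `--statement-id`, and flags statements that grant more than intended. The checks are the ones a reviewer applies to the examples above: a service principal such as `s3.amazonaws.com.cn` should be pinned with `aws:SourceAccount`/`aws:SourceArn` (otherwise any account's S3 bucket could trigger the function, the classic confused-deputy problem), and a `"Principal": "*"` statement should at least be confined with `aws:PrincipalOrgID`, as the layer example is. The function names and the second, unscoped sample statement are constructed for this example; the scoped statements reuse the values shown on this page.

```python
"""Audit Lambda resource-based policies for missing scoping conditions (added example)."""
import json

# Constructed sample of the string that `aws lambda get-policy` returns in its
# "Policy" field. The first statement is the page's S3 example; the second is a
# constructed statement with the same service principal but no source conditions.
SAMPLE_FUNCTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "lambda-allow-s3-my-function",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com.cn"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:cn-north-1:123456789012:function:my-function",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "123456789012"},
                "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"},
            },
        },
        {   # constructed: same principal, but nothing limits which account's S3 may invoke
            "Sid": "unscoped-s3",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com.cn"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:cn-north-1:123456789012:function:my-function",
        },
    ],
})

# Constructed sample in the shape of `aws lambda get-layer-version-policy --output text`:
# an identifier, a tab, then the statement as compact JSON (values from the page).
SAMPLE_LAYER_POLICY_LINE = (
    "b0cd9796-d4eb-4564-939f-de7fe0b42236\t"
    '{"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion",'
    '"Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3",'
    '"Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}'
)


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def condition_keys(statement):
    """All condition keys of a statement, lowercased (IAM condition keys are case-insensitive)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of "anyone"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_statement(statement):
    """Return a list of human-readable findings; an empty list means the statement passed."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings  # Deny statements never widen access
    principal = statement.get("Principal", {})
    keys = condition_keys(statement)
    if is_wildcard_principal(principal):
        if not keys:
            findings.append("wildcard principal with no Condition: anyone can call the listed actions")
        elif "aws:principalorgid" not in keys:
            findings.append("wildcard principal not restricted by aws:PrincipalOrgID")
    elif isinstance(principal, dict) and "Service" in principal:
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            services = ", ".join(_as_list(principal["Service"]))
            findings.append("service principal without aws:SourceAccount/aws:SourceArn: "
                            f"any account's {services} could invoke this resource")
    for action in _as_list(statement.get("Action", [])):
        if action.endswith("*"):
            findings.append(f"wildcard action {action}")
    return findings


def parse_get_policy(policy_field):
    """Split the JSON-encoded document from get-policy into (Sid, statement) pairs."""
    doc = json.loads(policy_field)
    return [(s.get("Sid", f"statement-{i}"), s) for i, s in enumerate(doc["Statement"])]


def parse_layer_policy_text(line):
    """The statement JSON is the last field of the text line; the Sid is what
    remove-layer-version-permission expects as --statement-id."""
    statement = json.loads(line[line.index("{"):].rstrip())
    return statement["Sid"], statement


def audit(statements):
    """Map each statement id to its findings."""
    return {sid: audit_statement(stmt) for sid, stmt in statements}


if __name__ == "__main__":
    for sid, findings in audit(parse_get_policy(SAMPLE_FUNCTION_POLICY)).items():
        print(f"{sid}: {findings or 'ok'}")
    layer_sid, layer_stmt = parse_layer_policy_text(SAMPLE_LAYER_POLICY_LINE)
    print(f"{layer_sid}: {audit_statement(layer_stmt) or 'ok'}")
```

With real input you would feed `audit()` the `Policy` field from `aws lambda get-policy --function-name my-function` (JSON output) and the text line from `get-layer-version-policy`; a statement that fails the audit is removed with `remove-permission --statement-id <Sid>` or `remove-layer-version-permission --statement-id <Sid>` and re-added with the missing condition.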

------

## Supported API actions
<a name="permissions-resource-api"></a>

The following Lambda API actions support resource-based policies:
+ [CreateAlias](https://docs.amazonaws.cn/lambda/latest/api/API_CreateAlias.html)
+ [DeleteAlias](https://docs.amazonaws.cn/lambda/latest/api/API_DeleteAlias.html)
+ [DeleteFunction](https://docs.amazonaws.cn/lambda/latest/api/API_DeleteFunction.html)
+ [DeleteFunctionConcurrency](https://docs.amazonaws.cn/lambda/latest/api/API_DeleteFunctionConcurrency.html)
+ [DeleteFunctionEventInvokeConfig](https://docs.amazonaws.cn/lambda/latest/api/API_DeleteFunctionEventInvokeConfig.html)
+ [DeleteProvisionedConcurrencyConfig](https://docs.amazonaws.cn/lambda/latest/api/API_DeleteProvisionedConcurrencyConfig.html)
+ [GetAlias](https://docs.amazonaws.cn/lambda/latest/api/API_GetAlias.html)
+ [GetFunction](https://docs.amazonaws.cn/lambda/latest/api/API_GetFunction.html)
+ [GetFunctionConcurrency](https://docs.amazonaws.cn/lambda/latest/api/API_GetFunctionConcurrency.html)
+ [GetFunctionConfiguration](https://docs.amazonaws.cn/lambda/latest/api/API_GetFunctionConfiguration.html)
+ [GetFunctionEventInvokeConfig](https://docs.amazonaws.cn/lambda/latest/api/API_GetFunctionEventInvokeConfig.html)
+ [GetPolicy](https://docs.amazonaws.cn/lambda/latest/api/API_GetPolicy.html)
+ [GetProvisionedConcurrencyConfig](https://docs.amazonaws.cn/lambda/latest/api/API_GetProvisionedConcurrencyConfig.html)
+ [Invoke](https://docs.amazonaws.cn/lambda/latest/api/API_Invoke.html)
+ [InvokeFunctionUrl](urls-auth.md) (permission only)
+ [ListAliases](https://docs.amazonaws.cn/lambda/latest/api/API_ListAliases.html)
+ [ListFunctionEventInvokeConfigs](https://docs.amazonaws.cn/lambda/latest/api/API_ListFunctionEventInvokeConfigs.html)
+ [ListProvisionedConcurrencyConfigs](https://docs.amazonaws.cn/lambda/latest/api/API_ListProvisionedConcurrencyConfigs.html)
+ [ListTags](https://docs.amazonaws.cn/lambda/latest/api/API_ListTags.html)
+ [ListVersionsByFunction](https://docs.amazonaws.cn/lambda/latest/api/API_ListVersionsByFunction.html)
+ [PublishVersion](https://docs.amazonaws.cn/lambda/latest/api/API_PublishVersion.html)
+ [PutFunctionConcurrency](https://docs.amazonaws.cn/lambda/latest/api/API_PutFunctionConcurrency.html)
+ [PutFunctionEventInvokeConfig](https://docs.amazonaws.cn/lambda/latest/api/API_PutFunctionEventInvokeConfig.html)
+ [PutProvisionedConcurrencyConfig](https://docs.amazonaws.cn/lambda/latest/api/API_PutProvisionedConcurrencyConfig.html)
+ [TagResource](https://docs.amazonaws.cn/lambda/latest/api/API_TagResource.html)
+ [UntagResource](https://docs.amazonaws.cn/lambda/latest/api/API_UntagResource.html)
+ [UpdateAlias](https://docs.amazonaws.cn/lambda/latest/api/API_UpdateAlias.html)
+ [UpdateFunctionCode](https://docs.amazonaws.cn/lambda/latest/api/API_UpdateFunctionCode.html)
+ [UpdateFunctionEventInvokeConfig](https://docs.amazonaws.cn/lambda/latest/api/API_UpdateFunctionEventInvokeConfig.html)