
I'm trying to get into the whole IAM setup. I have a role that I want a Lambda to be able to assume. So, I have my Trust Relationship policy set up like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Now, as far as I understand, this would allow any lambda to assume this role.
Can I narrow this in a bit more, so it's only one specific lambda, that is allowed to assume it?

I've tried to replace "Service": "lambda.amazonaws.com" with the ARN of the Lambda, but it didn't really work out for me :/

Comment (Sep 15, 2019): I'm not sure AWS allows Resource level permission for this, but the way to go about this would be to add "Resource": <Lambda ARN> under Action.

1 Answer


I think that it's actually the other way around...

When creating the Lambda function, you can specify the role for it to use. The ability to allow a function to use a Role requires the iam:PassRole permission. Anyone with this permission can configure a Lambda function to use a specific (or any) IAM Role.

Here's a sample policy from "Granting a User Permissions to Pass a Role to an AWS Service" (AWS Identity and Access Management documentation) that grants an IAM User the ability to pass a role:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::<account-id>:role/EC2-roles-for-XYZ-*"
    }]
}

iam:PassRole is a very important permission because it controls who can pass a role to a service. If it is used incorrectly, users might gain too much permission. For example, let's say that there is an Admin Role that has lots of permissions. Anyone who is granted permission to use PassRole could create a resource (e.g. an Amazon EC2 instance or AWS Lambda function) that uses this role, thereby giving them Admin capabilities. For this reason, the ability to use PassRole should be strictly controlled.

Therefore, rather than the role trusting a Lambda function, you actually need a user with PassRole to assign the role to the function.

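The following is an added example, not code from the question or the answer above, showing both halves of the control in working form: the scoped iam:PassRole grant the answer describes, and, going beyond the answer, the trust-policy conditions that narrow the role to one function (the questioner's attempt failed because a Lambda function ARN is not a valid Principal; the service principal stays, and the aws:SourceAccount / aws:SourceArn global condition keys, AWS's documented confused-deputy mitigation for service principals, do the narrowing). The account id, function name and role names are placeholders, and the matcher is a deliberate simplification of IAM's evaluation logic for these two statement shapes only, not a general policy engine.

```python
"""Scoping which Lambda function may use an execution role (added example).

Two policy documents are built and checked with a small matcher:
  1. Trust policy: Service=lambda.amazonaws.com stays as the principal,
     aws:SourceAccount / aws:SourceArn conditions admit one function only.
  2. Deployer policy: iam:PassRole on one role ARN, further limited with
     iam:PassedToService, so the deployer cannot hand an Admin role to Lambda.
The matcher handles only these statement shapes; it is not IAM's evaluator.
"""
import fnmatch
import json

# Constructed placeholder identifiers, not real resources.
ACCOUNT = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:eu-west-1:{ACCOUNT}:function:order-processor"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/order-processor-role"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Admin"


def trust_policy_for_function(function_arn: str, account_id: str) -> dict:
    """Trust policy that only the named function in the named account may use."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": function_arn},
            },
        }],
    }


def pass_role_policy(role_arn: str) -> dict:
    """Identity policy for the deployer: PassRole on one role, to Lambda only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_like(pattern: str, arn: str) -> bool:
    """ArnLike, simplified: '*' and '?' wildcards, case-sensitive match."""
    return fnmatch.fnmatchcase(arn, pattern)


def service_may_assume(trust_policy: dict, service: str,
                       source_arn: str, source_account: str) -> bool:
    """Can `service`, acting for `source_arn` in `source_account`, assume the role?"""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt["Effect"] != "Allow" or service not in services:
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        cond = stmt.get("Condition", {})
        want_account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        want_arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        if want_account is not None and want_account != source_account:
            continue
        if want_arn is not None and not _arn_like(want_arn, source_arn):
            continue
        return True  # an Allow statement matched (no explicit Deny is modelled)
    return False


def user_may_pass_role(policy: dict, role_arn: str, to_service: str) -> bool:
    """Does the deployer's policy allow iam:PassRole of `role_arn` to `to_service`?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "iam:PassRole" not in _as_list(stmt["Action"]):
            continue
        if not any(_arn_like(p, role_arn) for p in _as_list(stmt["Resource"])):
            continue
        want_service = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if want_service is not None and want_service != to_service:
            continue
        return True
    return False


if __name__ == "__main__":
    trust = trust_policy_for_function(FUNCTION_ARN, ACCOUNT)
    grant = pass_role_policy(ROLE_ARN)
    print(json.dumps(trust, indent=2))
    other = FUNCTION_ARN.replace("order-processor", "some-other-function")
    print("named function may assume:", service_may_assume(trust, "lambda.amazonaws.com", FUNCTION_ARN, ACCOUNT))
    print("other function may assume:", service_may_assume(trust, "lambda.amazonaws.com", other, ACCOUNT))
    print("deployer may pass scoped role:", user_may_pass_role(grant, ROLE_ARN, "lambda.amazonaws.com"))
    print("deployer may pass Admin role:", user_may_pass_role(grant, ADMIN_ROLE_ARN, "lambda.amazonaws.com"))
```

The two checks are independent controls: the trust policy decides which function the Lambda service may act for when it assumes the role, and the PassRole grant decides which roles a given deployer can attach to a function at all. Note that without the Condition block the trust policy in the question admits any function in any account that the Lambda service acts for, which is exactly the case the aws:SourceArn condition closes.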
