Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Creating an IAM Policy to Access AWS Lambda Resources

You can use the following steps to create an IAM policy that provides the minimum required permissions for Aurora to invoke an AWS Lambda function on your behalf. To allow Aurora to invoke all of your AWS Lambda functions, you can skip these steps and use the predefined AWSLambdaRole policy instead of creating your own.

To create an IAM policy that grants permission to invoke your AWS Lambda functions:

  1. Open the IAM Console.

  2. In the navigation pane, choose Policies.

  3. Choose Create Policy.

  4. For the Policy Generator option, choose Select.

  5. In Edit Permissions, set the following values:

    • Effect: Allow

    • AWS Service: AWS Lambda

    • Actions: InvokeFunction

      These permissions are the minimum required to enable Amazon Aurora to invoke an AWS Lambda function.

  6. Set Amazon Resource Name (ARN) to the ARN of the Lambda function that you want to allow access to. For instance, if you want to allow Aurora to access a Lambda function named example_function, then set the ARN value to arn:aws:lambda:::function:example_function.

    For more information on how to define an access policy for AWS Lambda, see Authentication and Access Control for AWS Lambda.

  7. Choose Add Statement.

    You can repeat this and the previous step to add multiple ARNs to your policy and allow Aurora to invoke more than one Lambda function.

  8. Choose Next Step.

  9. Set the Policy Name to a name for your IAM policy, for example AllowAuroraToExampleFunction. You will use this name when you create an IAM role to associate with your Aurora DB cluster. You can also add an optional Description value.

  10. Choose Create Policy.
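
The following sketch is an added example, not part of the AWS guide. It builds the policy document that the steps above describe and checks a policy for grants broader than InvokeFunction on named functions. The helper names, the region us-east-1 and the account ID 123456789012 are constructed placeholders.

```python
import json

def is_specific_function_arn(arn):
    """True if arn names one Lambda function and contains no IAM wildcards."""
    parts = arn.split(":")
    return (len(parts) >= 7 and parts[0] == "arn" and parts[2] == "lambda"
            and parts[5] == "function" and parts[6] != ""
            and not any(ch in arn for ch in "*?"))

def build_invoke_policy(function_arns):
    """Return a policy document with one Allow statement per function ARN."""
    for arn in function_arns:
        if not is_specific_function_arn(arn):
            raise ValueError(f"not a single Lambda function ARN: {arn!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": arn}
            for arn in function_arns
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements broader than InvokeFunction on named functions."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "lambda:invokefunction":
                findings.append(f"statement {i}: action {action} is broader than needed")
        for resource in _as_list(stmt.get("Resource", [])):
            if not is_specific_function_arn(resource):
                findings.append(f"statement {i}: resource {resource} is not one function")
    return findings

# Constructed sample values: a placeholder ARN and a policy with Resource "*".
EXAMPLE_ARN = "arn:aws:lambda:us-east-1:123456789012:function:example_function"
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:InvokeFunction"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print(json.dumps(build_invoke_policy([EXAMPLE_ARN]), indent=2))
    print(audit_policy(BROAD_POLICY))
```

Passing several ARNs to build_invoke_policy corresponds to repeating steps 6 and 7 for each function.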