Versioning, Aliases, and Resource Policies
With versioning and aliases you can access a Lambda function using various ARNs. For example, consider the following scenario:
You can invoke for example the
helloworld function version 1 using any of the
following two ARNs:
Using the qualified function ARN:Copy
An unqualified function ARN (function ARN without a version or alias suffix), maps to the
Using the BETA alias ARN:Copy
In a push model, event sources (such as Amazon S3 and custom applications) can invoke any of the Lambda function versions as long you grant the necessary permissions to these event sources by using an access policy associated with the Lambda function. For more information about the push model, see Event Source Mapping.
Assuming that you grant permission, the next question is, "can an event source invoke a function version using any of the associated ARNs?" The answer is, it depends on how you identified function in your add permissions request (see AddPermission). The key to understanding this is that the permission you grant apply only to the ARN used in the add permission request:
If you use a qualified function name (such as
helloworld:1), the permission is valid for invoking the
helloworldfunction version 1 only using its qualified ARN (using any other ARNs will result in a permission error).
If you use an alias name (such as
helloworld:BETA), the permission is valid only for invoking the
helloworldfunction using the BETA alias ARN (using any other ARNs will result in a permission error, including the function version ARN to which the alias points).
If you use an unqualified function name (such as
helloworld), the permission is valid only for invoking the
helloworldfunction using the unqualified function ARN (using any other ARNs will result in a permission error).
Note that even though the access policy is only on the unqualified ARN, the code and configuration of the invoked Lambda function is still from function version
$LATEST. The unqualified function ARN maps to the
$LATESTversion but the permissions you add are ARN-specific.
If you use a qualified function name using the
helloworld:$LATEST), the permission is valid for invoking the
$LATESTonly using its qualified ARN (using unqualified ARN will result in a permission error).