Actions, resources, and condition keys for AWS Lambda - Service Authorization Reference

Actions, resources, and condition keys for AWS Lambda

AWS Lambda (service prefix: lambda) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Lambda

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddLayerVersionPermission Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer Permissions management

layerVersion*

AddPermission Grants permission to give an AWS service or another account permission to use an AWS Lambda function Permissions management

function*

lambda:Principal

lambda:FunctionUrlAuthType

CreateAlias Grants permission to create an alias for a Lambda function version Write

function*

CreateCodeSigningConfig Grants permission to create an AWS Lambda code signing config Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateEventSourceMapping Grants permission to create a mapping between an event source and an AWS Lambda function Write

lambda:FunctionArn

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFunction Grants permission to create an AWS Lambda function Write

function*

iam:PassRole

lambda:Layer

lambda:VpcIds

lambda:SubnetIds

lambda:SecurityGroupIds

lambda:CodeSigningConfigArn

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFunctionUrlConfig Grants permission to create a function url configuration for a Lambda function Write

function*

lambda:FunctionUrlAuthType

lambda:FunctionArn

DeleteAlias Grants permission to delete an AWS Lambda function alias Write

function*

DeleteCodeSigningConfig Grants permission to delete an AWS Lambda code signing config Write

code signing config*

DeleteEventSourceMapping Grants permission to delete an AWS Lambda event source mapping Write

eventSourceMapping*

lambda:FunctionArn

DeleteFunction Grants permission to delete an AWS Lambda function Write

function*

DeleteFunctionCodeSigningConfig Grants permission to detach a code signing config from an AWS Lambda function Write

function*

DeleteFunctionConcurrency Grants permission to remove a concurrent execution limit from an AWS Lambda function Write

function*

DeleteFunctionEventInvokeConfig Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias Write

function*

DeleteFunctionUrlConfig Grants permission to delete function url configuration for a Lambda function Write

function*

lambda:FunctionUrlAuthType

lambda:FunctionArn

DeleteLayerVersion Grants permission to delete a version of an AWS Lambda layer Write

layerVersion*

DeleteProvisionedConcurrencyConfig Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function Write

function alias

function version

DeleteResourcePolicy Grants permission to delete the resource-based policy for an AWS Lambda function, version, or alias Permissions management

function*

lambda:RemovePermission

DisableReplication [permission only] Grants permission to disable replication for a Lambda@Edge function Permissions management

function*

EnableReplication [permission only] Grants permission to enable replication for a Lambda@Edge function Permissions management

function*

GetAccountSettings Grants permission to view details about an account's limits and usage in an AWS Region Read
GetAlias Grants permission to view details about an AWS Lambda function alias Read

function*

GetCodeSigningConfig Grants permission to view details about an AWS Lambda code signing config Read

code signing config*

GetEventSourceMapping Grants permission to view details about an AWS Lambda event source mapping Read

eventSourceMapping*

lambda:FunctionArn

GetFunction Grants permission to view details about an AWS Lambda function Read

function*

GetFunctionCodeSigningConfig Grants permission to view the code signing config arn attached to an AWS Lambda function Read

function*

GetFunctionConcurrency Grants permission to view details about the reserved concurrency configuration for a function Read

function*

GetFunctionConfiguration Grants permission to view details about the version-specific settings of an AWS Lambda function or version Read

function*

GetFunctionEventInvokeConfig Grants permission to view the configuration for asynchronous invocation for a function, version, or alias Read

function*

GetFunctionRecursionConfig Grants permission to view the recursion configuration of an AWS Lambda function Read

function*

GetFunctionUrlConfig Grants permission to read function url configuration for a Lambda function Read

function*

lambda:FunctionUrlAuthType

lambda:FunctionArn

GetLayerVersion Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API Read

layerVersion*

GetLayerVersionPolicy Grants permission to view the resource-based policy for a version of an AWS Lambda layer Read

layerVersion*

GetPolicy Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias Read

function*

GetProvisionedConcurrencyConfig Grants permission to view the provisioned concurrency configuration for an AWS Lambda function's alias or version Read

function alias

function version

GetPublicAccessBlockConfig Grants permission to view the PublicAccessBlockConfig of an AWS Lambda function Read

function*

GetResourcePolicy Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias Read

function*

lambda:GetPolicy

GetRuntimeManagementConfig Grants permission to view the runtime management configuration of an AWS Lambda function Read

function*

InvokeAsync Grants permission to invoke a function asynchronously (Deprecated) Write

function*

InvokeFunction Grants permission to invoke an AWS Lambda function Write

function*

lambda:EventSourceToken

InvokeFunctionUrl [permission only] Grants permission to invoke an AWS Lambda function through url Write

function*

lambda:FunctionUrlAuthType

lambda:FunctionArn

lambda:EventSourceToken

ListAliases Grants permission to retrieve a list of aliases for an AWS Lambda function List

function*

ListCodeSigningConfigs Grants permission to retrieve a list of AWS Lambda code signing configs List
ListEventSourceMappings Grants permission to retrieve a list of AWS Lambda event source mappings List
ListFunctionEventInvokeConfigs Grants permission to retrieve a list of configurations for asynchronous invocation for a function List

function*

ListFunctionUrlConfigs Grants permission to read function url configurations for a function List

function*

lambda:FunctionUrlAuthType

ListFunctions Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function List
ListFunctionsByCodeSigningConfig Grants permission to retrieve a list of AWS Lambda functions by the code signing config assigned List

code signing config*

ListLayerVersions Grants permission to retrieve a list of versions of an AWS Lambda layer List
ListLayers Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer List
ListProvisionedConcurrencyConfigs Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function List

function*

ListTags Grants permission to retrieve a list of tags for an AWS Lambda function, event source mapping or code signing configuration resource Read

code signing config

eventSourceMapping

function

ListVersionsByFunction Grants permission to retrieve a list of versions for an AWS Lambda function List

function*

PublishLayerVersion Grants permission to create an AWS Lambda layer Write

layer*

PublishVersion Grants permission to create an AWS Lambda function version Write

function*

PutFunctionCodeSigningConfig Grants permission to attach a code signing config to an AWS Lambda function Write

code signing config*

function*

lambda:CodeSigningConfigArn

PutFunctionConcurrency Grants permission to configure reserved concurrency for an AWS Lambda function Write

function*

PutFunctionEventInvokeConfig Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias Write

function*

PutFunctionRecursionConfig Grants permission to update the recursion configuration of an AWS Lambda function Write

function*

PutProvisionedConcurrencyConfig Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version Write

function alias

function version

PutPublicAccessBlockConfig Grants permission to update the PublicAccessBlockConfig of an AWS Lambda function Permissions management

function*

PutResourcePolicy Grants permission to update the resource-based policy for an AWS Lambda function, version, or alias Permissions management

function*

lambda:AddPermission

lambda:RemovePermission

PutRuntimeManagementConfig Grants permission to update the runtime management configuration of an AWS Lambda function Write

function*

RemoveLayerVersionPermission Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer Permissions management

layerVersion*

RemovePermission Grants permission to revoke function-use permission from an AWS service or another account Permissions management

function*

lambda:Principal

lambda:FunctionUrlAuthType

TagResource Grants permission to add tags to an AWS Lambda function, event source mapping or code signing configuration resource Tagging

code signing config

eventSourceMapping

function

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags from an AWS Lambda function, event source mapping or code signing configuration resource Tagging

code signing config

eventSourceMapping

function

aws:TagKeys

UpdateAlias Grants permission to update the configuration of an AWS Lambda function's alias Write

function*

UpdateCodeSigningConfig Grants permission to update an AWS Lambda code signing config Write

code signing config*

UpdateEventSourceMapping Grants permission to update the configuration of an AWS Lambda event source mapping Write

eventSourceMapping*

lambda:FunctionArn

UpdateFunctionCode Grants permission to update the code of an AWS Lambda function Write

function*

UpdateFunctionCodeSigningConfig Grants permission to update the code signing config of an AWS Lambda function Write

code signing config*

function*

UpdateFunctionConfiguration Grants permission to modify the version-specific settings of an AWS Lambda function Write

function*

lambda:Layer

lambda:VpcIds

lambda:SubnetIds

lambda:SecurityGroupIds

UpdateFunctionEventInvokeConfig Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias Write

function*

UpdateFunctionUrlConfig Grants permission to update a function url configuration for a Lambda function Write

function*

lambda:FunctionUrlAuthType

lambda:FunctionArn

Resource types defined by AWS Lambda

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
code signing config arn:${Partition}:lambda:${Region}:${Account}:code-signing-config:${CodeSigningConfigId}

aws:ResourceTag/${TagKey}

eventSourceMapping arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}

aws:ResourceTag/${TagKey}

function arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}

aws:ResourceTag/${TagKey}

function alias arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}

aws:ResourceTag/${TagKey}

function version arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}

aws:ResourceTag/${TagKey}

layer arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}
layerVersion arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}

Condition keys for AWS Lambda

AWS Lambda defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString
lambda:CodeSigningConfigArn Filters access by the ARN of an AWS Lambda code signing config ARN
lambda:EventSourceToken Filters access by the ID from a non-AWS event source configured for the AWS Lambda function String
lambda:FunctionArn Filters access by the ARN of an AWS Lambda function ARN
lambda:FunctionUrlAuthType Filters access by authorization type specified in request. Available during CreateFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, GetFunctionUrlConfig, ListFunctionUrlConfig, AddPermission and RemovePermission operations String
lambda:Layer Filters access by the ARN of a version of an AWS Lambda layer ArrayOfString
lambda:Principal Filters access by restricting the AWS service or account that can invoke a function String
lambda:SecurityGroupIds Filters access by the ID of security groups configured for the AWS Lambda function ArrayOfString
lambda:SourceFunctionArn Filters access by the ARN of the AWS Lambda function from which the request originated ARN
lambda:SubnetIds Filters access by the ID of subnets configured for the AWS Lambda function ArrayOfString
lambda:VpcIds Filters access by the ID of the VPC configured for the AWS Lambda function String