Actions, resources, and condition keys for AWS Lambda
AWS Lambda (service prefix: lambda) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Lambda
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Access level column of the Actions table describes how the action is classified (List, Read, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Access levels in policy summaries.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
The Dependent actions column of the Actions table shows additional permissions that may be required to successfully call an action. These permissions may be needed in addition to the permission for the action itself. When an action specifies dependent actions, those dependencies may apply to additional resources defined for that action, not only the first resource listed in the table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddLayerVersionPermission | Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer | Permissions management | |||
| AddPermission | Grants permission to give an AWS service or another account permission to use an AWS Lambda function | Permissions management | |||
| CheckpointDurableExecution | Grants permission to save the progress of an AWS Lambda durable execution | Write | |||
| CreateAlias | Grants permission to create an alias for a Lambda function version | Write | |||
| CreateCapacityProvider | Grants permission to create an AWS Lambda capacity provider | Write |
iam:CreateServiceLinkedRole iam:PassRole kms:DescribeKey |
||
| CreateCodeSigningConfig | Grants permission to create an AWS Lambda code signing config | Write | |||
| CreateEventSourceMapping | Grants permission to create a mapping between an event source and an AWS Lambda function | Write | |||
| CreateFunction | Grants permission to create an AWS Lambda function | Write |
iam:PassRole lambda:PassCapacityProvider |
||
| CreateFunctionUrlConfig | Grants permission to create a function url configuration for a Lambda function | Write | |||
| DeleteAlias | Grants permission to delete an AWS Lambda function alias | Write | |||
| DeleteCapacityProvider | Grants permission to delete an AWS Lambda capacity provider | Write | |||
| DeleteCodeSigningConfig | Grants permission to delete an AWS Lambda code signing config | Write | |||
| DeleteEventSourceMapping | Grants permission to delete an AWS Lambda event source mapping | Write | |||
| DeleteFunction | Grants permission to delete an AWS Lambda function | Write | |||
| DeleteFunctionCodeSigningConfig | Grants permission to detach a code signing config from an AWS Lambda function | Write | |||
| DeleteFunctionConcurrency | Grants permission to remove a concurrent execution limit from an AWS Lambda function | Write | |||
| DeleteFunctionEventInvokeConfig | Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias | Write | |||
| DeleteFunctionUrlConfig | Grants permission to delete function url configuration for a Lambda function | Write | |||
| DeleteLayerVersion | Grants permission to delete a version of an AWS Lambda layer | Write | |||
| DeleteProvisionedConcurrencyConfig | Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function | Write | |||
| DisableReplication [permission only] | Grants permission to disable replication for a Lambda@Edge function | Permissions management | |||
| EnableReplication [permission only] | Grants permission to enable replication for a Lambda@Edge function | Permissions management | |||
| GetAccountSettings | Grants permission to view details about an account's limits and usage in an AWS Region | Read | |||
| GetAlias | Grants permission to view details about an AWS Lambda function alias | Read | |||
| GetCapacityProvider | Grants permission to view details about an AWS Lambda capacity provider | Read | |||
| GetCodeSigningConfig | Grants permission to view details about an AWS Lambda code signing config | Read | |||
| GetDurableExecution | Grants permission to view details of an AWS Lambda durable execution | Read | |||
| GetDurableExecutionHistory | Grants permission to view execution history of an AWS Lambda durable execution | Read | |||
| GetDurableExecutionState | Grants permission to view current state of an AWS Lambda durable execution | Read | |||
| GetEventSourceMapping | Grants permission to view details about an AWS Lambda event source mapping | Read | |||
| GetFunction | Grants permission to view details about an AWS Lambda function | Read | |||
| GetFunctionCodeSigningConfig | Grants permission to view the code signing config arn attached to an AWS Lambda function | Read | |||
| GetFunctionConcurrency | Grants permission to view details about the reserved concurrency configuration for a function | Read | |||
| GetFunctionConfiguration | Grants permission to view details about the version-specific settings of an AWS Lambda function or version | Read | |||
| GetFunctionEventInvokeConfig | Grants permission to view the configuration for asynchronous invocation for a function, version, or alias | Read | |||
| GetFunctionRecursionConfig | Grants permission to view the recursion configuration of an AWS Lambda function | Read | |||
| GetFunctionScalingConfig | Grants permission to view the scaling configuration of an AWS Lambda function running on a capacity provider | Read | |||
| GetFunctionUrlConfig | Grants permission to read function url configuration for a Lambda function | Read | |||
| GetLayerVersion | Grants permission to view details about a version of an AWS Lambda layer. Note this action also supports GetLayerVersionByArn API | Read | |||
| GetLayerVersionPolicy | Grants permission to view the resource-based policy for a version of an AWS Lambda layer | Read | |||
| GetPolicy | Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias | Read | |||
| GetProvisionedConcurrencyConfig | Grants permission to view the provisioned concurrency configuration for an AWS Lambda function's alias or version | Read | |||
| GetRuntimeManagementConfig | Grants permission to view the runtime management configuration of an AWS Lambda function | Read | |||
| InvokeAsync | Grants permission to invoke a function asynchronously (Deprecated) | Write | |||
| InvokeFunction | Grants permission to invoke an AWS Lambda function | Write | |||
| InvokeFunctionUrl [permission only] | Grants permission to invoke an AWS Lambda function through url | Write | |||
| ListAliases | Grants permission to retrieve a list of aliases for an AWS Lambda function | List | |||
| ListCapacityProviders | Grants permission to retrieve a list of AWS Lambda capacity providers | List | |||
| ListCodeSigningConfigs | Grants permission to retrieve a list of AWS Lambda code signing configs | List | |||
| ListDurableExecutionsByFunction | Grants permission to retrieve a list of AWS Lambda durable executions of an AWS Lambda function | List | |||
| ListEventSourceMappings | Grants permission to retrieve a list of AWS Lambda event source mappings | List | |||
| ListFunctionEventInvokeConfigs | Grants permission to retrieve a list of configurations for asynchronous invocation for a function | List | |||
| ListFunctionUrlConfigs | Grants permission to read function url configurations for a function | List | |||
| ListFunctionVersionsByCapacityProvider | Grants permission to retrieve a list of AWS Lambda function versions by the capacity provider assigned | List | |||
| ListFunctions | Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function | List | |||
| ListFunctionsByCodeSigningConfig | Grants permission to retrieve a list of AWS Lambda functions by the code signing config assigned | List | |||
| ListLayerVersions | Grants permission to retrieve a list of versions of an AWS Lambda layer | List | |||
| ListLayers | Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer | List | |||
| ListProvisionedConcurrencyConfigs | Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function | List | |||
| ListTags | Grants permission to retrieve a list of tags for an AWS Lambda function, event source mapping, capacity provider, or code signing configuration resource | Read | |||
| ListVersionsByFunction | Grants permission to retrieve a list of versions for an AWS Lambda function | List | |||
| PassCapacityProvider [permission only] | Grants permission to pass an AWS Lambda capacity provider to a service | Write | |||
| PublishLayerVersion | Grants permission to create an AWS Lambda layer | Write | |||
| PublishVersion | Grants permission to create an AWS Lambda function version | Write | |||
| PutFunctionCodeSigningConfig | Grants permission to attach a code signing config to an AWS Lambda function | Write | |||
| PutFunctionConcurrency | Grants permission to configure reserved concurrency for an AWS Lambda function | Write | |||
| PutFunctionEventInvokeConfig | Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias | Write | |||
| PutFunctionRecursionConfig | Grants permission to update the recursion configuration of an AWS Lambda function | Write | |||
| PutFunctionScalingConfig | Grants permission to update the scaling configuration of an AWS Lambda function running on a capacity provider | Write | |||
| PutProvisionedConcurrencyConfig | Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version | Write | |||
| PutRuntimeManagementConfig | Grants permission to update the runtime management configuration of an AWS Lambda function | Write | |||
| RemoveLayerVersionPermission | Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer | Permissions management | |||
| RemovePermission | Grants permission to revoke function-use permission from an AWS service or another account | Permissions management | |||
| SendDurableExecutionCallbackFailure | Grants permission to send a failure response for a callback operation in an AWS Lambda durable execution | Write | |||
| SendDurableExecutionCallbackHeartbeat | Grants permission to send a heartbeat for a callback operation in an AWS Lambda durable execution | Write | |||
| SendDurableExecutionCallbackSuccess | Grants permission to send a successful response for a callback operation in an AWS Lambda durable execution | Write | |||
| StopDurableExecution | Grants permission to stop an AWS Lambda durable execution | Write | |||
| TagResource | Grants permission to add tags to an AWS Lambda function, event source mapping, capacity provider, or code signing configuration resource | Tagging | |||
| UntagResource | Grants permission to remove tags from an AWS Lambda function, event source mapping, capacity provider, or code signing configuration resource | Tagging | |||
| UpdateAlias | Grants permission to update the configuration of an AWS Lambda function's alias | Write | |||
| UpdateCapacityProvider | Grants permission to update an AWS Lambda capacity provider | Write | |||
| UpdateCodeSigningConfig | Grants permission to update an AWS Lambda code signing config | Write | |||
| UpdateEventSourceMapping | Grants permission to update the configuration of an AWS Lambda event source mapping | Write | |||
| UpdateFunctionCode | Grants permission to update the code of an AWS Lambda function | Write | |||
| UpdateFunctionCodeSigningConfig | Grants permission to update the code signing config of an AWS Lambda function | Write | |||
| UpdateFunctionConfiguration | Grants permission to modify the version-specific settings of an AWS Lambda function | Write | |||
| UpdateFunctionEventInvokeConfig | Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias | Write | |||
| UpdateFunctionUrlConfig | Grants permission to update a function url configuration for a Lambda function | Write | |||
Resource types defined by AWS Lambda
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| capacityProvider |
arn:${Partition}:lambda:${Region}:${Account}:capacity-provider:${CapacityProviderName}
|
|
| code signing config |
arn:${Partition}:lambda:${Region}:${Account}:code-signing-config:${CodeSigningConfigId}
|
|
| durable execution |
arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}/durable-execution/${ExecutionName}/${ExecutionId}
|
|
| eventSourceMapping |
arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}
|
|
| function |
arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}
|
|
| function alias |
arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}
|
|
| function version |
arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}
|
|
| layer |
arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}
|
|
| layerVersion |
arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}
|
Condition keys for AWS Lambda
AWS Lambda defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see AWS global condition context keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
| lambda:CodeSigningConfigArn | Filters access by the ARN of an AWS Lambda code signing config | ARN |
| lambda:EventSourceToken | Filters access by the ID from a non-AWS event source configured for the AWS Lambda function | String |
| lambda:FunctionArn | Filters access by the ARN of an AWS Lambda function | ARN |
| lambda:FunctionUrlAuthType | Filters access by authorization type specified in request. Available during CreateFunctionUrlConfig, UpdateFunctionUrlConfig, DeleteFunctionUrlConfig, GetFunctionUrlConfig, ListFunctionUrlConfig, AddPermission and RemovePermission operations | String |
| lambda:InvokedViaFunctionUrl | Limits the scope of lambda:InvokeFunction action to Function URLs only. Available during AddPermission operation | Bool |
| lambda:Layer | Filters access by the ARN of a version of an AWS Lambda layer | ArrayOfString |
| lambda:Principal | Filters access by restricting the AWS service or account that can invoke a function | String |
| lambda:SecurityGroupIds | Filters access by the ID of security groups configured for the AWS Lambda function | ArrayOfString |
| lambda:SourceFunctionArn | Filters access by the ARN of the AWS Lambda function from which the request originated | ARN |
| lambda:SubnetIds | Filters access by the ID of subnets configured for the AWS Lambda function | ArrayOfString |
| lambda:VpcIds | Filters access by the ID of the VPC configured for the AWS Lambda function | String |
