Class CfnPermission
A CloudFormation AWS::Lambda::Permission.
Inherited Members
Namespace: Amazon.CDK.AWS.Lambda
Assembly: Amazon.CDK.AWS.Lambda.dll
Syntax (csharp)
public class CfnPermission : CfnResource, IConstruct, IDependable, IInspectable
Syntax (vb)
Public Class CfnPermission
Inherits CfnResource
Implements IConstruct, IDependable, IInspectable
Remarks
The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.
To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in AWS Organizations, specify the organization ID as the PrincipalOrgID. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.
If your function has a function URL, you can specify the FunctionUrlAuthType parameter. This adds a condition to your permission that only applies when your function URL's AuthType matches the specified FunctionUrlAuthType. For more information about the AuthType parameter, see Security and auth model for Lambda function URLs.
This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies.
CloudformationResource: AWS::Lambda::Permission
Link: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
ExampleMetadata: fixture=_generated
Examples
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
using Amazon.CDK.AWS.Lambda;

var cfnPermission = new CfnPermission(this, "MyCfnPermission", new CfnPermissionProps {
    Action = "action",
    FunctionName = "functionName",
    Principal = "principal",

    // the properties below are optional
    EventSourceToken = "eventSourceToken",
    FunctionUrlAuthType = "functionUrlAuthType",
    PrincipalOrgId = "principalOrgId",
    SourceAccount = "sourceAccount",
    SourceArn = "sourceArn"
});
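The Remarks warn that a service principal granted without a source lets other accounts route invocations to your function. The following added example (not from the CDK documentation) puts an unscoped S3 grant beside a scoped one. The stack class name, function name, bucket ARN and account ID are constructed placeholders, and the `using` lines assume the CDK v1 package layout this page documents (with CDK v2, `Construct` comes from the `Constructs` namespace instead).

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.Lambda;

// Added example: all names, ARNs and account IDs below are constructed placeholders.
public class PermissionScopingStack : Stack
{
    public PermissionScopingStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Weak: any S3 bucket in any account can be configured to invoke
        // the function, because the statement has no source condition.
        new CfnPermission(this, "S3InvokeUnscoped", new CfnPermissionProps {
            Action = "lambda:InvokeFunction",
            FunctionName = "my-function",
            Principal = "s3.amazonaws.com"
        });

        // Scoped: only the named bucket, and only while it is owned by the
        // expected account, can trigger the function.
        new CfnPermission(this, "S3InvokeScoped", new CfnPermissionProps {
            Action = "lambda:InvokeFunction",
            FunctionName = "my-function",
            Principal = "s3.amazonaws.com",

            // Compared with StringLike, so keep the ARN exact:
            // a wildcard here widens the grant.
            SourceArn = "arn:aws:s3:::example-upload-bucket",

            // Guards against the bucket being deleted and recreated
            // under the same name by a different account.
            SourceAccount = "111122223333"
        });
    }
}
```

In a real stack only the scoped statement should be kept; the unscoped one is shown for comparison when reviewing synthesized templates.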
Synopsis
Constructors
CfnPermission(Construct, String, ICfnPermissionProps) | Create a new AWS::Lambda::Permission. |
CfnPermission(ByRefValue) | Used by jsii to construct an instance of this class from a Javascript-owned object reference |
CfnPermission(DeputyBase.DeputyProps) | Used by jsii to construct an instance of this class from DeputyProps |
Properties
Action | The action that the principal can use on the function. |
CFN_RESOURCE_TYPE_NAME | The CloudFormation resource type name for this resource class. |
CfnProperties | |
EventSourceToken | For Alexa Smart Home functions, a token that the invoker must supply. |
FunctionName | The name of the Lambda function, version, or alias. |
FunctionUrlAuthType | The type of authentication that your function URL uses. |
Principal | The AWS service or AWS account that invokes the function. |
PrincipalOrgId | The identifier for your organization in AWS Organizations. |
SourceAccount | For AWS services, the ID of the AWS account that owns the resource. |
SourceArn | For AWS services, the ARN of the AWS resource that invokes the function. |
Methods
Inspect(TreeInspector) | Examines the CloudFormation resource and discloses attributes. |
RenderProperties(IDictionary<String, Object>) |
Constructors
CfnPermission(Construct, String, ICfnPermissionProps)
Create a new AWS::Lambda::Permission.
public CfnPermission(Construct scope, string id, ICfnPermissionProps props)
Parameters
- scope Construct
- scope in which this resource is defined.
- id System.String
- scoped id of the resource.
- props ICfnPermissionProps
- resource properties.
CfnPermission(ByRefValue)
Used by jsii to construct an instance of this class from a Javascript-owned object reference
protected CfnPermission(ByRefValue reference)
Parameters
- reference Amazon.JSII.Runtime.Deputy.ByRefValue
The Javascript-owned object reference
CfnPermission(DeputyBase.DeputyProps)
Used by jsii to construct an instance of this class from DeputyProps
protected CfnPermission(DeputyBase.DeputyProps props)
Parameters
- props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps
The deputy props
Properties
Action
The action that the principal can use on the function.
public virtual string Action { get; set; }
Property Value
System.String
Remarks
For example, lambda:InvokeFunction or lambda:GetFunction.
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
public static string CFN_RESOURCE_TYPE_NAME { get; }
Property Value
System.String
CfnProperties
protected override IDictionary<string, object> CfnProperties { get; }
Property Value
System.Collections.Generic.IDictionary<System.String, System.Object>
Overrides
EventSourceToken
For Alexa Smart Home functions, a token that the invoker must supply.
public virtual string EventSourceToken { get; set; }
Property Value
System.String
Remarks
FunctionName
The name of the Lambda function, version, or alias.
public virtual string FunctionName { get; set; }
Property Value
System.String
Remarks
Name formats - Function name – my-function (name-only), my-function:v1 (with alias).
You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.
FunctionUrlAuthType
The type of authentication that your function URL uses.
public virtual string FunctionUrlAuthType { get; set; }
Property Value
System.String
Remarks
Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs.
Principal
The AWS service or AWS account that invokes the function.
public virtual string Principal { get; set; }
Property Value
System.String
Remarks
If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.
PrincipalOrgId
The identifier for your organization in AWS Organizations.
public virtual string PrincipalOrgId { get; set; }
Property Value
System.String
Remarks
Use this to grant permissions to all the AWS accounts under this organization.
SourceAccount
For AWS services, the ID of the AWS account that owns the resource.
public virtual string SourceAccount { get; set; }
Property Value
System.String
Remarks
Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
SourceArn
For AWS services, the ARN of the AWS resource that invokes the function.
public virtual string SourceArn { get; set; }
Property Value
System.String
Remarks
For example, an Amazon S3 bucket or Amazon SNS topic.
Note that Lambda configures the comparison using the StringLike operator.
Methods
Inspect(TreeInspector)
Examines the CloudFormation resource and discloses attributes.
public virtual void Inspect(TreeInspector inspector)
Parameters
- inspector TreeInspector
- tree inspector to collect and process attributes.
RenderProperties(IDictionary<String, Object>)
protected override IDictionary<string, object> RenderProperties(IDictionary<string, object> props)
Parameters
- props System.Collections.Generic.IDictionary<System.String, System.Object>
Returns
System.Collections.Generic.IDictionary<System.String, System.Object>