Class Permission
Represents a permission statement that can be added to a Lambda function's resource policy via the addPermission() method.
Inheritance
Implements
Namespace: Amazon.CDK.AWS.Lambda
Assembly: Amazon.CDK.AWS.Lambda.dll
Syntax (csharp)
public class Permission : Object, IPermission
Syntax (vb)
Public Class Permission
Inherits Object
Implements IPermission
Examples
Function fn;
var principal = new ServicePrincipal("my-service");

fn.GrantInvoke(principal);

// Equivalent to:
fn.AddPermission("my-service Invocation", new Permission {
    Principal = principal
});
Synopsis
Constructors
Permission() |
Properties
Action | The Lambda actions that you want to allow in this statement. |
EventSourceToken | A unique token that must be supplied by the principal invoking the function. |
FunctionUrlAuthType | The authType for the function URL that you are granting permissions for. |
Principal | The entity for which you are granting permission to invoke the Lambda function. |
Scope | The scope to which the permission constructs will be attached. |
SourceAccount | The AWS account ID (without hyphens) of the source owner. |
SourceArn | The ARN of a resource that is invoking your function. |
Constructors
Permission()
public Permission()
Properties
Action
The Lambda actions that you want to allow in this statement.
public string Action { get; set; }
Property Value
System.String
Remarks
For example, you can specify lambda:CreateFunction to specify a certain action, or use a wildcard (lambda:*) to grant permission to all Lambda actions. For a list of actions, see Actions and Condition Context Keys for AWS Lambda in the IAM User Guide.
Default: 'lambda:InvokeFunction'
EventSourceToken
A unique token that must be supplied by the principal invoking the function.
public string EventSourceToken { get; set; }
Property Value
System.String
Remarks
Default: The caller would not need to present a token.
FunctionUrlAuthType
The authType for the function URL that you are granting permissions for.
public Nullable<FunctionUrlAuthType> FunctionUrlAuthType { get; set; }
Property Value
System.Nullable<FunctionUrlAuthType>
Remarks
Default: - No functionUrlAuthType
Principal
The entity for which you are granting permission to invoke the Lambda function.
public IPrincipal Principal { get; set; }
Property Value
IPrincipal
Remarks
This entity can be any valid AWS service principal, such as s3.amazonaws.com or sns.amazonaws.com, or, if you are granting cross-account permission, an AWS account ID. For example, you might want to allow a custom application in another AWS account to push events to Lambda by invoking your function.
The principal can be either an AccountPrincipal or a ServicePrincipal.
Scope
The scope to which the permission constructs will be attached.
public Construct Scope { get; set; }
Property Value
Construct
Remarks
The default is the Lambda function construct itself, but this would need to be different in cases such as cross-stack references where the Permissions would need to sit closer to the consumer of this permission (i.e., the caller).
Default: - The instance of lambda.IFunction
SourceAccount
The AWS account ID (without hyphens) of the source owner.
public string SourceAccount { get; set; }
Property Value
System.String
Remarks
For example, if you specify an S3 bucket in the SourceArn property, this value is the bucket owner's account ID. You can use this property to ensure that all source principals are owned by a specific account.
SourceArn
The ARN of a resource that is invoking your function.
public string SourceArn { get; set; }
Property Value
System.String
Remarks
When granting Amazon Simple Storage Service (Amazon S3) permission to invoke your function, specify this property with the bucket ARN as its value. This ensures that only events generated from the specified bucket can invoke the function, rather than events from any bucket in any AWS account that creates a mapping to your function.
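The following added example (not part of the CDK reference itself) contrasts a service-principal grant that names only the service with one scoped by SourceArn and SourceAccount, as described in the remarks for those two properties. The class name InvokePermissions, the method names, and the construct IDs are hypothetical, and the bucket is assumed to be owned by the account of the stack it is defined in.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Amazon.CDK.AWS.Lambda;
using Amazon.CDK.AWS.S3;

// Hypothetical helper class for illustration; not part of the CDK.
public static class InvokePermissions
{
    // Weak: only the service is named. Any bucket, in any AWS account,
    // that creates a mapping to this function is allowed to invoke it.
    public static void AllowAnyBucket(IFunction fn)
    {
        fn.AddPermission("S3InvokeUnscoped", new Permission
        {
            Principal = new ServicePrincipal("s3.amazonaws.com")
        });
    }

    // Scoped: the statement only matches events from one bucket
    // (SourceArn) that is owned by the expected account (SourceAccount).
    // S3 bucket ARNs carry no account ID, so SourceAccount is what ties
    // the bucket name to its owner.
    public static void AllowOnlyBucket(IFunction fn, IBucket bucket)
    {
        fn.AddPermission("S3InvokeScoped", new Permission
        {
            Principal = new ServicePrincipal("s3.amazonaws.com"),
            Action = "lambda:InvokeFunction",   // the documented default, stated explicitly
            SourceArn = bucket.BucketArn,
            // Assumption: the bucket is owned by the account of its stack.
            SourceAccount = Stack.Of(bucket).Account
        });
    }
}
```

When reviewing a synthesized template, the scoped variant shows up as SourceArn and SourceAccount on the generated AWS::Lambda::Permission resource; a permission for a service principal that has neither is the one to question.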