Package software.amazon.awscdk.services.lambda

Class CfnPermission

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.core.Construct
software.amazon.awscdk.core.CfnElement
software.amazon.awscdk.core.CfnRefElement
software.amazon.awscdk.core.CfnResource
software.amazon.awscdk.services.lambda.CfnPermission
All Implemented Interfaces:
IConstruct, IDependable, IInspectable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct
@Generated(value="jsii-pacmak/1.84.0 (build 5404dcf)", date="2023-06-19T16:30:40.672Z") @Stability(Stable) public class CfnPermission extends CfnResource implements IInspectable
A CloudFormation AWS::Lambda::Permission.

The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.

To grant permission to another account, specify the account ID as the Principal . To grant permission to an organization defined in AWS Organizations , specify the organization ID as the PrincipalOrgID . For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com . For AWS services, you can also specify the ARN of the associated resource as the SourceArn . If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.

If your function has a function URL, you can specify the FunctionUrlAuthType parameter. This adds a condition to your permission that only applies when your function URL's AuthType matches the specified FunctionUrlAuthType . For more information about the AuthType parameter, see Security and auth model for Lambda function URLs .

This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies .

Example: 

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.lambda.*;
 CfnPermission cfnPermission = CfnPermission.Builder.create(this, "MyCfnPermission")
         .action("action")
         .functionName("functionName")
         .principal("principal")
         // the properties below are optional
         .eventSourceToken("eventSourceToken")
         .functionUrlAuthType("functionUrlAuthType")
         .principalOrgId("principalOrgId")
         .sourceAccount("sourceAccount")
         .sourceArn("sourceArn")
         .build();

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnPermission

      protected CfnPermission(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnPermission

      protected CfnPermission(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnPermission

      @Stability(Stable) public CfnPermission(@NotNull Construct scope, @NotNull String id, @NotNull CfnPermissionProps props)
      Create a new AWS::Lambda::Permission.

      Parameters:
      scope -
      • scope in which this resource is defined.
      This parameter is required.
      id -
      • scoped id of the resource.
      This parameter is required.
      props -
      • resource properties.
      This parameter is required.

  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector -
      • tree inspector to collect and process attributes.
      This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getAction

      @Stability(Stable) @NotNull public String getAction()
      The action that the principal can use on the function.

      For example, lambda:InvokeFunction or lambda:GetFunction .

    • setAction

      @Stability(Stable) public void setAction(@NotNull String value)
      The action that the principal can use on the function.

      For example, lambda:InvokeFunction or lambda:GetFunction .

    • getFunctionName

      @Stability(Stable) @NotNull public String getFunctionName()
      The name of the Lambda function, version, or alias.

      Name formats - Function namemy-function (name-only), my-function:v1 (with alias).

      • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function .
      • Partial ARN123456789012:function:my-function .

      You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    • setFunctionName

      @Stability(Stable) public void setFunctionName(@NotNull String value)
      The name of the Lambda function, version, or alias.

      Name formats - Function namemy-function (name-only), my-function:v1 (with alias).

      • Function ARNarn:aws:lambda:us-west-2:123456789012:function:my-function .
      • Partial ARN123456789012:function:my-function .

      You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

    • getPrincipal

      @Stability(Stable) @NotNull public String getPrincipal()
      The AWS service or AWS account that invokes the function.

      If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.

    • setPrincipal

      @Stability(Stable) public void setPrincipal(@NotNull String value)
      The AWS service or AWS account that invokes the function.

      If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.

    • getEventSourceToken

      @Stability(Stable) @Nullable public String getEventSourceToken()
      For Alexa Smart Home functions, a token that the invoker must supply.

    • setEventSourceToken

      @Stability(Stable) public void setEventSourceToken(@Nullable String value)
      For Alexa Smart Home functions, a token that the invoker must supply.

    • getFunctionUrlAuthType

      @Stability(Stable) @Nullable public String getFunctionUrlAuthType()
      The type of authentication that your function URL uses.

      Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs .

    • setFunctionUrlAuthType

      @Stability(Stable) public void setFunctionUrlAuthType(@Nullable String value)
      The type of authentication that your function URL uses.

      Set to AWS_IAM if you want to restrict access to authenticated users only. Set to NONE if you want to bypass IAM authentication to create a public endpoint. For more information, see Security and auth model for Lambda function URLs .

    • getPrincipalOrgId

      @Stability(Stable) @Nullable public String getPrincipalOrgId()
      The identifier for your organization in AWS Organizations .

      Use this to grant permissions to all the AWS accounts under this organization.

    • setPrincipalOrgId

      @Stability(Stable) public void setPrincipalOrgId(@Nullable String value)
      The identifier for your organization in AWS Organizations .

      Use this to grant permissions to all the AWS accounts under this organization.

    • getSourceAccount

      @Stability(Stable) @Nullable public String getSourceAccount()
      For AWS service , the ID of the AWS account that owns the resource.

      Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.

    • setSourceAccount

      @Stability(Stable) public void setSourceAccount(@Nullable String value)
      For AWS service , the ID of the AWS account that owns the resource.

      Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.

    • getSourceArn

      @Stability(Stable) @Nullable public String getSourceArn()
      For AWS services , the ARN of the AWS resource that invokes the function.

      For example, an Amazon S3 bucket or Amazon SNS topic.

      Note that Lambda configures the comparison using the StringLike operator.

    • setSourceArn

      @Stability(Stable) public void setSourceArn(@Nullable String value)
      For AWS services , the ARN of the AWS resource that invokes the function.

      For example, an Amazon S3 bucket or Amazon SNS topic.

      Note that Lambda configures the comparison using the StringLike operator.