Granting function access to an organization
To grant permissions to an organization in AWS Organizations, specify the organization ID as the principal-org-id
.
The following add-permissiono-a1b2c3d4e5f
.
aws lambda add-permission \ --function-name example \ --statement-id PrincipalOrgIDExample \ --action lambda:InvokeFunction \ --principal * \ --principal-org-id o-a1b2c3d4e5f
Note
In this command, Principal
is *
. This means that all users in the organization
o-a1b2c3d4e5f
get function invocation permissions. If you specify an AWS account or role as the
Principal
, then only that principal gets function invocation permissions, but only if they are
also part of the o-a1b2c3d4e5f
organization.
This command creates a resource-based policy that looks like the following:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PrincipalOrgIDExample", "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-2:123456789012:function:example",
"Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-a1b2c3d4e5f" } }
} ] }
For more information, see aws:PrincipalOrgID in the IAM user guide.