Permissions for @turbot/aws-lambda
The table below lists each IAM permission used by the Lambda mod, the grant level it is assigned to (Metadata, ReadOnly, Operator or Admin, each level including the ones below it) and, where the choice is not obvious, the reasoning behind it:
Permission | Grant Level | Help |
---|---|---|
iam:ListRoles | Metadata | |
iam:PassRole | Admin | To create or update a Lambda function the caller must be allowed to pass the function's execution role to Lambda. PassRole is a privilege-escalation vector, so scope it to specific roles and to the lambda.amazonaws.com service. |
lambda:AddLayerVersionPermission | Admin | Adds a statement to a layer version's resource policy, typically to let other accounts use the layer. This is common and would otherwise fit Operator, but because it can share layer code across accounts it stays at Admin until guardrails restrict the principals. |
lambda:AddPermission | Admin | Adds a statement to a function's resource policy so a service or account can invoke it (the push model). This is common and would otherwise fit Operator, but because it can grant cross-account access it stays at Admin until guardrails (for example a lambda:Principal condition) restrict the principals. |
lambda:CreateAlias | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:CreateCodeSigningConfig | Admin | |
lambda:CreateEventSourceMapping | Operator | Operators can manage triggers (event source mappings) for functions. |
lambda:CreateFunction | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:DeleteAlias | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:DeleteCodeSigningConfig | Admin | |
lambda:DeleteEventSourceMapping | Operator | Operators can manage triggers (event source mappings) for functions. |
lambda:DeleteFunction | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:DeleteFunctionCodeSigningConfig | Admin | |
lambda:DeleteFunctionConcurrency | Admin | Admin can manage concurrent execution limit. |
lambda:DeleteFunctionEventInvokeConfig | Admin | |
lambda:DeleteLayerVersion | Admin | |
lambda:DeleteProvisionedConcurrencyConfig | Admin | |
lambda:DisableReplication | Admin | |
lambda:EnableReplication | Admin | Admins can add a statement to the function's resource policy that lets the Lambda replication service (used by Lambda@Edge) read the function code and configuration. |
lambda:GetAccountSettings | Metadata | |
lambda:GetAlias | Metadata | |
lambda:GetCodeSigningConfig | Metadata | |
lambda:GetFunctionCodeSigningConfig | Metadata | |
lambda:GetEventSourceMapping | Metadata | |
lambda:GetFunction | ReadOnly | Returns a presigned URL to download the deployment package, so function code is treated as data and requires ReadOnly rather than Metadata. |
lambda:GetFunctionConcurrency | Metadata | |
lambda:GetFunctionConfiguration | Metadata | |
lambda:GetFunctionEventInvokeConfig | Metadata | |
lambda:GetLayerVersion | ReadOnly | Returns a download link for the layer archive, so layer content is treated as data, like function code. |
lambda:GetLayerVersionByArn | ReadOnly | Returns the same download link as GetLayerVersion, so it is treated the same way. |
lambda:GetLayerVersionPolicy | Metadata | |
lambda:GetPolicy | Metadata | |
lambda:GetProvisionedConcurrencyConfig | Metadata | |
lambda:InvokeAsync | Operator | Deprecated; use Invoke (lambda:InvokeFunction) instead. |
lambda:InvokeFunction | Operator | Operators can invoke/run functions. |
lambda:ListAliases | Metadata | |
lambda:ListCodeSigningConfigs | Metadata | |
lambda:ListEventSourceMappings | Metadata | |
lambda:ListFunctionsByCodeSigningConfig | Metadata | |
lambda:ListFunctionEventInvokeConfigs | Metadata | |
lambda:ListFunctions | Metadata | Returns configuration only, not function code. |
lambda:ListLayerVersions | Metadata | |
lambda:ListLayers | Metadata | |
lambda:ListProvisionedConcurrencyConfigs | Metadata | |
lambda:ListTags | Metadata | |
lambda:ListVersionsByFunction | Metadata | |
lambda:PublishLayerVersion | Admin | Admins can create a layer version from a ZIP archive. Each call to PublishLayerVersion with the same layer name creates a new version number. |
lambda:PublishVersion | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:PutFunctionConcurrency | Admin | Admin can manage concurrent execution limit. |
lambda:PutFunctionEventInvokeConfig | Admin | |
lambda:PutFunctionCodeSigningConfig | Admin | |
lambda:PutProvisionedConcurrencyConfig | Admin | |
lambda:RemoveLayerVersionPermission | Admin | |
lambda:RemovePermission | Operator | Allows removal of statements from a function's resource policy (push permissions). Safe to grant to Operator because it cannot add access; the residual risk is breaking an integration that depended on the removed statement. |
lambda:TagResource | Operator | Operators can manage tags. |
lambda:UntagResource | Operator | Operators can manage tags. |
lambda:UpdateAlias | Operator | Operators can deploy released versions (but cannot control releases or edit functions). |
lambda:UpdateCodeSigningConfig | Admin | |
lambda:UpdateEventSourceMapping | Operator | Operators can manage triggers (event source mappings) for functions. |
lambda:UpdateFunctionCode | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:UpdateFunctionCodeSigningConfig | Admin | |
lambda:UpdateFunctionConfiguration | Admin | Admin controls the release of functions and the aliases that point at them. |
lambda:UpdateFunctionEventInvokeConfig | Admin | |
s3:GetObject | Operator | Lets the caller read a deployment package from S3 when function or layer code is supplied as an S3 object. |
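The following script, added here as an example and not part of the Turbot mod, turns the table above into cumulative IAM policy documents, one per grant level, and attaches the guardrails the Help column asks for: iam:PassRole is limited to execution roles with a given name prefix and to the lambda.amazonaws.com service (the iam:PassedToService condition key), and lambda:AddPermission is limited to a list of service principals plus the account itself (the lambda:Principal condition key), which blocks cross-account statements. The account ID, the role prefix and the trusted principal list are placeholders. The deprecated InvokeAsync action is left out, and GetLayerVersionByArn is placed beside GetLayerVersion because both return the layer download link.

```python
"""Tiered IAM policy generator for the @turbot/aws-lambda grant levels.

Added example, not Turbot's code. Placeholders: ACCOUNT_ID, ROLE_PREFIX and
TRUSTED_PRINCIPALS. Levels are cumulative: Admin includes Operator, which
includes ReadOnly, which includes Metadata.
"""
import json

ACCOUNT_ID = "123456789012"       # placeholder account
ROLE_PREFIX = "lambda-exec-"      # placeholder: only roles with this prefix may be passed
TRUSTED_PRINCIPALS = [            # placeholder: services allowed to push to functions
    "events.amazonaws.com", "s3.amazonaws.com", "sns.amazonaws.com",
]

LEVELS = ["Metadata", "ReadOnly", "Operator", "Admin"]

# Actions per level, transcribed from the table (duplicates and InvokeAsync dropped).
GRANT = {
    "Metadata": [
        "iam:ListRoles", "lambda:GetAccountSettings", "lambda:GetAlias",
        "lambda:GetCodeSigningConfig", "lambda:GetEventSourceMapping",
        "lambda:GetFunctionCodeSigningConfig", "lambda:GetFunctionConcurrency",
        "lambda:GetFunctionConfiguration", "lambda:GetFunctionEventInvokeConfig",
        "lambda:GetLayerVersionPolicy", "lambda:GetPolicy",
        "lambda:GetProvisionedConcurrencyConfig", "lambda:ListAliases",
        "lambda:ListCodeSigningConfigs", "lambda:ListEventSourceMappings",
        "lambda:ListFunctionsByCodeSigningConfig", "lambda:ListFunctionEventInvokeConfigs",
        "lambda:ListFunctions", "lambda:ListLayerVersions", "lambda:ListLayers",
        "lambda:ListProvisionedConcurrencyConfigs", "lambda:ListTags",
        "lambda:ListVersionsByFunction",
    ],
    # Both layer getters return a download link, so they sit with GetFunction.
    "ReadOnly": ["lambda:GetFunction", "lambda:GetLayerVersion", "lambda:GetLayerVersionByArn"],
    "Operator": [
        "lambda:CreateEventSourceMapping", "lambda:DeleteEventSourceMapping",
        "lambda:InvokeFunction", "lambda:RemovePermission", "lambda:TagResource",
        "lambda:UntagResource", "lambda:UpdateAlias", "lambda:UpdateEventSourceMapping",
        "s3:GetObject",
    ],
    "Admin": [
        "iam:PassRole", "lambda:AddLayerVersionPermission", "lambda:AddPermission",
        "lambda:CreateAlias", "lambda:CreateCodeSigningConfig", "lambda:CreateFunction",
        "lambda:DeleteAlias", "lambda:DeleteCodeSigningConfig", "lambda:DeleteFunction",
        "lambda:DeleteFunctionCodeSigningConfig", "lambda:DeleteFunctionConcurrency",
        "lambda:DeleteFunctionEventInvokeConfig", "lambda:DeleteLayerVersion",
        "lambda:DeleteProvisionedConcurrencyConfig", "lambda:DisableReplication",
        "lambda:EnableReplication", "lambda:PublishLayerVersion", "lambda:PublishVersion",
        "lambda:PutFunctionConcurrency", "lambda:PutFunctionEventInvokeConfig",
        "lambda:PutFunctionCodeSigningConfig", "lambda:PutProvisionedConcurrencyConfig",
        "lambda:RemoveLayerVersionPermission", "lambda:UpdateCodeSigningConfig",
        "lambda:UpdateFunctionCode", "lambda:UpdateFunctionCodeSigningConfig",
        "lambda:UpdateFunctionConfiguration", "lambda:UpdateFunctionEventInvokeConfig",
    ],
}


def grant_level(action):
    """Level at which `action` first becomes available, or None if not in the table."""
    return next((lvl for lvl in LEVELS if action in GRANT[lvl]), None)


def actions_at(level):
    """All actions granted at `level`, including every lower level."""
    idx = LEVELS.index(level)
    return sorted({a for lvl in LEVELS[: idx + 1] for a in GRANT[lvl]})


def guarded_statements(actions):
    """Split off the actions that need a condition; return (plain_actions, statements)."""
    plain, stmts = list(actions), []
    if "iam:PassRole" in plain:
        plain.remove("iam:PassRole")
        stmts.append({
            "Sid": "PassOnlyLambdaExecutionRoles", "Effect": "Allow", "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_PREFIX}*",
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        })
    if "lambda:AddPermission" in plain:
        plain.remove("lambda:AddPermission")
        stmts.append({
            "Sid": "NoCrossAccountInvokers", "Effect": "Allow", "Action": "lambda:AddPermission",
            "Resource": f"arn:aws:lambda:*:{ACCOUNT_ID}:function:*",
            # Only named services and this account may appear as the policy principal.
            "Condition": {"StringEquals": {"lambda:Principal": TRUSTED_PRINCIPALS + [ACCOUNT_ID]}},
        })
    return plain, stmts


def policy_document(level):
    """IAM policy document granting `level` (cumulative) with the guardrails applied."""
    plain, stmts = guarded_statements(actions_at(level))
    base = {"Sid": f"{level}Level", "Effect": "Allow", "Action": plain, "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [base] + stmts}


if __name__ == "__main__":
    print(json.dumps(policy_document("Admin"), indent=2))
```

Resource is `*` on the base statement because the List* actions do not support resource-level permissions; the guarded statements are the ones that carry resource ARNs and conditions, and an Operator document contains no guarded statements at all since neither PassRole nor AddPermission is granted below Admin.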