Creating the Lambda Function IAM Role
In our last article, we looked at how to set up scheduled events using either the API (python and boto3) or CloudFormation, including the required Trusted Entity Policy Document and IAM Role. This role and policy can be created manually using the AWS web console (not recommended), scripted using the IAM API (e.g. Python and boto3), or using a templating tool (e.g. CloudFormation. Hashicorp’s Terraform). For this exercise we will cover both the scripted and the template tool approaches.
The IAM policy rights required for creating the Lambda function role and policy are:
Creating the Lambda IAM role via the IAM API using Python and boto3
Note: For the following example you must either have your AWS credentials defined in a supported location (e.g. ENV variables, ~/.boto, ~/.aws/configuration, EC2 meta-data) or you must specify credentials when creating your boto3 client (or alternatively ‘session’). The User/Role associated with the AWS credentials must also have the necessary rights, defined by policy, to perform the required operations against AWS IAM API.
The following python script will produce our desired IAM role and policy:
That will create the necessary lambda function role and its inline policy.
Creating the Lambda IAM role using AWS CloudFormation Template
The following block of JSON can be added to a CloudFormation template’s “Resource” section to create the Lambda function role and its inline policy:
Visit us next week for the final segment of this blog series – Registering the Lambda Function.
-Ryan Kennedy, Sr Cloud Consultant