First, we need a policy that allows creating Lambda functions only when they are tagged with a permitted team. For this we are going to use team Alpha and team Beta: the StringEquals condition on aws:RequestTag/Team requires the Team tag in the create request to be one of those two values, and the ForAllValues:StringEquals condition on aws:TagKeys rejects any request that carries additional tag keys. lambda:TagResource is included so the tags can actually be applied.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "lambda:CreateFunction",
      "lambda:TagResource"
    ],
    "Resource": "arn:aws:lambda:*:*:function:*",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/Team": [
          "Alpha",
          "Beta"
        ]
      },
      "ForAllValues:StringEquals": {
        "aws:TagKeys": "Team"
      }
    }
  }
}
Next we create another policy that allows lambda:InvokeFunction only when the function being invoked carries the resource tag Team set to Alpha (aws:ResourceTag/Team).
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:*:*:function:*",
    "Condition": {
      "StringEquals": {
        "aws:ResourceTag/Team": "Alpha"
      }
    }
  }
}
Then we need one more policy that grants iam:PassRole and iam:ListRoles.
It is important to note that iam:PassRole does not support tag-based authorization, so instead of a tag condition it is scoped to the ARN of the execution role; the Resource in that statement needs to be replaced with the role-specific ARN from the setup process. iam:ListRoles is needed so the AWS Console can list existing execution roles when creating a function, and it does not support resource-level permissions, so it must be granted on "*" in its own statement. The iam:PassedToService condition limits the role to being passed to Lambda, so the same user cannot hand it to another service.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListRolesForConsole",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "PassExecutionRoleToLambda",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "Role specific ARN",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    }
  ]
}
Now, we need to create an IAM role, attach all three of these policies, and then tag the role with "Team: Alpha". Finally, we create a user and allow that user to assume the newly created role.
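To check how the three policies above behave before attaching them, here is a small evaluator for exactly the condition operators they use. This is an added example, not code from the post and not how IAM itself is implemented: it models Allow/Deny statements, Action and Resource wildcard matching, and the StringEquals and ForAllValues:StringEquals operators over aws:RequestTag, aws:TagKeys and aws:ResourceTag, with IAM's default deny. The execution-role ARN, account id and function ARN are constructed placeholders, not values from the post.

```python
import fnmatch

# Hypothetical execution role standing in for the post's "Role specific ARN".
EXEC_ROLE_ARN = "arn:aws:iam::123456789012:role/lambda-alpha-exec"
# Constructed function ARN used by the sample requests.
FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:orders"

CREATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["lambda:CreateFunction", "lambda:TagResource"],
        "Resource": "arn:aws:lambda:*:*:function:*",
        "Condition": {
            "StringEquals": {"aws:RequestTag/Team": ["Alpha", "Beta"]},
            "ForAllValues:StringEquals": {"aws:TagKeys": "Team"},
        },
    },
}

INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction"],
        "Resource": "arn:aws:lambda:*:*:function:*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Team": "Alpha"}},
    },
}

PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": EXEC_ROLE_ARN},
    ],
}

POLICIES = [CREATE_POLICY, INVOKE_POLICY, PASSROLE_POLICY]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _context_keys(req):
    """Derive single- and multi-valued condition keys from a request context."""
    single = {f"aws:RequestTag/{k}": v for k, v in req.get("request_tags", {}).items()}
    single.update({f"aws:ResourceTag/{k}": v for k, v in req.get("resource_tags", {}).items()})
    multi = {"aws:TagKeys": list(req.get("request_tags", {}).keys())}
    return single, multi


def _condition_ok(cond, single, multi):
    for operator, clauses in cond.items():
        for key, allowed in clauses.items():
            allowed = _as_list(allowed)
            if operator == "StringEquals":
                # A missing key makes a plain StringEquals false.
                if key not in single or single[key] not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Every request value must be in the allowed set. An empty request
                # set matches vacuously, which is why the create policy also pins
                # aws:RequestTag/Team with a plain StringEquals.
                if any(v not in allowed for v in multi.get(key, [])):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_matches(stmt, req, single, multi):
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_ok(stmt.get("Condition", {}), single, multi)


def is_allowed(req, policies=POLICIES):
    """Default deny; an explicit Deny wins; otherwise any matching Allow permits."""
    single, multi = _context_keys(req)
    allowed = False
    for pol in policies:
        for stmt in _as_list(pol["Statement"]):
            if _statement_matches(stmt, req, single, multi):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def sample_results():
    """Constructed requests covering the allow and deny paths of each policy."""
    create = {"action": "lambda:CreateFunction", "resource": FN_ARN}
    invoke = {"action": "lambda:InvokeFunction", "resource": FN_ARN}
    cases = {
        "create_alpha": {**create, "request_tags": {"Team": "Alpha"}},
        "create_gamma": {**create, "request_tags": {"Team": "Gamma"}},
        "create_extra_key": {**create, "request_tags": {"Team": "Alpha", "Env": "prod"}},
        "create_untagged": {**create, "request_tags": {}},
        "invoke_alpha": {**invoke, "resource_tags": {"Team": "Alpha"}},
        "invoke_beta": {**invoke, "resource_tags": {"Team": "Beta"}},
        "pass_exec_role": {"action": "iam:PassRole", "resource": EXEC_ROLE_ARN},
        "pass_other_role": {"action": "iam:PassRole",
                            "resource": "arn:aws:iam::123456789012:role/admin"},
        "list_roles": {"action": "iam:ListRoles", "resource": "*"},
    }
    return {name: is_allowed(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, ok in sample_results().items():
        print(f"{name:18s} {'ALLOW' if ok else 'DENY'}")
```

The create_extra_key case is the one worth studying: the Team tag is valid, but the extra Env key fails the ForAllValues:StringEquals check, so the whole create is denied. Drop the aws:TagKeys clause and a user could attach arbitrary tags alongside Team, which matters as soon as other policies key off those tags.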
To read more on using ABAC for Lambda, check out Building for Scale and Traceability Using ABAC for Lambda Functions.