DEV Community

DeveloperSteve for Lumigo

Posted on

Getting set up to use ABAC for Lambda Functions

First, we need to set up a policy that has the right permissions to create Lambda functions using team-specific tagging. For this we are going to use team Alpha and team Beta.

{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":[
         "lambda:CreateFunction",
         "lambda:TagResource"
      ],
      "Resource":"arn:aws:lambda:*:*:function:*",
      "Condition":{
         "StringEquals":{
            "aws:RequestTag/Team":[
               "Alpha",
               "Beta"
            ]
         },
         "ForAllValues:StringEquals":{
            "aws:TagKeys":"Team"
         }
      }
   }
}
Enter fullscreen mode Exit fullscreen mode

Next we create another policy to only allow Lambda API actions providing the resource tag is set to team Alpha.

{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":[
         "lambda:InvokeFunction"
      ],
      "Resource":"arn:aws:lambda:*:*:function:*",
      "Condition":{
         "StringEquals":{
            "aws:ResourceTag/Team":"Alpha"
         }
      }
   }
}
Enter fullscreen mode Exit fullscreen mode

Then we need one more policy that gives permissions to iam:PassRole and iam:ListRoles.

It’s important to note that iam:PassRole does not support tag-based authentication, so the role will need permissions to ListRoles in order to create a function with existing execution using the AWS Console. It’s also important to note here that the Resource needs to be updated with a role-specific ARN from the setup process.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"VisualEditor0",
         "Effect":"Allow",
         "Action":[
            "iam:ListRoles",
            "iam:PassRole"
         ],
         "Resource":[
            "Role specific ARN"
         ]
      }
   ]
}
Enter fullscreen mode Exit fullscreen mode

Now, we need to create an IAM role, attach all 3 of these policies, and then tag the role with “Team: Alpha”. Finally, we can create a user and assign them the newly created role.

To read more on using ABAC for Lambda, Check out Building for Scale and Traceability Using ABAC for Lambda Functions

Top comments (0)