Question
We have this requirement that came out of pen testing. I have a lambda function, say "add_address", and a role "account_management_role".
I want to make "account_management_role" assumable only by the "add_address" lambda function. I do not want any other lambda function to assume this role.
I tried different things. I tried adding this entry in the "Trust Relationship" of the IAM role. This did not work.
Anyone have any idea how to get this to work?
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "<ARN of lambda function>"
        }
      }
    }
  ]
}
Answer 1:
Old one, but I recently ran into this problem. The answer is the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:eu-west-1:[account_id]:function:testaa"
        }
      }
    }
  ]
}
Answer 2:
@nagalakshmi From the given link http://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html, in the first paragraph they clearly mention that it is not supported.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateFunctionPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToPassAnyRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::account-id:role/*"
    }
  ]
}
From the AWS documentation:
The policy has two statements:
The first statement grants permissions for the AWS Lambda action (lambda:CreateFunction) on a resource by using the Amazon Resource Name (ARN) for the Lambda function. Currently, AWS Lambda doesn't support permissions for this particular action at the resource level. Therefore, the policy specifies a wildcard character (*) as the Resource value.
The second statement grants permissions for the IAM action (iam:PassRole) on IAM roles. The wildcard character (*) at the end of the Resource value means that the statement allows permission for the iam:PassRole action on any IAM role. To limit this permission to a specific role, replace the wildcard character (*) in the resource ARN with the specific role name.
In the above statement from the documentation, they mention that permissions at the resource level are currently not supported.
So they might have it in a feature request.
Answer 3:
Looks like it is a bug. This is the response I got for the ticket I created with the AWS support team. Looks like the only way to restrict who can assume the role is to restrict it through changing user-level access.

I went ahead and attempted the restrictions you are trying to achieve within a single Lambda function, but we were unable to get it to work properly; we conducted a series of tests to be sure of the outcome, and our tests failed because we were unable to specify a specific function as a condition for assuming a role. This is because the initial role assumption is performed by the Lambda service itself, without even looking for the function it seeks to invoke. I discovered this by adding the 'IfExists' modifier to 'StringLike': this tells IAM to check for this particular trait in the AssumeRole request, but if it is not present, disregard the condition and continue. The function would not work with a specific condition set, and even when the exact ARN was provided, it still failed. However, after adding IfExists, the function worked... but so did another, unrelated function that tried to utilize the role. This means that the Lambda function ARN is not being checked before the Lambda service is assuming a role.

At the point at which you invoke a function, you are implicitly trusting the AWS Lambda service to assume the role and execute the function exactly as described. As such, your trust relationship isn't what should be modified; rather, if you want to restrict the access a particular function has, you should restrict the IAM entity who is invoking it, as the role is passed due to an entity having adequate iam:PassRole permissions to pass a particular role to the Lambda service, which Lambda then uses to invoke the function. The following document shows an example of how to restrict iam:PassRole to a particular role or set of roles only: http://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html
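Answers 2 and 3 both point at the identity policy of whoever creates or updates the function, specifically the iam:PassRole statement, as the place to enforce which role a function can be given. As an added example (not code from the page or from any of the answerers), the following Python audit flags identity-policy statements that allow iam:PassRole on a wildcard role resource, and rewrites PassRole-only statements to a single role ARN; the sample policy is the documentation excerpt quoted in answer 2, and the role ARN used in the rewrite is a constructed placeholder.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample (not from the page): the identity policy quoted from the
# AWS docs in answer 2, whose PassRole statement uses a wildcard role resource.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateFunctionPermissions", "Effect": "Allow",
     "Action": ["lambda:CreateFunction"], "Resource": "*"},
    {"Sid": "PermissionToPassAnyRole", "Effect": "Allow",
     "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::account-id:role/*"}
  ]
}
""")

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _allows_passrole(stmt):
    """True if an Allow statement's Action patterns cover iam:PassRole (case-insensitive, iam:* counts)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return stmt.get("Effect") == "Allow" and any(fnmatchcase("iam:passrole", a) for a in actions)

def _has_wild_resource(stmt):
    """A Resource containing * or ? can match roles beyond the one intended."""
    return any("*" in r or "?" in r for r in _as_list(stmt.get("Resource")))

def find_broad_passrole(policy):
    """Return Sids (or statement[i]) of Allow statements that pass a wildcard set of roles."""
    return [stmt.get("Sid", f"statement[{i}]")
            for i, stmt in enumerate(_as_list(policy.get("Statement")))
            if _allows_passrole(stmt) and _has_wild_resource(stmt)]

def restrict_passrole(policy, role_arn):
    """Deep-copy the policy and pin each flagged PassRole-only statement to role_arn.

    Statements that mix iam:PassRole with other actions are left untouched, since a
    single role ARN would break those actions; they stay visible to find_broad_passrole.
    """
    fixed = json.loads(json.dumps(policy))
    for stmt in _as_list(fixed.get("Statement")):
        only_passrole = all(a.lower() == "iam:passrole" for a in _as_list(stmt.get("Action")))
        if only_passrole and _allows_passrole(stmt) and _has_wild_resource(stmt):
            stmt["Resource"] = role_arn
    return fixed
```

Run find_broad_passrole over the policies attached to the users and roles that are allowed to call lambda:CreateFunction or lambda:UpdateFunctionConfiguration; any finding means that principal can hand account_management_role to a function other than add_address.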
Answer 4:
I created Role X and attached it to Lambda Function A. Then I created a new Lambda function B with the same Role X. I got the below error:
"The Configuration tab failed to save. Reason: Your role is not ready, or cannot be assumed by Lambda. Please wait up to a minute and try again.".
Below is the same Trust Relationship Policy. Kindly check your lambda ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:lambda:us-east-1:xxxxxxxxx:function:lambdatest"
        }
      }
    }
  ]
}
Source: https://stackoverflow.com/questions/45806907/how-to-make-a-role-assumable-by-given-lambda-function