Specifying a custom role for lambda with the AWS CDK

Ivan Kluzak · Oct 4, 2018 · Viewed 12.8k times

I realize it's pretty new, but I don't see any examples in any language of how you would specify a role for the lambda created with the AWS CDK.

I was attempting to do this:

const cdk    = require('@aws-cdk/cdk');
const lambda = require('@aws-cdk/aws-lambda');
const iam    = require('@aws-cdk/aws-iam');

const path   = require('path');

class MyStack extends cdk.Stack {
    constructor(parent, id, props) {
        super(parent, id, props);

        //
        // Create a lambda...
        const fn = new lambda.Function(this, 'MyFunction-cdktest', {
            runtime: lambda.Runtime.NodeJS810,
            handler: 'index.handler',
            code: lambda.Code.directory(path.join(__dirname, 'lambda')),
            role: iam.RoleName('lambda_basic_execution')
        });
    }
}

class MyApp extends cdk.App {
    constructor(argv) {
        super(argv);

        new MyStack(this, 'hello-cdk');
    }
}

console.log(new MyApp(process.argv).run());

in order to try to specify an existing IAM role for the function, but that doesn't seem to be correct syntax. I would also be OK with (or maybe even prefer) generating a custom role on the fly, specific to this lambda, but I didn't see any examples of how to do that either.

Does anyone have any insight on how to accomplish this?

Answer

rix0rrr · Oct 4, 2018

A Lambda already comes with an execution role, and it already has the basic execution permissions. If you want to add additional permissions to the role it has, do something like the following:

lambda.addToRolePolicy(new cdk.PolicyStatement()
   .addResource('arn:aws:....')
   .addAction('s3:GetThing'));

Or better yet, use one of the convenience functions for permissions on some resources:

bucket.grantRead(lambda.role);
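Whichever way the role is populated (the default execution role plus `addToRolePolicy`, a `grant*` call, or an existing role passed in by ARN), the thing worth checking before deploying is what actually ends up attached to the function's role in the synthesized template. The following is an added example, not code from the question, the answer or the CDK project: it walks a CloudFormation template shaped like `cdk synth` output (constructed here by hand, with made-up logical IDs) and reports inline execution-role statements that allow wildcard actions or resources, as well as functions whose role lives outside the stack and therefore cannot be reviewed from the template at all.

```javascript
// Added example (not from the post or the CDK project): review the CloudFormation
// template that `cdk synth` emits for a Lambda stack and flag inline execution-role
// statements allowing wildcard actions or resources. Template and IDs are constructed.
const template = {
  Resources: {
    // The execution role CDK creates for a Function when no `role` is supplied.
    FnServiceRoleAB12: { Type: 'AWS::IAM::Role', Properties: {
      AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
        Action: 'sts:AssumeRole', Principal: { Service: 'lambda.amazonaws.com' } }] },
      ManagedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'] } },
    // The inline policy that fn.addToRolePolicy(...) or bucket.grantRead(...) produce.
    FnServiceRoleDefaultPolicyCD34: { Type: 'AWS::IAM::Policy', Properties: {
      Roles: [{ Ref: 'FnServiceRoleAB12' }],
      PolicyDocument: { Version: '2012-10-17', Statement: [
        { Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'],
          Resource: ['arn:aws:s3:::example-bucket', 'arn:aws:s3:::example-bucket/*'] },
        { Effect: 'Allow', Action: 's3:*', Resource: '*' } ] } } },
    FnEF56: { Type: 'AWS::Lambda::Function', Properties: { Handler: 'index.handler',
      Runtime: 'nodejs8.10', Role: { 'Fn::GetAtt': ['FnServiceRoleAB12', 'Arn'] } } },
    // A function handed an existing role by ARN: its permissions live outside the stack.
    ImportedFn7890: { Type: 'AWS::Lambda::Function', Properties: { Handler: 'index.handler',
      Runtime: 'nodejs8.10', Role: 'arn:aws:iam::123456789012:role/lambda_basic_execution' } },
  },
};
const asList = (v) => (Array.isArray(v) ? v : [v]);
// '*' or a service-wide 'svc:*' counts as a wildcard action.
const isWildcard = (v) => asList(v).some((x) => x === '*' || /:\*$/.test(x));
// Allow statements from every inline AWS::IAM::Policy attached to the given role.
function inlineStatements(tpl, roleId) {
  return Object.values(tpl.Resources)
    .filter((r) => r.Type === 'AWS::IAM::Policy' && (r.Properties.Roles || []).some((x) => x.Ref === roleId))
    .flatMap((r) => r.Properties.PolicyDocument.Statement)
    .filter((s) => s.Effect === 'Allow');
}
// One finding per Lambda whose role is outside the stack, plus one per wildcard statement.
function lambdaRoleFindings(tpl) {
  const findings = [];
  for (const [id, r] of Object.entries(tpl.Resources)) {
    if (r.Type !== 'AWS::Lambda::Function') continue;
    const role = r.Properties.Role;
    if (!role || !role['Fn::GetAtt']) { findings.push({ fn: id, issue: 'role outside stack', role }); continue; }
    for (const s of inlineStatements(tpl, role['Fn::GetAtt'][0]))
      if (isWildcard(s.Action) || asList(s.Resource).includes('*'))
        findings.push({ fn: id, issue: 'wildcard statement', action: s.Action, resource: s.Resource });
  }
  return findings;
}
```

Run it against the JSON that `cdk synth` writes instead of the constructed `template` to review a real stack; the managed `AWSLambdaBasicExecutionRole` policy is deliberately left alone since it only grants CloudWatch Logs access.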