{"id":71950,"date":"2019-05-24T15:16:05","date_gmt":"2019-05-24T15:16:05","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=71950"},"modified":"2020-08-31T17:52:05","modified_gmt":"2020-08-31T17:52:05","slug":"iam-roles-for-aws-lambda-function","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/iam-roles-for-aws-lambda-function\/","title":{"rendered":"Understanding IAM Roles for AWS Lambda Function"},"content":{"rendered":"

The AWS Lambda service is the serverless compute service on the cloud. Now if the AWS Lambda function needs to access other resources then the IAM Role that is attached to the Lambda function needs to have the required access. <\/span>This article discusses IAM Roles for AWS Lambda Function that is an important topic under the domain Identity and Access Management (IAM). This topic will help those who are preparing for the AWS Certified Solutions Architect Professional Exam<\/a> or AWS Certified Security Specialty Exam<\/a>.<\/span><\/p>\n

A common type of question that comes up in the AWS certification exam is the permissions that can be assigned to an AWS Lambda function.<\/span><\/p>\n

\"AWS<\/a><\/p>\n

IAM Roles for AWS Lambda Function<\/h2>\n

Let’s understand IAM roles for AWS Lambda function through an example:<\/p>\n

In this example, we will make AWS Lambda run an AWS Athena query against a CSV file in S3. And we will see what is required from an IAM Role perspective.<\/span><\/p>\n

Step 1) So first, we have an S3 bucket defined as shown below<\/span><\/p>\n

\"IAM<\/p>\n

The S3 bucket has a data file called data.csv which is a simple data file which contains the name of AWS certification exams.<\/span><\/p>\n

Step 2) Now we go onto AWS Athena. Here we have a database called demodb. We execute the following query to create a table.<\/span><\/p>\n

Here we execute the following query:<\/span><\/p>\n

CREATE EXTERNAL TABLE IF NOT EXISTS exams (<\/span>\r\n\r\n \u00a0ID INT,<\/span>\r\n\r\n \u00a0name STRING<\/span>\r\n\r\n \u00a0\u00a0\u00a0) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.OpenCSVSerde' <\/span>\r\n\r\nWITH SERDEPROPERTIES (\"separatorChar\" = \",\") <\/span>\r\n\r\nLOCATION 's3:\/\/athena2020\/'<\/span><\/pre>\n
\"IAM<\/p>\n
Once you run the query, you will get the table created in AWS Athena<\/span><\/p>\n
\"IAM<\/p>\n
Step 3) Now let\u2019s run a select query in AWS Athena just to check if we are able to fetch the data.<\/span><\/p>\n
\"IAM<\/p>\n
So, you will see the result data. This is the result data that is stored in the .csv file in S3.<\/span><\/p>\n
Step 4) Now create an AWS Lambda function. This will have python as the underlying runtime.<\/span><\/p>\n
\"IAM<\/p>\n
Following is the code snippet<\/span><\/p>\n
import json<\/span>\r\n\r\nimport time<\/span>\r\n\r\nimport boto3<\/span>\r\n\r\n\r\n\r\n\r\ndef lambda_handler(event, context):<\/span>\r\n\r\n \u00a0\u00a0\u00a0# TODO implement<\/span>\r\n\r\n \u00a0\u00a0\u00a0client = boto3.client('athena')<\/span>\r\n\r\n \u00a0\u00a0\u00a0query='select * from exams;'<\/span>\r\n\r\n \u00a0\u00a0\u00a0S3_OUTPUT='s3:\/\/athena2020\/output'<\/span>\r\n\r\n \u00a0\u00a0\u00a0# Execution<\/span>\r\n\r\n \u00a0\u00a0\u00a0response = client.start_query_execution(<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0QueryString=query,<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0QueryExecutionContext={<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0'Database': 'demodb'<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ResultConfiguration={<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0'OutputLocation': S3_OUTPUT,<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/span>\r\n\r\n \u00a0\u00a0\u00a0)<\/span>\r\n\r\n \u00a0\u00a0\u00a0time.sleep(5)<\/span>\r\n\r\n \u00a0\u00a0\u00a0query_execution_id = response['QueryExecutionId']<\/span>\r\n\r\n \u00a0\u00a0\u00a0print(query_execution_id)<\/span>\r\n\r\n \u00a0\u00a0\u00a0result = client.get_query_results(QueryExecutionId=query_execution_id)<\/span>\r\n\r\n \u00a0\u00a0\u00a0print(result)<\/span>\r\n\r\n \u00a0\u00a0\u00a0return {<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0'statusCode': 200,<\/span>\r\n\r\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0'body': json.dumps('Results from Lambda!')<\/span>\r\n\r\n \u00a0\u00a0\u00a0}<\/span><\/pre>\n
The code snippet is quite self-explanatory. We are using the python boto3 SDK to work with Athena queries. We then transfer the output results to the S3 folder location ‘s3:\/\/athena2020\/output’. This is important to note.<\/span><\/p>\n
Now if you drill further down, you will see the IAM Role attached to the Lambda function<\/span><\/p>\n
\"IAM<\/p>\n
So, it\u2019s a service role called athenarole.<\/span><\/p>\n
If we go to the Role definition in Security credentials, you can see that the role has a basic execution policy<\/span><\/p>\n
\"IAM<\/p>\n
Step 5) Let\u2019s run our AWS Lambda function<\/span><\/p>\n
\"IAM<\/p>\n
So, when we Test our AWS Lambda function, we are getting an <\/span>Access Denied<\/span><\/i> error. This is because we need to give permission to our AWS Lambda function to access the Athena service. Since the lambda function is making a call to AWS Athena, we need to add this permission to the role.<\/span><\/p>\n
Step 6) So let\u2019s go back to the IAM Role definition and click on Attach policies<\/span><\/p>\n
\"IAM<\/p>\n
For the purpose of this demo, let\u2019s just add a policy for full access to AWS Athena<\/span><\/p>\n
So in the next screen, find and choose<\/span> AmazonAthenaFullAccess <\/span><\/i>and choose Attach policy<\/span><\/p>\n
\"IAM<\/p>\n
Step 7) Now let\u2019s run our Lambda function again<\/span><\/p>\n
\"IAM<\/p>\n
We are still getting the same error. Why is that?<\/span><\/p>\n
Remember that the function also sends the output data to S3, hence we need to also ensure that the IAM role also has access to S3<\/span><\/p>\n
 Step 8) So let\u2019s go back to the IAM Role definition and click on Attach policies<\/span><\/p>\n
\"IAM<\/p>\n
For the purpose of this demo, let\u2019s just add a policy for full access to AWS S3<\/span><\/p>\n
So in the next screen, find and choose <\/span>AmazonS3FullAccess<\/span><\/i> and choose Attach policy<\/span><\/p>\n
Now let\u2019s run our AWS Lambda function<\/span><\/p>\n
\"IAM<\/p>\n
You will now get a successful execution of the Lambda function<\/span><\/p>\n
\"IAM<\/p>\n
Summary<\/h3>\n