1. Packages
  2. AWS
  3. API Docs
  4. lambda
  5. Permission
AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi

aws.lambda.Permission

Explore with Pulumi AI

aws logo
AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi

    Gives an external source (like an EventBridge Rule, SNS, or S3) permission to access the Lambda function.

    Example Usage

    Basic Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const iamForLambda = new aws.iam.Role("iam_for_lambda", {
        name: "iam_for_lambda",
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Action: "sts:AssumeRole",
                Effect: "Allow",
                Sid: "",
                Principal: {
                    Service: "lambda.amazonaws.com",
                },
            }],
        }),
    });
    const testLambda = new aws.lambda.Function("test_lambda", {
        code: new pulumi.asset.FileArchive("lambdatest.zip"),
        name: "lambda_function_name",
        role: iamForLambda.arn,
        handler: "exports.handler",
        runtime: aws.lambda.Runtime.NodeJS20dX,
    });
    const testAlias = new aws.lambda.Alias("test_alias", {
        name: "testalias",
        description: "a sample description",
        functionName: testLambda.name,
        functionVersion: "$LATEST",
    });
    const allowCloudwatch = new aws.lambda.Permission("allow_cloudwatch", {
        statementId: "AllowExecutionFromCloudWatch",
        action: "lambda:InvokeFunction",
        "function": testLambda.name,
        principal: "events.amazonaws.com",
        sourceArn: "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
        qualifier: testAlias.name,
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    iam_for_lambda = aws.iam.Role("iam_for_lambda",
        name="iam_for_lambda",
        assume_role_policy=json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Sid": "",
                "Principal": {
                    "Service": "lambda.amazonaws.com",
                },
            }],
        }))
    test_lambda = aws.lambda_.Function("test_lambda",
        code=pulumi.FileArchive("lambdatest.zip"),
        name="lambda_function_name",
        role=iam_for_lambda.arn,
        handler="exports.handler",
        runtime=aws.lambda_.Runtime.NODE_JS20D_X)
    test_alias = aws.lambda_.Alias("test_alias",
        name="testalias",
        description="a sample description",
        function_name=test_lambda.name,
        function_version="$LATEST")
    allow_cloudwatch = aws.lambda_.Permission("allow_cloudwatch",
        statement_id="AllowExecutionFromCloudWatch",
        action="lambda:InvokeFunction",
        function=test_lambda.name,
        principal="events.amazonaws.com",
        source_arn="arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
        qualifier=test_alias.name)
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"Version": "2012-10-17",
    			"Statement": []map[string]interface{}{
    				map[string]interface{}{
    					"Action": "sts:AssumeRole",
    					"Effect": "Allow",
    					"Sid":    "",
    					"Principal": map[string]interface{}{
    						"Service": "lambda.amazonaws.com",
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		iamForLambda, err := iam.NewRole(ctx, "iam_for_lambda", &iam.RoleArgs{
    			Name:             pulumi.String("iam_for_lambda"),
    			AssumeRolePolicy: pulumi.String(json0),
    		})
    		if err != nil {
    			return err
    		}
    		testLambda, err := lambda.NewFunction(ctx, "test_lambda", &lambda.FunctionArgs{
    			Code:    pulumi.NewFileArchive("lambdatest.zip"),
    			Name:    pulumi.String("lambda_function_name"),
    			Role:    iamForLambda.Arn,
    			Handler: pulumi.String("exports.handler"),
    			Runtime: pulumi.String(lambda.RuntimeNodeJS20dX),
    		})
    		if err != nil {
    			return err
    		}
    		testAlias, err := lambda.NewAlias(ctx, "test_alias", &lambda.AliasArgs{
    			Name:            pulumi.String("testalias"),
    			Description:     pulumi.String("a sample description"),
    			FunctionName:    testLambda.Name,
    			FunctionVersion: pulumi.String("$LATEST"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewPermission(ctx, "allow_cloudwatch", &lambda.PermissionArgs{
    			StatementId: pulumi.String("AllowExecutionFromCloudWatch"),
    			Action:      pulumi.String("lambda:InvokeFunction"),
    			Function:    testLambda.Name,
    			Principal:   pulumi.String("events.amazonaws.com"),
    			SourceArn:   pulumi.String("arn:aws:events:eu-west-1:111122223333:rule/RunDaily"),
    			Qualifier:   testAlias.Name,
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var iamForLambda = new Aws.Iam.Role("iam_for_lambda", new()
        {
            Name = "iam_for_lambda",
            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = "sts:AssumeRole",
                        ["Effect"] = "Allow",
                        ["Sid"] = "",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["Service"] = "lambda.amazonaws.com",
                        },
                    },
                },
            }),
        });
    
        var testLambda = new Aws.Lambda.Function("test_lambda", new()
        {
            Code = new FileArchive("lambdatest.zip"),
            Name = "lambda_function_name",
            Role = iamForLambda.Arn,
            Handler = "exports.handler",
            Runtime = Aws.Lambda.Runtime.NodeJS20dX,
        });
    
        var testAlias = new Aws.Lambda.Alias("test_alias", new()
        {
            Name = "testalias",
            Description = "a sample description",
            FunctionName = testLambda.Name,
            FunctionVersion = "$LATEST",
        });
    
        var allowCloudwatch = new Aws.Lambda.Permission("allow_cloudwatch", new()
        {
            StatementId = "AllowExecutionFromCloudWatch",
            Action = "lambda:InvokeFunction",
            Function = testLambda.Name,
            Principal = "events.amazonaws.com",
            SourceArn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily",
            Qualifier = testAlias.Name,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.lambda.Function;
    import com.pulumi.aws.lambda.FunctionArgs;
    import com.pulumi.aws.lambda.Alias;
    import com.pulumi.aws.lambda.AliasArgs;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import com.pulumi.asset.FileArchive;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var iamForLambda = new Role("iamForLambda", RoleArgs.builder()
                .name("iam_for_lambda")
                .assumeRolePolicy(serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Action", "sts:AssumeRole"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Sid", ""),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("Service", "lambda.amazonaws.com")
                            ))
                        )))
                    )))
                .build());
    
            var testLambda = new Function("testLambda", FunctionArgs.builder()
                .code(new FileArchive("lambdatest.zip"))
                .name("lambda_function_name")
                .role(iamForLambda.arn())
                .handler("exports.handler")
                .runtime("nodejs20.x")
                .build());
    
            var testAlias = new Alias("testAlias", AliasArgs.builder()
                .name("testalias")
                .description("a sample description")
                .functionName(testLambda.name())
                .functionVersion("$LATEST")
                .build());
    
            var allowCloudwatch = new Permission("allowCloudwatch", PermissionArgs.builder()
                .statementId("AllowExecutionFromCloudWatch")
                .action("lambda:InvokeFunction")
                .function(testLambda.name())
                .principal("events.amazonaws.com")
                .sourceArn("arn:aws:events:eu-west-1:111122223333:rule/RunDaily")
                .qualifier(testAlias.name())
                .build());
    
        }
    }
    
    resources:
      allowCloudwatch:
        type: aws:lambda:Permission
        name: allow_cloudwatch
        properties:
          statementId: AllowExecutionFromCloudWatch
          action: lambda:InvokeFunction
          function: ${testLambda.name}
          principal: events.amazonaws.com
          sourceArn: arn:aws:events:eu-west-1:111122223333:rule/RunDaily
          qualifier: ${testAlias.name}
      testAlias:
        type: aws:lambda:Alias
        name: test_alias
        properties:
          name: testalias
          description: a sample description
          functionName: ${testLambda.name}
          functionVersion: $LATEST
      testLambda:
        type: aws:lambda:Function
        name: test_lambda
        properties:
          code:
            fn::FileArchive: lambdatest.zip
          name: lambda_function_name
          role: ${iamForLambda.arn}
          handler: exports.handler
          runtime: nodejs20.x
      iamForLambda:
        type: aws:iam:Role
        name: iam_for_lambda
        properties:
          name: iam_for_lambda
          assumeRolePolicy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action: sts:AssumeRole
                  Effect: Allow
                  Sid:
                  Principal:
                    Service: lambda.amazonaws.com
    

    With SNS

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const _default = new aws.sns.Topic("default", {name: "call-lambda-maybe"});
    const defaultRole = new aws.iam.Role("default", {
        name: "iam_for_lambda_with_sns",
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Action: "sts:AssumeRole",
                Effect: "Allow",
                Sid: "",
                Principal: {
                    Service: "lambda.amazonaws.com",
                },
            }],
        }),
    });
    const func = new aws.lambda.Function("func", {
        code: new pulumi.asset.FileArchive("lambdatest.zip"),
        name: "lambda_called_from_sns",
        role: defaultRole.arn,
        handler: "exports.handler",
        runtime: aws.lambda.Runtime.Python3d12,
    });
    const withSns = new aws.lambda.Permission("with_sns", {
        statementId: "AllowExecutionFromSNS",
        action: "lambda:InvokeFunction",
        "function": func.name,
        principal: "sns.amazonaws.com",
        sourceArn: _default.arn,
    });
    const lambda = new aws.sns.TopicSubscription("lambda", {
        topic: _default.arn,
        protocol: "lambda",
        endpoint: func.arn,
    });
    
    import pulumi
    import json
    import pulumi_aws as aws
    
    default = aws.sns.Topic("default", name="call-lambda-maybe")
    default_role = aws.iam.Role("default",
        name="iam_for_lambda_with_sns",
        assume_role_policy=json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Sid": "",
                "Principal": {
                    "Service": "lambda.amazonaws.com",
                },
            }],
        }))
    func = aws.lambda_.Function("func",
        code=pulumi.FileArchive("lambdatest.zip"),
        name="lambda_called_from_sns",
        role=default_role.arn,
        handler="exports.handler",
        runtime=aws.lambda_.Runtime.PYTHON3D12)
    with_sns = aws.lambda_.Permission("with_sns",
        statement_id="AllowExecutionFromSNS",
        action="lambda:InvokeFunction",
        function=func.name,
        principal="sns.amazonaws.com",
        source_arn=default.arn)
    lambda_ = aws.sns.TopicSubscription("lambda",
        topic=default.arn,
        protocol="lambda",
        endpoint=func.arn)
    
    package main
    
    import (
    	"encoding/json"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/sns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := sns.NewTopic(ctx, "default", &sns.TopicArgs{
    			Name: pulumi.String("call-lambda-maybe"),
    		})
    		if err != nil {
    			return err
    		}
    		tmpJSON0, err := json.Marshal(map[string]interface{}{
    			"Version": "2012-10-17",
    			"Statement": []map[string]interface{}{
    				map[string]interface{}{
    					"Action": "sts:AssumeRole",
    					"Effect": "Allow",
    					"Sid":    "",
    					"Principal": map[string]interface{}{
    						"Service": "lambda.amazonaws.com",
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		json0 := string(tmpJSON0)
    		defaultRole, err := iam.NewRole(ctx, "default", &iam.RoleArgs{
    			Name:             pulumi.String("iam_for_lambda_with_sns"),
    			AssumeRolePolicy: pulumi.String(json0),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewFunction(ctx, "func", &lambda.FunctionArgs{
    			Code:    pulumi.NewFileArchive("lambdatest.zip"),
    			Name:    pulumi.String("lambda_called_from_sns"),
    			Role:    defaultRole.Arn,
    			Handler: pulumi.String("exports.handler"),
    			Runtime: pulumi.String(lambda.RuntimePython3d12),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewPermission(ctx, "with_sns", &lambda.PermissionArgs{
    			StatementId: pulumi.String("AllowExecutionFromSNS"),
    			Action:      pulumi.String("lambda:InvokeFunction"),
    			Function:    _func.Name,
    			Principal:   pulumi.String("sns.amazonaws.com"),
    			SourceArn:   _default.Arn,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = sns.NewTopicSubscription(ctx, "lambda", &sns.TopicSubscriptionArgs{
    			Topic:    _default.Arn,
    			Protocol: pulumi.String("lambda"),
    			Endpoint: _func.Arn,
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using System.Text.Json;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Aws.Sns.Topic("default", new()
        {
            Name = "call-lambda-maybe",
        });
    
        var defaultRole = new Aws.Iam.Role("default", new()
        {
            Name = "iam_for_lambda_with_sns",
            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = "sts:AssumeRole",
                        ["Effect"] = "Allow",
                        ["Sid"] = "",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["Service"] = "lambda.amazonaws.com",
                        },
                    },
                },
            }),
        });
    
        var func = new Aws.Lambda.Function("func", new()
        {
            Code = new FileArchive("lambdatest.zip"),
            Name = "lambda_called_from_sns",
            Role = defaultRole.Arn,
            Handler = "exports.handler",
            Runtime = Aws.Lambda.Runtime.Python3d12,
        });
    
        var withSns = new Aws.Lambda.Permission("with_sns", new()
        {
            StatementId = "AllowExecutionFromSNS",
            Action = "lambda:InvokeFunction",
            Function = func.Name,
            Principal = "sns.amazonaws.com",
            SourceArn = @default.Arn,
        });
    
        var lambda = new Aws.Sns.TopicSubscription("lambda", new()
        {
            Topic = @default.Arn,
            Protocol = "lambda",
            Endpoint = func.Arn,
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.sns.Topic;
    import com.pulumi.aws.sns.TopicArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.lambda.Function;
    import com.pulumi.aws.lambda.FunctionArgs;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import com.pulumi.aws.sns.TopicSubscription;
    import com.pulumi.aws.sns.TopicSubscriptionArgs;
    import static com.pulumi.codegen.internal.Serialization.*;
    import com.pulumi.asset.FileArchive;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new Topic("default", TopicArgs.builder()
                .name("call-lambda-maybe")
                .build());
    
            var defaultRole = new Role("defaultRole", RoleArgs.builder()
                .name("iam_for_lambda_with_sns")
                .assumeRolePolicy(serializeJson(
                    jsonObject(
                        jsonProperty("Version", "2012-10-17"),
                        jsonProperty("Statement", jsonArray(jsonObject(
                            jsonProperty("Action", "sts:AssumeRole"),
                            jsonProperty("Effect", "Allow"),
                            jsonProperty("Sid", ""),
                            jsonProperty("Principal", jsonObject(
                                jsonProperty("Service", "lambda.amazonaws.com")
                            ))
                        )))
                    )))
                .build());
    
            var func = new Function("func", FunctionArgs.builder()
                .code(new FileArchive("lambdatest.zip"))
                .name("lambda_called_from_sns")
                .role(defaultRole.arn())
                .handler("exports.handler")
                .runtime("python3.12")
                .build());
    
            var withSns = new Permission("withSns", PermissionArgs.builder()
                .statementId("AllowExecutionFromSNS")
                .action("lambda:InvokeFunction")
                .function(func.name())
                .principal("sns.amazonaws.com")
                .sourceArn(default_.arn())
                .build());
    
            var lambda = new TopicSubscription("lambda", TopicSubscriptionArgs.builder()
                .topic(default_.arn())
                .protocol("lambda")
                .endpoint(func.arn())
                .build());
    
        }
    }
    
    resources:
      withSns:
        type: aws:lambda:Permission
        name: with_sns
        properties:
          statementId: AllowExecutionFromSNS
          action: lambda:InvokeFunction
          function: ${func.name}
          principal: sns.amazonaws.com
          sourceArn: ${default.arn}
      default:
        type: aws:sns:Topic
        properties:
          name: call-lambda-maybe
      lambda:
        type: aws:sns:TopicSubscription
        properties:
          topic: ${default.arn}
          protocol: lambda
          endpoint: ${func.arn}
      func:
        type: aws:lambda:Function
        properties:
          code:
            fn::FileArchive: lambdatest.zip
          name: lambda_called_from_sns
          role: ${defaultRole.arn}
          handler: exports.handler
          runtime: python3.12
      defaultRole:
        type: aws:iam:Role
        name: default
        properties:
          name: iam_for_lambda_with_sns
          assumeRolePolicy:
            fn::toJSON:
              Version: 2012-10-17
              Statement:
                - Action: sts:AssumeRole
                  Effect: Allow
                  Sid:
                  Principal:
                    Service: lambda.amazonaws.com
    

    With API Gateway REST API

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const myDemoAPI = new aws.apigateway.RestApi("MyDemoAPI", {
        name: "MyDemoAPI",
        description: "This is my API for demonstration purposes",
    });
    const lambdaPermission = new aws.lambda.Permission("lambda_permission", {
        statementId: "AllowMyDemoAPIInvoke",
        action: "lambda:InvokeFunction",
        "function": "MyDemoFunction",
        principal: "apigateway.amazonaws.com",
        sourceArn: pulumi.interpolate`${myDemoAPI.executionArn}/*`,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    my_demo_api = aws.apigateway.RestApi("MyDemoAPI",
        name="MyDemoAPI",
        description="This is my API for demonstration purposes")
    lambda_permission = aws.lambda_.Permission("lambda_permission",
        statement_id="AllowMyDemoAPIInvoke",
        action="lambda:InvokeFunction",
        function="MyDemoFunction",
        principal="apigateway.amazonaws.com",
        source_arn=my_demo_api.execution_arn.apply(lambda execution_arn: f"{execution_arn}/*"))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/apigateway"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		myDemoAPI, err := apigateway.NewRestApi(ctx, "MyDemoAPI", &apigateway.RestApiArgs{
    			Name:        pulumi.String("MyDemoAPI"),
    			Description: pulumi.String("This is my API for demonstration purposes"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewPermission(ctx, "lambda_permission", &lambda.PermissionArgs{
    			StatementId: pulumi.String("AllowMyDemoAPIInvoke"),
    			Action:      pulumi.String("lambda:InvokeFunction"),
    			Function:    pulumi.Any("MyDemoFunction"),
    			Principal:   pulumi.String("apigateway.amazonaws.com"),
    			SourceArn: myDemoAPI.ExecutionArn.ApplyT(func(executionArn string) (string, error) {
    				return fmt.Sprintf("%v/*", executionArn), nil
    			}).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var myDemoAPI = new Aws.ApiGateway.RestApi("MyDemoAPI", new()
        {
            Name = "MyDemoAPI",
            Description = "This is my API for demonstration purposes",
        });
    
        var lambdaPermission = new Aws.Lambda.Permission("lambda_permission", new()
        {
            StatementId = "AllowMyDemoAPIInvoke",
            Action = "lambda:InvokeFunction",
            Function = "MyDemoFunction",
            Principal = "apigateway.amazonaws.com",
            SourceArn = myDemoAPI.ExecutionArn.Apply(executionArn => $"{executionArn}/*"),
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.apigateway.RestApi;
    import com.pulumi.aws.apigateway.RestApiArgs;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var myDemoAPI = new RestApi("myDemoAPI", RestApiArgs.builder()
                .name("MyDemoAPI")
                .description("This is my API for demonstration purposes")
                .build());
    
            var lambdaPermission = new Permission("lambdaPermission", PermissionArgs.builder()
                .statementId("AllowMyDemoAPIInvoke")
                .action("lambda:InvokeFunction")
                .function("MyDemoFunction")
                .principal("apigateway.amazonaws.com")
                .sourceArn(myDemoAPI.executionArn().applyValue(executionArn -> String.format("%s/*", executionArn)))
                .build());
    
        }
    }
    
    resources:
      myDemoAPI:
        type: aws:apigateway:RestApi
        name: MyDemoAPI
        properties:
          name: MyDemoAPI
          description: This is my API for demonstration purposes
      lambdaPermission:
        type: aws:lambda:Permission
        name: lambda_permission
        properties:
          statementId: AllowMyDemoAPIInvoke
          action: lambda:InvokeFunction
          function: MyDemoFunction
          principal: apigateway.amazonaws.com
          sourceArn: ${myDemoAPI.executionArn}/*
    

    With CloudWatch Log Group

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const _default = new aws.cloudwatch.LogGroup("default", {name: "/default"});
    const assumeRole = aws.iam.getPolicyDocument({
        statements: [{
            effect: "Allow",
            principals: [{
                type: "Service",
                identifiers: ["lambda.amazonaws.com"],
            }],
            actions: ["sts:AssumeRole"],
        }],
    });
    const defaultRole = new aws.iam.Role("default", {
        name: "iam_for_lambda_called_from_cloudwatch_logs",
        assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
    });
    const loggingFunction = new aws.lambda.Function("logging", {
        code: new pulumi.asset.FileArchive("lamba_logging.zip"),
        name: "lambda_called_from_cloudwatch_logs",
        handler: "exports.handler",
        role: defaultRole.arn,
        runtime: aws.lambda.Runtime.Python3d12,
    });
    const logging = new aws.lambda.Permission("logging", {
        action: "lambda:InvokeFunction",
        "function": loggingFunction.name,
        principal: "logs.eu-west-1.amazonaws.com",
        sourceArn: pulumi.interpolate`${_default.arn}:*`,
    });
    const loggingLogSubscriptionFilter = new aws.cloudwatch.LogSubscriptionFilter("logging", {
        destinationArn: loggingFunction.arn,
        filterPattern: "",
        logGroup: _default.name,
        name: "logging_default",
    }, {
        dependsOn: [logging],
    });
    
    import pulumi
    import pulumi_aws as aws
    
    default = aws.cloudwatch.LogGroup("default", name="/default")
    assume_role = aws.iam.get_policy_document(statements=[{
        "effect": "Allow",
        "principals": [{
            "type": "Service",
            "identifiers": ["lambda.amazonaws.com"],
        }],
        "actions": ["sts:AssumeRole"],
    }])
    default_role = aws.iam.Role("default",
        name="iam_for_lambda_called_from_cloudwatch_logs",
        assume_role_policy=assume_role.json)
    logging_function = aws.lambda_.Function("logging",
        code=pulumi.FileArchive("lamba_logging.zip"),
        name="lambda_called_from_cloudwatch_logs",
        handler="exports.handler",
        role=default_role.arn,
        runtime=aws.lambda_.Runtime.PYTHON3D12)
    logging = aws.lambda_.Permission("logging",
        action="lambda:InvokeFunction",
        function=logging_function.name,
        principal="logs.eu-west-1.amazonaws.com",
        source_arn=default.arn.apply(lambda arn: f"{arn}:*"))
    logging_log_subscription_filter = aws.cloudwatch.LogSubscriptionFilter("logging",
        destination_arn=logging_function.arn,
        filter_pattern="",
        log_group=default.name,
        name="logging_default",
        opts = pulumi.ResourceOptions(depends_on=[logging]))
    
    package main
    
    import (
    	"fmt"
    
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/cloudwatch"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := cloudwatch.NewLogGroup(ctx, "default", &cloudwatch.LogGroupArgs{
    			Name: pulumi.String("/default"),
    		})
    		if err != nil {
    			return err
    		}
    		assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
    			Statements: []iam.GetPolicyDocumentStatement{
    				{
    					Effect: pulumi.StringRef("Allow"),
    					Principals: []iam.GetPolicyDocumentStatementPrincipal{
    						{
    							Type: "Service",
    							Identifiers: []string{
    								"lambda.amazonaws.com",
    							},
    						},
    					},
    					Actions: []string{
    						"sts:AssumeRole",
    					},
    				},
    			},
    		}, nil)
    		if err != nil {
    			return err
    		}
    		defaultRole, err := iam.NewRole(ctx, "default", &iam.RoleArgs{
    			Name:             pulumi.String("iam_for_lambda_called_from_cloudwatch_logs"),
    			AssumeRolePolicy: pulumi.String(assumeRole.Json),
    		})
    		if err != nil {
    			return err
    		}
    		loggingFunction, err := lambda.NewFunction(ctx, "logging", &lambda.FunctionArgs{
    			Code:    pulumi.NewFileArchive("lamba_logging.zip"),
    			Name:    pulumi.String("lambda_called_from_cloudwatch_logs"),
    			Handler: pulumi.String("exports.handler"),
    			Role:    defaultRole.Arn,
    			Runtime: pulumi.String(lambda.RuntimePython3d12),
    		})
    		if err != nil {
    			return err
    		}
    		logging, err := lambda.NewPermission(ctx, "logging", &lambda.PermissionArgs{
    			Action:    pulumi.String("lambda:InvokeFunction"),
    			Function:  loggingFunction.Name,
    			Principal: pulumi.String("logs.eu-west-1.amazonaws.com"),
    			SourceArn: _default.Arn.ApplyT(func(arn string) (string, error) {
    				return fmt.Sprintf("%v:*", arn), nil
    			}).(pulumi.StringOutput),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = cloudwatch.NewLogSubscriptionFilter(ctx, "logging", &cloudwatch.LogSubscriptionFilterArgs{
    			DestinationArn: loggingFunction.Arn,
    			FilterPattern:  pulumi.String(""),
    			LogGroup:       _default.Name,
    			Name:           pulumi.String("logging_default"),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			logging,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var @default = new Aws.CloudWatch.LogGroup("default", new()
        {
            Name = "/default",
        });
    
        var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
        {
            Statements = new[]
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
                {
                    Effect = "Allow",
                    Principals = new[]
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                        {
                            Type = "Service",
                            Identifiers = new[]
                            {
                                "lambda.amazonaws.com",
                            },
                        },
                    },
                    Actions = new[]
                    {
                        "sts:AssumeRole",
                    },
                },
            },
        });
    
        var defaultRole = new Aws.Iam.Role("default", new()
        {
            Name = "iam_for_lambda_called_from_cloudwatch_logs",
            AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        });
    
        var loggingFunction = new Aws.Lambda.Function("logging", new()
        {
            Code = new FileArchive("lamba_logging.zip"),
            Name = "lambda_called_from_cloudwatch_logs",
            Handler = "exports.handler",
            Role = defaultRole.Arn,
            Runtime = Aws.Lambda.Runtime.Python3d12,
        });
    
        var logging = new Aws.Lambda.Permission("logging", new()
        {
            Action = "lambda:InvokeFunction",
            Function = loggingFunction.Name,
            Principal = "logs.eu-west-1.amazonaws.com",
            SourceArn = @default.Arn.Apply(arn => $"{arn}:*"),
        });
    
        var loggingLogSubscriptionFilter = new Aws.CloudWatch.LogSubscriptionFilter("logging", new()
        {
            DestinationArn = loggingFunction.Arn,
            FilterPattern = "",
            LogGroup = @default.Name,
            Name = "logging_default",
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                logging,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.cloudwatch.LogGroup;
    import com.pulumi.aws.cloudwatch.LogGroupArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
    import com.pulumi.aws.iam.Role;
    import com.pulumi.aws.iam.RoleArgs;
    import com.pulumi.aws.lambda.Function;
    import com.pulumi.aws.lambda.FunctionArgs;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import com.pulumi.aws.cloudwatch.LogSubscriptionFilter;
    import com.pulumi.aws.cloudwatch.LogSubscriptionFilterArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import com.pulumi.asset.FileArchive;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var default_ = new LogGroup("default", LogGroupArgs.builder()
                .name("/default")
                .build());
    
            final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
                .statements(GetPolicyDocumentStatementArgs.builder()
                    .effect("Allow")
                    .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                        .type("Service")
                        .identifiers("lambda.amazonaws.com")
                        .build())
                    .actions("sts:AssumeRole")
                    .build())
                .build());
    
            var defaultRole = new Role("defaultRole", RoleArgs.builder()
                .name("iam_for_lambda_called_from_cloudwatch_logs")
                .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
                .build());
    
            var loggingFunction = new Function("loggingFunction", FunctionArgs.builder()
                .code(new FileArchive("lamba_logging.zip"))
                .name("lambda_called_from_cloudwatch_logs")
                .handler("exports.handler")
                .role(defaultRole.arn())
                .runtime("python3.12")
                .build());
    
            var logging = new Permission("logging", PermissionArgs.builder()
                .action("lambda:InvokeFunction")
                .function(loggingFunction.name())
                .principal("logs.eu-west-1.amazonaws.com")
                .sourceArn(default_.arn().applyValue(arn -> String.format("%s:*", arn)))
                .build());
    
            var loggingLogSubscriptionFilter = new LogSubscriptionFilter("loggingLogSubscriptionFilter", LogSubscriptionFilterArgs.builder()
                .destinationArn(loggingFunction.arn())
                .filterPattern("")
                .logGroup(default_.name())
                .name("logging_default")
                .build(), CustomResourceOptions.builder()
                    .dependsOn(logging)
                    .build());
    
        }
    }
    
    resources:
      logging:
        type: aws:lambda:Permission
        properties:
          action: lambda:InvokeFunction
          function: ${loggingFunction.name}
          principal: logs.eu-west-1.amazonaws.com
          sourceArn: ${default.arn}:*
      default:
        type: aws:cloudwatch:LogGroup
        properties:
          name: /default
      loggingLogSubscriptionFilter:
        type: aws:cloudwatch:LogSubscriptionFilter
        name: logging
        properties:
          destinationArn: ${loggingFunction.arn}
          filterPattern:
          logGroup: ${default.name}
          name: logging_default
        options:
          dependson:
            - ${logging}
      loggingFunction:
        type: aws:lambda:Function
        name: logging
        properties:
          code:
            fn::FileArchive: lamba_logging.zip
          name: lambda_called_from_cloudwatch_logs
          handler: exports.handler
          role: ${defaultRole.arn}
          runtime: python3.12
      defaultRole:
        type: aws:iam:Role
        name: default
        properties:
          name: iam_for_lambda_called_from_cloudwatch_logs
          assumeRolePolicy: ${assumeRole.json}
    variables:
      assumeRole:
        fn::invoke:
          Function: aws:iam:getPolicyDocument
          Arguments:
            statements:
              - effect: Allow
                principals:
                  - type: Service
                    identifiers:
                      - lambda.amazonaws.com
                actions:
                  - sts:AssumeRole
    

    With Cross-Account Invocation Policy

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const url = new aws.lambda.FunctionUrl("url", {
        functionName: example.functionName,
        authorizationType: "AWS_IAM",
    });
    const urlPermission = new aws.lambda.Permission("url", {
        action: "lambda:InvokeFunctionUrl",
        "function": example.functionName,
        principal: "arn:aws:iam::444455556666:role/example",
        sourceAccount: "444455556666",
        functionUrlAuthType: "AWS_IAM",
    });
    
    import pulumi
    import pulumi_aws as aws
    
    url = aws.lambda_.FunctionUrl("url",
        function_name=example["functionName"],
        authorization_type="AWS_IAM")
    url_permission = aws.lambda_.Permission("url",
        action="lambda:InvokeFunctionUrl",
        function=example["functionName"],
        principal="arn:aws:iam::444455556666:role/example",
        source_account="444455556666",
        function_url_auth_type="AWS_IAM")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := lambda.NewFunctionUrl(ctx, "url", &lambda.FunctionUrlArgs{
    			FunctionName:      pulumi.Any(example.FunctionName),
    			AuthorizationType: pulumi.String("AWS_IAM"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lambda.NewPermission(ctx, "url", &lambda.PermissionArgs{
    			Action:              pulumi.String("lambda:InvokeFunctionUrl"),
    			Function:            pulumi.Any(example.FunctionName),
    			Principal:           pulumi.String("arn:aws:iam::444455556666:role/example"),
    			SourceAccount:       pulumi.String("444455556666"),
    			FunctionUrlAuthType: pulumi.String("AWS_IAM"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var url = new Aws.Lambda.FunctionUrl("url", new()
        {
            FunctionName = example.FunctionName,
            AuthorizationType = "AWS_IAM",
        });
    
        var urlPermission = new Aws.Lambda.Permission("url", new()
        {
            Action = "lambda:InvokeFunctionUrl",
            Function = example.FunctionName,
            Principal = "arn:aws:iam::444455556666:role/example",
            SourceAccount = "444455556666",
            FunctionUrlAuthType = "AWS_IAM",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.lambda.FunctionUrl;
    import com.pulumi.aws.lambda.FunctionUrlArgs;
    import com.pulumi.aws.lambda.Permission;
    import com.pulumi.aws.lambda.PermissionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var url = new FunctionUrl("url", FunctionUrlArgs.builder()
                .functionName(example.functionName())
                .authorizationType("AWS_IAM")
                .build());
    
            var urlPermission = new Permission("urlPermission", PermissionArgs.builder()
                .action("lambda:InvokeFunctionUrl")
                .function(example.functionName())
                .principal("arn:aws:iam::444455556666:role/example")
                .sourceAccount("444455556666")
                .functionUrlAuthType("AWS_IAM")
                .build());
    
        }
    }
    
    resources:
      url:
        type: aws:lambda:FunctionUrl
        properties:
          functionName: ${example.functionName}
          authorizationType: AWS_IAM
      urlPermission:
        type: aws:lambda:Permission
        name: url
        properties:
          action: lambda:InvokeFunctionUrl
          function: ${example.functionName}
          principal: arn:aws:iam::444455556666:role/example
          sourceAccount: '444455556666'
          functionUrlAuthType: AWS_IAM
    

    Create Permission Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Permission(name: string, args: PermissionArgs, opts?: CustomResourceOptions);
    @overload
    def Permission(resource_name: str,
                   args: PermissionArgs,
                   opts: Optional[ResourceOptions] = None)
    
    @overload
    def Permission(resource_name: str,
                   opts: Optional[ResourceOptions] = None,
                   action: Optional[str] = None,
                   function: Optional[str] = None,
                   principal: Optional[str] = None,
                   event_source_token: Optional[str] = None,
                   function_url_auth_type: Optional[str] = None,
                   principal_org_id: Optional[str] = None,
                   qualifier: Optional[str] = None,
                   source_account: Optional[str] = None,
                   source_arn: Optional[str] = None,
                   statement_id: Optional[str] = None,
                   statement_id_prefix: Optional[str] = None)
    func NewPermission(ctx *Context, name string, args PermissionArgs, opts ...ResourceOption) (*Permission, error)
    public Permission(string name, PermissionArgs args, CustomResourceOptions? opts = null)
    public Permission(String name, PermissionArgs args)
    public Permission(String name, PermissionArgs args, CustomResourceOptions options)
    
    type: aws:lambda:Permission
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PermissionArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var awsPermissionResource = new Aws.Lambda.Permission("awsPermissionResource", new()
    {
        Action = "string",
        Function = "string",
        Principal = "string",
        EventSourceToken = "string",
        FunctionUrlAuthType = "string",
        PrincipalOrgId = "string",
        Qualifier = "string",
        SourceAccount = "string",
        SourceArn = "string",
        StatementId = "string",
        StatementIdPrefix = "string",
    });
    
    example, err := lambda.NewPermission(ctx, "awsPermissionResource", &lambda.PermissionArgs{
    	Action:              pulumi.String("string"),
    	Function:            pulumi.Any("string"),
    	Principal:           pulumi.String("string"),
    	EventSourceToken:    pulumi.String("string"),
    	FunctionUrlAuthType: pulumi.String("string"),
    	PrincipalOrgId:      pulumi.String("string"),
    	Qualifier:           pulumi.String("string"),
    	SourceAccount:       pulumi.String("string"),
    	SourceArn:           pulumi.String("string"),
    	StatementId:         pulumi.String("string"),
    	StatementIdPrefix:   pulumi.String("string"),
    })
    
    var awsPermissionResource = new Permission("awsPermissionResource", PermissionArgs.builder()
        .action("string")
        .function("string")
        .principal("string")
        .eventSourceToken("string")
        .functionUrlAuthType("string")
        .principalOrgId("string")
        .qualifier("string")
        .sourceAccount("string")
        .sourceArn("string")
        .statementId("string")
        .statementIdPrefix("string")
        .build());
    
    aws_permission_resource = aws.lambda_.Permission("awsPermissionResource",
        action="string",
        function="string",
        principal="string",
        event_source_token="string",
        function_url_auth_type="string",
        principal_org_id="string",
        qualifier="string",
        source_account="string",
        source_arn="string",
        statement_id="string",
        statement_id_prefix="string")
    
    const awsPermissionResource = new aws.lambda.Permission("awsPermissionResource", {
        action: "string",
        "function": "string",
        principal: "string",
        eventSourceToken: "string",
        functionUrlAuthType: "string",
        principalOrgId: "string",
        qualifier: "string",
        sourceAccount: "string",
        sourceArn: "string",
        statementId: "string",
        statementIdPrefix: "string",
    });
    
    type: aws:lambda:Permission
    properties:
        action: string
        eventSourceToken: string
        function: string
        functionUrlAuthType: string
        principal: string
        principalOrgId: string
        qualifier: string
        sourceAccount: string
        sourceArn: string
        statementId: string
        statementIdPrefix: string
    

    Permission Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The Permission resource accepts the following input properties:

    Action string
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    Function string | string
    Name of the Lambda function whose resource policy you are updating
    Principal string
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    EventSourceToken string
    The Event Source Token to validate. Used with Alexa Skills.
    FunctionUrlAuthType string
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    PrincipalOrgId string
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    Qualifier string
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    SourceAccount string
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    SourceArn string
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    StatementId string
    A unique statement identifier. By default generated by the provider.
    StatementIdPrefix string
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    Action string
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    Function string | string
    Name of the Lambda function whose resource policy you are updating
    Principal string
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    EventSourceToken string
    The Event Source Token to validate. Used with Alexa Skills.
    FunctionUrlAuthType string
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    PrincipalOrgId string
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    Qualifier string
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    SourceAccount string
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    SourceArn string
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    StatementId string
    A unique statement identifier. By default generated by the provider.
    StatementIdPrefix string
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action String
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    function String | String
    Name of the Lambda function whose resource policy you are updating
    principal String
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    eventSourceToken String
    The Event Source Token to validate. Used with Alexa Skills.
    functionUrlAuthType String
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principalOrgId String
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier String
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    sourceAccount String
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    sourceArn String
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statementId String
    A unique statement identifier. By default generated by the provider.
    statementIdPrefix String
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action string
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    function string | Function
    Name of the Lambda function whose resource policy you are updating
    principal string
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    eventSourceToken string
    The Event Source Token to validate. Used with Alexa Skills.
    functionUrlAuthType string
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principalOrgId string
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier string
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    sourceAccount string
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    sourceArn string
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statementId string
    A unique statement identifier. By default generated by the provider.
    statementIdPrefix string
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action str
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    function str | str
    Name of the Lambda function whose resource policy you are updating
    principal str
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    event_source_token str
    The Event Source Token to validate. Used with Alexa Skills.
    function_url_auth_type str
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principal_org_id str
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier str
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    source_account str
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    source_arn str
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statement_id str
    A unique statement identifier. By default generated by the provider.
    statement_id_prefix str
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action String
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    function String |
    Name of the Lambda function whose resource policy you are updating
    principal String
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    eventSourceToken String
    The Event Source Token to validate. Used with Alexa Skills.
    functionUrlAuthType String
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principalOrgId String
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier String
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    sourceAccount String
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    sourceArn String
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statementId String
    A unique statement identifier. By default generated by the provider.
    statementIdPrefix String
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Permission resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Permission Resource

    Get an existing Permission resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PermissionState, opts?: CustomResourceOptions): Permission
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            event_source_token: Optional[str] = None,
            function: Optional[str] = None,
            function_url_auth_type: Optional[str] = None,
            principal: Optional[str] = None,
            principal_org_id: Optional[str] = None,
            qualifier: Optional[str] = None,
            source_account: Optional[str] = None,
            source_arn: Optional[str] = None,
            statement_id: Optional[str] = None,
            statement_id_prefix: Optional[str] = None) -> Permission
    func GetPermission(ctx *Context, name string, id IDInput, state *PermissionState, opts ...ResourceOption) (*Permission, error)
    public static Permission Get(string name, Input<string> id, PermissionState? state, CustomResourceOptions? opts = null)
    public static Permission get(String name, Output<String> id, PermissionState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    EventSourceToken string
    The Event Source Token to validate. Used with Alexa Skills.
    Function string | string
    Name of the Lambda function whose resource policy you are updating
    FunctionUrlAuthType string
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    Principal string
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    PrincipalOrgId string
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    Qualifier string
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    SourceAccount string
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    SourceArn string
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    StatementId string
    A unique statement identifier. By default generated by the provider.
    StatementIdPrefix string
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    Action string
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    EventSourceToken string
    The Event Source Token to validate. Used with Alexa Skills.
    Function string | string
    Name of the Lambda function whose resource policy you are updating
    FunctionUrlAuthType string
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    Principal string
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    PrincipalOrgId string
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    Qualifier string
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    SourceAccount string
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    SourceArn string
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    StatementId string
    A unique statement identifier. By default generated by the provider.
    StatementIdPrefix string
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action String
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    eventSourceToken String
    The Event Source Token to validate. Used with Alexa Skills.
    function String | String
    Name of the Lambda function whose resource policy you are updating
    functionUrlAuthType String
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principal String
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    principalOrgId String
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier String
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    sourceAccount String
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    sourceArn String
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statementId String
    A unique statement identifier. By default generated by the provider.
    statementIdPrefix String
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action string
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    eventSourceToken string
    The Event Source Token to validate. Used with Alexa Skills.
    function string | Function
    Name of the Lambda function whose resource policy you are updating
    functionUrlAuthType string
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principal string
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    principalOrgId string
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier string
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    sourceAccount string
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    sourceArn string
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statementId string
    A unique statement identifier. By default generated by the provider.
    statementIdPrefix string
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action str
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    event_source_token str
    The Event Source Token to validate. Used with Alexa Skills.
    function str | str
    Name of the Lambda function whose resource policy you are updating
    function_url_auth_type str
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principal str
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    principal_org_id str
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier str
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    source_account str
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    source_arn str
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statement_id str
    A unique statement identifier. By default generated by the provider.
    statement_id_prefix str
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.
    action String
    The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
    eventSourceToken String
    The Event Source Token to validate. Used with Alexa Skills.
    function String |
    Name of the Lambda function whose resource policy you are updating
    functionUrlAuthType String
    Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
    principal String
    The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
    principalOrgId String
    The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
    qualifier String
    Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
    sourceAccount String
    This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
    sourceArn String
    When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. Without this, any resource from principal will be granted permission – even if that resource is from another account. For S3, this should be the ARN of the S3 Bucket. For EventBridge events, this should be the ARN of the EventBridge Rule. For API Gateway, this should be the ARN of the API, as described here.
    statementId String
    A unique statement identifier. By default generated by the provider.
    statementIdPrefix String
    A statement identifier prefix. The provider will generate a unique suffix. Conflicts with statement_id.

    Import

    Using pulumi import, import Lambda permission statements using function_name/statement_id with an optional qualifier. For example:

    $ pulumi import aws:lambda/permission:Permission test_lambda_permission my_test_lambda_function/AllowExecutionFromCloudWatch
    
    $ pulumi import aws:lambda/permission:Permission test_lambda_permission my_test_lambda_function:qualifier_name/AllowExecutionFromCloudWatch
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v6.60.0 published on Tuesday, Nov 19, 2024 by Pulumi