tessl/maven-com-amazonaws--aws-java-sdk-lambda
AWS Java SDK client for communicating with AWS Lambda Service for function management, invocation, and resource control
—
Pending
permissions-policies.mddocs/
Permissions and Policies
Comprehensive permission management for Lambda functions through resource-based policies, enabling fine-grained access control for AWS services, accounts, and external entities to invoke functions.
Capabilities
Function Permission Management
Manages resource-based IAM policies that control who can invoke Lambda functions and under what conditions.
Add Permission
Grants permission for AWS services, accounts, or other entities to invoke a Lambda function.
/**
* Grants permission for AWS service or account to invoke Lambda function
* @param request Permission grant parameters including principal, action, and conditions
* @return AddPermissionResult containing statement ID and updated policy
* @throws ServiceException if service encounters an error
* @throws ResourceNotFoundException if function does not exist
* @throws ResourceConflictException if statement ID already exists
* @throws PolicyLengthExceededException if policy exceeds maximum size limit
* @throws PreconditionFailedException if revision ID mismatch
*/
AddPermissionResult addPermission(AddPermissionRequest request);
public class AddPermissionRequest {
/** Function name (required) - name, ARN, or partial ARN */
private String functionName;
/** Statement ID (required) - unique identifier for permission statement */
private String statementId;
/** Action (required) - lambda:InvokeFunction or lambda:* */
private String action;
/** Principal (required) - AWS service, account ID, or "*" */
private String principal;
/** Source ARN (optional) - ARN of AWS resource triggering invocation */
private String sourceArn;
/** Source account (optional) - AWS account ID for additional security */
private String sourceAccount;
/** Event source token (optional) - token for Alexa Smart Home skills */
private String eventSourceToken;
/** Function version or alias (optional) - defaults to $LATEST */
private String qualifier;
/** Revision ID for optimistic locking (optional) */
private String revisionId;
/** Principal organization ID (optional) - restrict to specific organization */
private String principalOrgId;
/** Function URL auth type (optional) - AWS_IAM or NONE */
private FunctionUrlAuthType functionUrlAuthType;
}
public class AddPermissionResult {
/** JSON representation of updated policy statement */
private String statement;
}Remove Permission
Revokes previously granted permission from a Lambda function's resource-based policy.
/**
* Revokes permission from Lambda function resource-based policy
* @param request Permission revocation parameters including statement ID
* @return RemovePermissionResult indicating successful removal
* @throws ServiceException if service encounters an error
* @throws ResourceNotFoundException if function or statement does not exist
* @throws PreconditionFailedException if revision ID mismatch
*/
RemovePermissionResult removePermission(RemovePermissionRequest request);
public class RemovePermissionRequest {
/** Function name (required) - name, ARN, or partial ARN */
private String functionName;
/** Statement ID (required) - identifier of permission statement to remove */
private String statementId;
/** Function version or alias (optional) - defaults to $LATEST */
private String qualifier;
/** Revision ID for optimistic locking (optional) */
private String revisionId;
}
public class RemovePermissionResult {
// Empty result indicating successful removal
}Get Policy
Retrieves the complete resource-based IAM policy for a Lambda function.
/**
* Retrieves complete resource-based IAM policy document for Lambda function
* @param request Policy retrieval parameters including function name
* @return GetPolicyResult containing policy document and revision ID
* @throws ServiceException if service encounters an error
* @throws ResourceNotFoundException if function or policy does not exist
*/
GetPolicyResult getPolicy(GetPolicyRequest request);
public class GetPolicyRequest {
/** Function name (required) - name, ARN, or partial ARN */
private String functionName;
/** Function version or alias (optional) - defaults to $LATEST */
private String qualifier;
}
public class GetPolicyResult {
/** Resource-based policy document in JSON format */
private String policy;
/** Revision ID for optimistic locking */
private String revisionId;
}Usage Examples
Granting Service Permissions
AWSLambda lambdaClient = AWSLambdaClientBuilder.defaultClient();
// Allow S3 to invoke function for bucket notifications
AddPermissionRequest s3Permission = new AddPermissionRequest()
.withFunctionName("document-processor")
.withStatementId("allow-s3-invoke")
.withAction("lambda:InvokeFunction")
.withPrincipal("s3.amazonaws.com")
.withSourceArn("arn:aws:s3:::my-document-bucket")
.withSourceAccount("123456789012");
AddPermissionResult result = lambdaClient.addPermission(s3Permission);
System.out.println("Added S3 permission: " + result.getStatement());Granting Cross-Account Access
// Allow another AWS account to invoke function
AddPermissionRequest crossAccountPermission = new AddPermissionRequest()
.withFunctionName("shared-api-function")
.withStatementId("allow-partner-account")
.withAction("lambda:InvokeFunction")
.withPrincipal("987654321098"); // Partner account ID
lambdaClient.addPermission(crossAccountPermission);
// Allow specific account with additional organization restriction
AddPermissionRequest orgRestrictedPermission = new AddPermissionRequest()
.withFunctionName("internal-service")
.withStatementId("allow-internal-account")
.withAction("lambda:InvokeFunction")
.withPrincipal("555666777888")
.withPrincipalOrgId("o-example12345"); // Must be in our organization
lambdaClient.addPermission(orgRestrictedPermission);API Gateway Integration
// Grant API Gateway permission to invoke function
AddPermissionRequest apiGatewayPermission = new AddPermissionRequest()
.withFunctionName("api-backend")
.withStatementId("allow-api-gateway")
.withAction("lambda:InvokeFunction")
.withPrincipal("apigateway.amazonaws.com")
.withSourceArn("arn:aws:execute-api:us-east-1:123456789012:abcd123456/*/GET/users");
lambdaClient.addPermission(apiGatewayPermission);
// For REST API with wildcard path
AddPermissionRequest restApiPermission = new AddPermissionRequest()
.withFunctionName("rest-api-handler")
.withStatementId("allow-rest-api")
.withAction("lambda:InvokeFunction")
.withPrincipal("apigateway.amazonaws.com")
.withSourceArn("arn:aws:execute-api:us-east-1:123456789012:*/*/ANY/*");
lambdaClient.addPermission(restApiPermission);EventBridge (CloudWatch Events) Integration
// Allow EventBridge to invoke function
AddPermissionRequest eventBridgePermission = new AddPermissionRequest()
.withFunctionName("event-processor")
.withStatementId("allow-eventbridge")
.withAction("lambda:InvokeFunction")
.withPrincipal("events.amazonaws.com")
.withSourceArn("arn:aws:events:us-east-1:123456789012:rule/my-scheduled-rule");
lambdaClient.addPermission(eventBridgePermission);CloudWatch Logs Integration
// Allow CloudWatch Logs to invoke function for log processing
AddPermissionRequest logsPermission = new AddPermissionRequest()
.withFunctionName("log-analyzer")
.withStatementId("allow-cloudwatch-logs")
.withAction("lambda:InvokeFunction")
.withPrincipal("logs.amazonaws.com")
.withSourceArn("arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/my-function:*");
lambdaClient.addPermission(logsPermission);Alexa Skills Integration
// Allow Alexa Skills Kit to invoke function
AddPermissionRequest alexaPermission = new AddPermissionRequest()
.withFunctionName("alexa-skill-handler")
.withStatementId("allow-alexa")
.withAction("lambda:InvokeFunction")
.withPrincipal("alexa-appkit.amazon.com")
.withEventSourceToken("amzn1.ask.skill.12345678-1234-1234-1234-123456789012");
lambdaClient.addPermission(alexaPermission);Function URL Permissions
// Configure function URL with IAM authentication
AddPermissionRequest functionUrlPermission = new AddPermissionRequest()
.withFunctionName("public-api")
.withStatementId("allow-function-url")
.withAction("lambda:InvokeFunctionUrl")
.withPrincipal("*")
.withFunctionUrlAuthType(FunctionUrlAuthType.NONE); // Public access
lambdaClient.addPermission(functionUrlPermission);Managing Permissions for Aliases
// Grant permission specifically for production alias
AddPermissionRequest prodAliasPermission = new AddPermissionRequest()
.withFunctionName("my-function")
.withQualifier("PROD")
.withStatementId("allow-prod-s3-invoke")
.withAction("lambda:InvokeFunction")
.withPrincipal("s3.amazonaws.com")
.withSourceArn("arn:aws:s3:::production-bucket");
lambdaClient.addPermission(prodAliasPermission);
// Different permission for staging alias
AddPermissionRequest stagingAliasPermission = new AddPermissionRequest()
.withFunctionName("my-function")
.withQualifier("STAGING")
.withStatementId("allow-staging-s3-invoke")
.withAction("lambda:InvokeFunction")
.withPrincipal("s3.amazonaws.com")
.withSourceArn("arn:aws:s3:::staging-bucket");
lambdaClient.addPermission(stagingAliasPermission);Policy Management and Auditing
public class PolicyManager {
private final AWSLambda lambdaClient;
public PolicyManager(AWSLambda lambdaClient) {
this.lambdaClient = lambdaClient;
}
/**
* Audit function permissions and print policy details
*/
public void auditFunctionPermissions(String functionName) {
try {
GetPolicyRequest request = new GetPolicyRequest()
.withFunctionName(functionName);
GetPolicyResult result = lambdaClient.getPolicy(request);
System.out.println("Function: " + functionName);
System.out.println("Policy Revision: " + result.getRevisionId());
System.out.println("Policy Document:");
// Parse and pretty-print JSON policy
ObjectMapper mapper = new ObjectMapper();
JsonNode policy = mapper.readTree(result.getPolicy());
System.out.println(mapper.writerWithDefaultPrettyPrinter().writeValueAsString(policy));
} catch (ResourceNotFoundException e) {
System.out.println("No resource-based policy found for function: " + functionName);
} catch (Exception e) {
System.err.println("Error retrieving policy: " + e.getMessage());
}
}
/**
* Bulk remove permissions by statement ID pattern
*/
public void removePermissionsByPattern(String functionName, String statementIdPattern) {
try {
GetPolicyResult policyResult = lambdaClient.getPolicy(
new GetPolicyRequest().withFunctionName(functionName));
ObjectMapper mapper = new ObjectMapper();
JsonNode policy = mapper.readTree(policyResult.getPolicy());
JsonNode statements = policy.get("Statement");
if (statements.isArray()) {
for (JsonNode statement : statements) {
String sid = statement.get("Sid").asText();
if (sid.matches(statementIdPattern)) {
RemovePermissionRequest removeRequest = new RemovePermissionRequest()
.withFunctionName(functionName)
.withStatementId(sid);
lambdaClient.removePermission(removeRequest);
System.out.println("Removed permission: " + sid);
}
}
}
} catch (ResourceNotFoundException e) {
System.out.println("No policy found for function: " + functionName);
} catch (Exception e) {
System.err.println("Error managing permissions: " + e.getMessage());
}
}
/**
* Safely update permission with revision checking
*/
public void updatePermission(String functionName, String statementId,
String newPrincipal, String sourceArn) {
try {
// Get current policy revision
GetPolicyResult currentPolicy = lambdaClient.getPolicy(
new GetPolicyRequest().withFunctionName(functionName));
// Remove old permission
RemovePermissionRequest removeRequest = new RemovePermissionRequest()
.withFunctionName(functionName)
.withStatementId(statementId)
.withRevisionId(currentPolicy.getRevisionId());
lambdaClient.removePermission(removeRequest);
// Add new permission
AddPermissionRequest addRequest = new AddPermissionRequest()
.withFunctionName(functionName)
.withStatementId(statementId)
.withAction("lambda:InvokeFunction")
.withPrincipal(newPrincipal)
.withSourceArn(sourceArn);
lambdaClient.addPermission(addRequest);
System.out.println("Updated permission: " + statementId);
} catch (PreconditionFailedException e) {
System.err.println("Policy was modified concurrently. Retry required.");
} catch (Exception e) {
System.err.println("Error updating permission: " + e.getMessage());
}
}
}Removing Permissions
// Remove specific permission by statement ID
RemovePermissionRequest removeRequest = new RemovePermissionRequest()
.withFunctionName("my-function")
.withStatementId("allow-s3-invoke");
lambdaClient.removePermission(removeRequest);
System.out.println("Removed S3 invoke permission");
// Remove permission from specific alias
RemovePermissionRequest removeAliasRequest = new RemovePermissionRequest()
.withFunctionName("my-function")
.withQualifier("PROD")
.withStatementId("allow-prod-s3-invoke");
lambdaClient.removePermission(removeAliasRequest);Exception Handling
Common exceptions when managing permissions:
- ResourceNotFoundException: Function, version, alias, or statement does not exist
- ResourceConflictException: Statement ID already exists during permission addition
- PolicyLengthExceededException: Policy document exceeds 20 KB size limit
- PreconditionFailedException: Revision ID mismatch during concurrent modifications
- InvalidParameterValueException: Invalid principal, action, or ARN format
- ServiceException: General service errors
- TooManyRequestsException: Rate limiting exceeded
Best Practices
Security Principles
- Follow least privilege principle - grant minimal necessary permissions
- Use specific source ARNs rather than wildcard principals when possible
- Include source account restrictions for additional security layer
- Regularly audit and review function permissions
Statement Management
- Use descriptive, consistent statement IDs for easier management
- Include version or date in statement IDs for tracking changes
- Document the purpose and business justification for each permission
- Implement automated permission cleanup for unused statements
Cross-Service Integration
- Understand service-specific principal formats (e.g., "s3.amazonaws.com")
- Use appropriate source ARN patterns for different AWS services
- Test permissions thoroughly in non-production environments
- Monitor failed invocations due to permission issues
Policy Organization
- Keep policies organized and well-documented
- Use consistent naming conventions for statement IDs
- Implement version control for policy changes
- Set up monitoring and alerting for policy modifications
Install with Tessl CLI
npx tessl i tessl/maven-com-amazonaws--aws-java-sdk-lambdadocs
account-settings.mdalias-version-management.mdclient-management.mdconcurrency-performance.mdevent-source-mapping.mdfunction-invocation.mdfunction-management.mdfunction-url-management.mdhigh-level-invocation.mdindex.mdlayer-management.mdpermissions-policies.mdruntime-management.mdsecurity-code-signing.mdtagging.mdwaiters-polling.md