How to make a role assumable by given lambda function?

We have this requirement that came out of pen testing. I have a lambda function, say "add_address", and a role "account_management_role".

I want to make "account_management_role" assumable only by "add_address" lambda function. I do not want any other lambda function to assume this role.

I tried different things; I tried adding this entry in the "Trust Relationship" of the IAM role. This did not work.

Does anyone have any idea how to get this to work?

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "<ARN of lambda function>"
        }
      }
    }
  ]
}
Nagalakshmi Srirama asked Aug 21 '17


2 Answers

Old one but recently ran into this problem. The answer is the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:eu-west-1:[account_id]:function:testaa"
        }
      }
    }
  ]
}
Allister Antosik answered Sep 29 '22
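To see why a trust-policy condition either admits exactly one function or admits nothing, here is a small local evaluator I wrote for this thread (it is not AWS code and not part of either answer). It models only the operators used on this page (StringLike/ArnLike, StringEquals/ArnEquals) and assumes a constructed request context; which condition keys Lambda really supplies when it calls sts:AssumeRole is decided by AWS, not by this script. The account id and function names are placeholders.

```python
import re

# Constructed trust policy, in the shape of the accepted answer (placeholder account id).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {
            "lambda:FunctionArn": "arn:aws:lambda:eu-west-1:123456789012:function:add_address"}},
    }],
}

# Constructed copy of the question's policy, keyed on aws:SourceArn instead.
QUESTION_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnEquals": {
            "aws:SourceArn": "arn:aws:lambda:eu-west-1:123456789012:function:add_address"}},
    }],
}

def _glob_to_regex(pattern):
    # IAM StringLike/ArnLike wildcards: '*' matches any run of characters, '?' exactly one.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return "^" + body + "$"

def condition_matches(operator, expected, actual):
    """Evaluate one condition. A key that is absent from the request context
    (actual is None) never matches, so the Allow does not apply and the
    request falls through to the implicit deny."""
    if actual is None:
        return False
    if operator in ("StringEquals", "ArnEquals"):
        return actual == expected
    if operator in ("StringLike", "ArnLike"):
        return re.match(_glob_to_regex(expected), actual) is not None
    raise ValueError(f"operator not modelled: {operator}")

def can_assume(policy, principal_service, request_context):
    """Simplified evaluation: True only if some Allow statement names this
    service principal and every one of its conditions is satisfied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("Service") != principal_service:
            continue
        conditions = stmt.get("Condition", {})
        if all(condition_matches(op, expected, request_context.get(key))
               for op, pairs in conditions.items() for key, expected in pairs.items()):
            return True
    return False
```

With the answer's policy, only a context carrying the add_address ARN under lambda:FunctionArn is admitted; any other function, or a context that lacks the key the condition references, is refused.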


@nagalakshmi From the given link http://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html, in the first paragraph they clearly mention it is not supported.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateFunctionPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PermissionToPassAnyRole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::account-id:role/*"
        }
    ]
}

From the AWS documentation:

The policy has two statements:

The first statement grants permissions for the AWS Lambda action (lambda:CreateFunction) on a resource by using the Amazon Resource Name (ARN) for the Lambda function. Currently, AWS Lambda doesn't support permissions for this particular action at the resource-level. Therefore, the policy specifies a wildcard character (*) as the Resource value.


The second statement grants permissions for the IAM action (iam:PassRole) on IAM roles. The wildcard character (*) at the end of the Resource value means that the statement allows permission for the iam:PassRole action on any IAM role. To limit this permission to a specific role, replace the wildcard character (*) in the resource ARN with the specific role name.

In the above statement from the documentation, they mention that permissions at the resource level are currently not supported.

So they might have it in a feature request.

Mohan Shanmugam answered Sep 29 '22