How can I use Workato to invoke AWS Lambda functions without giving AWSLambdaFullAccess permission to Workato?
Hi, I have successful in using the Workato AWS Lambda connector to trigger Lambda functions. However, I noticed that your connector requires me to give AWSLambdaFullAccess permissions to the API user used by the Workato AWS Lambda connector to connect to AWS.
Is there a way for me to just restrict this user to only be able to invoke predefined AWS Lambda functions based on their Amazon Resource Name (ARN)? Essentially, I would like to lockdown Workato's access to my AWS Lambda account and only allow it to invoke predefined Lambda functions. Please let me know if this is possible.
Best Answer
B
Bryan Yap
said
over 5 years ago
Hi Saul, thanks for reaching out to us! I did a check on this and it seems like it is possible. The IAM Policy below should work for your use case:
As shown in the code above, the Workato AWS Lambda connector only requires the following permissions:
Permission to list ALL AWS Lambda functions, which is specified in the policy above as "Resource": "*"
Permission to run just the AWS Lambda function which you desire which you can specify via the Amazon Resource Number (ARN). Shown in the example above as "Resource": ["arn:aws:lambda:us-west-2:641923904298:function:newUserCreated"]
Answer
Bryan Yap
said
over 5 years ago
Hi Saul, thanks for reaching out to us! I did a check on this and it seems like it is possible. The IAM Policy below should work for your use case:
As shown in the code above, the Workato AWS Lambda connector only requires the following permissions:
Permission to list ALL AWS Lambda functions, which is specified in the policy above as "Resource": "*"
Permission to run just the AWS Lambda function which you desire which you can specify via the Amazon Resource Number (ARN). Shown in the example above as "Resource": ["arn:aws:lambda:us-west-2:641923904298:function:newUserCreated"]
Saul Macht
How can I use Workato to invoke AWS Lambda functions without giving AWSLambdaFullAccess permission to Workato?
Hi, I have successful in using the Workato AWS Lambda connector to trigger Lambda functions. However, I noticed that your connector requires me to give AWSLambdaFullAccess permissions to the API user used by the Workato AWS Lambda connector to connect to AWS.
Is there a way for me to just restrict this user to only be able to invoke predefined AWS Lambda functions based on their Amazon Resource Name (ARN)? Essentially, I would like to lockdown Workato's access to my AWS Lambda account and only allow it to invoke predefined Lambda functions. Please let me know if this is possible.
Hi Saul, thanks for reaching out to us! I did a check on this and it seems like it is possible. The IAM Policy below should work for your use case:
{ "Statement": [ { "Action": "lambda:ListFunctions", "Effect": "Allow", "Resource": "*" }, { "Action": [ "lambda:*" ], "Effect": "Allow", "Resource": [ "arn:aws:lambda:us-west-2:641923904298:function:newUserCreated" ] } ] }As shown in the code above, the Workato AWS Lambda connector only requires the following permissions:
Bryan Yap
Hi Saul, thanks for reaching out to us! I did a check on this and it seems like it is possible. The IAM Policy below should work for your use case:
{ "Statement": [ { "Action": "lambda:ListFunctions", "Effect": "Allow", "Resource": "*" }, { "Action": [ "lambda:*" ], "Effect": "Allow", "Resource": [ "arn:aws:lambda:us-west-2:641923904298:function:newUserCreated" ] } ] }As shown in the code above, the Workato AWS Lambda connector only requires the following permissions: