Saul Macht

started a topic over 5 years ago
Answered

How can I use Workato to invoke AWS Lambda functions without giving AWSLambdaFullAccess permission to Workato?

Hi, I have been successful in using the Workato AWS Lambda connector to trigger Lambda functions. However, I noticed that your connector requires me to give AWSLambdaFullAccess permissions to the API user used by the Workato AWS Lambda connector to connect to AWS.

Is there a way for me to just restrict this user to only be able to invoke predefined AWS Lambda functions based on their Amazon Resource Name (ARN)? Essentially, I would like to lock down Workato's access to my AWS Lambda account and only allow it to invoke predefined Lambda functions. Please let me know if this is possible.


Best Answer
Bryan Yap said over 5 years ago

Hi Saul, thanks for reaching out to us! I did a check on this and it seems like it is possible. The IAM Policy below should work for your use case:


{
    "Statement": [
        {
            "Action": "lambda:ListFunctions",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "lambda:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lambda:us-west-2:641923904298:function:newUserCreated"
            ]
        }
    ]
}

 

As shown in the code above, the Workato AWS Lambda connector only requires the following permissions:

  1. Permission to list ALL AWS Lambda functions, which is specified in the policy above as "Resource": "*"
  2. Permission to run just the AWS Lambda function you desire, which you can specify via the Amazon Resource Number (ARN), shown in the example above as "Resource": ["arn:aws:lambda:us-west-2:641923904298:function:newUserCreated"]
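
Added example (not part of Bryan's answer or Workato's code): a simplified Python evaluator that checks what the policy above actually grants, showing that `lambda:*` on the function ARN also permits modifying or deleting that function, and what changes when the wildcard is narrowed. Assumptions: the second function ARN is constructed, the list of mutating actions is a non-exhaustive sample, and whether the connector works with only `lambda:InvokeFunction` is not confirmed on this page.

```python
import copy
import json
import re

# Policy from the answer above, embedded as sample input.
POLICY = json.loads("""
{"Statement": [
  {"Action": "lambda:ListFunctions", "Effect": "Allow", "Resource": "*"},
  {"Action": ["lambda:*"], "Effect": "Allow",
   "Resource": ["arn:aws:lambda:us-west-2:641923904298:function:newUserCreated"]}
]}
""")
TARGET = "arn:aws:lambda:us-west-2:641923904298:function:newUserCreated"
# Constructed ARN of a function the policy is NOT meant to cover.
OTHER = "arn:aws:lambda:us-west-2:641923904298:function:someOtherFunction"
# Real Lambda actions that modify or delete a function (not an exhaustive list).
MUTATING = ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
            "lambda:DeleteFunction", "lambda:AddPermission"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def allowed(policy, action, resource):
    """True if an Allow statement covers (action, resource).
    Simplified: ignores Deny, NotAction/NotResource and Condition."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") == "Allow" \
           and any(_wild(a, action, True) for a in _as_list(st["Action"])) \
           and any(_wild(r, resource) for r in _as_list(st["Resource"])):
            return True
    return False

def excess(policy, arn):
    """Mutating actions from MUTATING that the policy grants on arn."""
    return [a for a in MUTATING if allowed(policy, a, arn)]

def narrowed(policy, actions):
    """Copy of policy with every wildcard Action entry replaced by `actions`."""
    out = copy.deepcopy(policy)
    for st in _as_list(out["Statement"]):
        if any("*" in a for a in _as_list(st["Action"])):
            st["Action"] = list(actions)
    return out
```

`excess(POLICY, TARGET)` lists the mutating actions the posted policy grants on `newUserCreated`; `narrowed(POLICY, ["lambda:InvokeFunction"])` returns a candidate replacement to test against the connector before relying on it.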
