1
00:00:00,130 --> 00:00:01,100
So now let's talk

2
00:00:01,100 --> 00:00:03,650
about Lambda execution roles and permissions.

3
00:00:03,650 --> 00:00:05,990
So we've done a lot of this already through the hands-on

4
00:00:05,990 --> 00:00:08,160
so I'm sure that you understand exactly how this works

5
00:00:08,160 --> 00:00:09,350
but it's good to go back

6
00:00:09,350 --> 00:00:11,500
to a theory lecture just to try it out.

7
00:00:11,500 --> 00:00:14,570
So an IAM Role must be attached to your Lambda function

8
00:00:14,570 --> 00:00:16,250
and this will grant the Lambda function

9
00:00:16,250 --> 00:00:20,120
the permission to access AWS services and resources.

10
00:00:20,120 --> 00:00:22,270
And there are some simple managed policies for Lambda

11
00:00:22,270 --> 00:00:25,550
that we can reuse, for example, the BasicExecutionRole

12
00:00:25,550 --> 00:00:28,300
which allowed us to upload logs to CloudWatch,

13
00:00:28,300 --> 00:00:31,370
but there is the KinesisExecutionRole to read from Kinesis,

14
00:00:31,370 --> 00:00:34,280
the DynamoDBExecutionRole to read from DynamoDB streams,

15
00:00:34,280 --> 00:00:37,180
the SQSQueueExecutionRole to read from SQS,

16
00:00:37,180 --> 00:00:40,140
the LambdaVPCAccessExecutionRole,

17
00:00:40,140 --> 00:00:42,860
which is allowing us to deploy Lambda functions

18
00:00:42,860 --> 00:00:45,450
inside our VPC, as we'll see in this section,

19
00:00:45,450 --> 00:00:49,770
and the XrayDaemonWriteAccess to upload trace data to X-Ray

20
00:00:49,770 --> 00:00:51,570
as we'll see in this section as well.

21
00:00:51,570 --> 00:00:52,850
So these are managed policies

22
00:00:52,850 --> 00:00:55,670
but we can obviously create our own policy for Lambda.
23
00:00:55,670 --> 00:00:58,860
So whenever we use an event source mapping

24
00:00:58,860 --> 00:01:00,480
to invoke our function,

25
00:01:00,480 --> 00:01:03,650
Lambda is the one that will be reading the data,

26
00:01:03,650 --> 00:01:06,290
and so therefore we must use an execution role

27
00:01:06,290 --> 00:01:08,150
to read the event data.

28
00:01:08,150 --> 00:01:10,780
In the other way, the Lambda function was invoked

29
00:01:10,780 --> 00:01:14,100
by other services so we didn't need a specific IAM Role

30
00:01:14,100 --> 00:01:15,900
with some specific permissions.

31
00:01:15,900 --> 00:01:17,160
By the way, the best practice

32
00:01:17,160 --> 00:01:19,850
is to create one Lambda execution role per function,

33
00:01:19,850 --> 00:01:22,310
as we've been doing so far in the hands-on.

34
00:01:22,310 --> 00:01:25,040
So, this is for the event source mapping,

35
00:01:25,040 --> 00:01:27,200
or if our Lambda function actually needs

36
00:01:27,200 --> 00:01:29,460
to invoke other services,

37
00:01:29,460 --> 00:01:31,170
but what about if our Lambda function

38
00:01:31,170 --> 00:01:33,570
is invoked by other services?

39
00:01:33,570 --> 00:01:36,130
Then we use a resource-based policy,

40
00:01:36,130 --> 00:01:38,090
and this is to give other accounts

41
00:01:38,090 --> 00:01:40,150
or other AWS services permissions

42
00:01:40,150 --> 00:01:41,630
to use your Lambda resources,

43
00:01:41,630 --> 00:01:43,600
so, to invoke the function,

44
00:01:43,600 --> 00:01:46,080
and this is very similar to an S3 bucket policy

45
00:01:46,080 --> 00:01:48,080
for Amazon S3 buckets.

46
00:01:48,080 --> 00:01:50,760
So the rule is that an IAM principal

47
00:01:50,760 --> 00:01:52,680
can access your Lambda function

48
00:01:52,680 --> 00:01:54,620
if one of these two things happens.

49
00:01:54,620 --> 00:01:56,500
First, the IAM policy attached

50
00:01:56,500 --> 00:01:58,210
to the principal authorizes it.
51
00:01:58,210 --> 00:02:00,440
So for example, we have our IAM user

52
00:02:00,440 --> 00:02:01,900
and we have full permissions,

53
00:02:01,900 --> 00:02:03,190
so we can access our Lambda function,

54
00:02:03,190 --> 00:02:04,670
this is what we've been doing so far,

55
00:02:04,670 --> 00:02:07,260
thanks to our administrator access policy.

56
00:02:07,260 --> 00:02:09,324
Or if we have a resource-based policy

57
00:02:09,324 --> 00:02:12,000
to authorize access to the Lambda function,

58
00:02:12,000 --> 00:02:12,880
this is more helpful

59
00:02:12,880 --> 00:02:15,330
when you have service-to-service access.

60
00:02:15,330 --> 00:02:17,610
So we've seen it before, but we'll see it again.

61
00:02:17,610 --> 00:02:20,750
When another AWS service like Amazon S3

62
00:02:20,750 --> 00:02:22,650
wants to invoke our Lambda function,

63
00:02:22,650 --> 00:02:25,360
then we need to make sure the resource-based policy

64
00:02:25,360 --> 00:02:26,193
gives it access.

65
00:02:26,193 --> 00:02:27,820
And this is something that the console

66
00:02:27,820 --> 00:02:29,400
has enforced behind the scenes,

67
00:02:29,400 --> 00:02:31,320
but if you were to do your own integrations,

68
00:02:31,320 --> 00:02:33,230
this is where you would do it yourself.

69
00:02:33,230 --> 00:02:35,880
So let's go to the console to see how that works.
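As an added example (not part of the lecture), here are the two kinds of policy the lecture contrasts, written as Python dicts: the trust policy of an execution role that lets the Lambda service assume the role attached to the function, and the resource-based policy the console writes behind the scenes when Amazon S3 is allowed to invoke the function. A small checker flags service-principal grants that lack a SourceArn/SourceAccount condition, which is the scoping that keeps the grant to one bucket in one account. The account id, function ARN and bucket ARN are constructed placeholders.

```python
import json

# Constructed placeholder identifiers (not from the lecture).
ACCOUNT = "123456789012"
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:my-function"
BUCKET_ARN = "arn:aws:s3:::my-upload-bucket"

# Trust policy of the execution role: the Lambda service assumes this role,
# and the permissions policy attached to it is what the function runs with.
EXECUTION_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Resource-based policy on the function itself: lets the S3 service invoke
# it, but only on behalf of this bucket (SourceArn) in this account
# (SourceAccount), so a bucket in another account cannot trigger it.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "allow-s3-invoke",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": BUCKET_ARN},
            "StringEquals": {"AWS:SourceAccount": ACCOUNT},
        },
    }],
}

def unscoped_service_grants(policy: dict) -> list:
    """Return the Sids of Allow statements that grant an AWS service principal
    access without any SourceArn/SourceAccount condition (condition keys are
    compared case-insensitively, as IAM does)."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "Service" not in principal:
            continue  # cross-account (AWS) principals are a different review
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(stmt.get("Sid", "<no-sid>"))
    return findings

if __name__ == "__main__":
    print(json.dumps(RESOURCE_POLICY, indent=2))
    print("unscoped service grants:", unscoped_service_grants(RESOURCE_POLICY))
```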