sashee/local-lambda-environment

Devmode enabled assume role policy

Why

If you develop a Lambda function, your assume role policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}

The problem is that you cannot assume this role from the CLI, so you have no way of running your Lambda function locally with the correct role.

The solution is to allow the current account to assume that role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "<account id>"
      },
      "Effect": "Allow"
    }
  ]
}

But leaving that statement on in production is a bad idea, so adding it should be switchable.

To see how to emulate a real Lambda locally, check out the example.
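One way to check that the dev-mode statement described above has not been left in a deployed role's trust policy, as an added example that is not part of this repository. The function names are hypothetical and `123456789012` is a placeholder account id; the check goes slightly beyond the two policies shown by also handling a single-object `Statement`, list-valued principals and wildcard actions.

```python
import json
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_assume_role(stmt):
    """True for an Allow statement whose Action matches sts:AssumeRole (wildcards included)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("sts:assumerole", str(a).lower())
               for a in _as_list(stmt.get("Action")))


def dev_mode_principals(policy_json):
    """Return the AWS (non-service) principals the trust policy lets assume the role."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _allows_assume_role(stmt):
            continue
        principal = stmt.get("Principal")
        if principal == "*":               # wildcard principal: anyone may assume
            found.append("*")
        elif isinstance(principal, dict):  # {"Service": ...} and/or {"AWS": ...}
            found.extend(_as_list(principal.get("AWS")))
    return found


def _stmt(principal):
    """Build one Allow sts:AssumeRole statement for the constructed samples."""
    return {"Action": "sts:AssumeRole", "Principal": principal, "Effect": "Allow"}


# Constructed samples mirroring the two policies above (placeholder account id).
LAMBDA_ONLY = json.dumps({"Version": "2012-10-17",
                          "Statement": [_stmt({"Service": "lambda.amazonaws.com"})]})
DEV_MODE = json.dumps({"Version": "2012-10-17",
                       "Statement": [_stmt({"Service": "lambda.amazonaws.com"}),
                                     _stmt({"AWS": "123456789012"})]})

if __name__ == "__main__":
    for name, doc in (("lambda-only", LAMBDA_ONLY), ("dev-mode", DEV_MODE)):
        hits = dev_mode_principals(doc)
        print(f"{name}: {'FAIL ' + str(hits) if hits else 'ok'}")
```

Run against the rendered `assume_role_policy` of production roles, a non-empty result means an account principal can still assume the Lambda execution role.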

How to use

module "devmode_assume_role_policy" {
  source = "github.com/sashee/local-lambda-environment"

  dev_mode = var.dev_mode
}

resource "aws_iam_role" "lambda_exec" {
  assume_role_policy = module.devmode_assume_role_policy.policy
}

Whenever dev_mode is true, the extra statement is appended. When it's false, the assume role policy is left intact.

There is an optional policy argument if you don't want to use the default; set it inside the module block:

  policy   = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
