I have created a lambda function in AWS for the purpose of accessing resources based on a lookup.
For example: I want to query a DynamoDB table FOO_BAR for a customer FOO via the API Gateway.
The request comes in, I identify the table FOO that it requires, and I want to be able to apply a policy to my current lambda function/session that will grant access to the FOO_BAR table.
My problem is: for the lambda function to be able to query table FOO_BAR, the execution role configured when creating the lambda function needs to have read access and I don't want to grant any wild card access to this role.
The API used goes through a custom authorizer and here I have applied a policy to access the APIs; I was also hoping that I could get my lambda function to also inherit the policy generated by the custom Authorizer.
Can you dynamically grant permissions to a lambda function to access resources?
Thanks!
Your Lambda function can't inherit permissions from your custom Authorizer.
You can grant permissions or generate new IAM credentials inside your Lambda function and use those for the DynamoDB call via a separate client instance.
I'm not sure if your approach provides any security benefits over a wildcard. A function that grants permissions to itself has exactly the same security level.
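The second option the answer mentions (generating new credentials inside the function and using them through a separate client) is usually done with an STS `AssumeRole` call that carries a session policy, which can only narrow the assumed role's permissions down to the one table the request needs. The code below is an added illustration and is not from either poster; the role ARN, account id, region and the read-only action list are assumptions, and the table-name check is there because the session policy is only as tight as the name you put into it.

```python
import json
import re

# DynamoDB table names are 3-255 chars of [A-Za-z0-9_.-]; this character set
# contains no IAM wildcard characters ('*', '?'), so a name that passes cannot
# widen the Resource element of the session policy below.
TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,255}$")

READ_ONLY_ACTIONS = ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:BatchGetItem"]


def is_safe_table_name(table_name):
    """True only for a syntactically valid, wildcard-free DynamoDB table name."""
    return bool(TABLE_NAME_RE.fullmatch(table_name))


def scoped_table_policy(region, account_id, table_name):
    """Build a session policy granting read-only access to exactly one table.

    The assumed role's own policy still bounds what this can allow; a session
    policy can only remove permissions, never add them.
    """
    if not is_safe_table_name(table_name):
        raise ValueError(f"refusing to build a policy for table name {table_name!r}")
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": READ_ONLY_ACTIONS,
                # Only the base table; add ".../index/*" deliberately if GSIs are needed.
                "Resource": [table_arn],
            }
        ],
    }


def scoped_dynamodb_client(role_arn, region, account_id, table_name,
                           session_name="customer-lookup"):
    """Return a DynamoDB client whose credentials are limited to one table.

    Assumes the Lambda execution role is allowed sts:AssumeRole on role_arn
    and that role_arn trusts the execution role (hypothetical setup).
    boto3 is imported here so the policy builder above stays importable
    without the AWS SDK installed.
    """
    import boto3

    sts = boto3.client("sts", region_name=region)
    creds = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=json.dumps(scoped_table_policy(region, account_id, table_name)),
        DurationSeconds=900,  # shortest allowed lifetime; the lookup is short-lived
    )["Credentials"]
    # A separate client instance, as the answer suggests: the function's own
    # execution-role credentials are never used for the table read.
    return boto3.client(
        "dynamodb",
        region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    # Constructed values; prints the session policy for a hypothetical table.
    print(json.dumps(scoped_table_policy("us-east-1", "123456789012", "FOO_BAR"), indent=2))
```

Inside the handler, derive `table_name` from something the custom authorizer already verified (for example a customer id placed in the authorizer context) and a server-side mapping, not from free-form request input; otherwise the answer's objection applies in full, since whoever controls the table name controls the scope of the credentials the function mints for itself.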