I am currently exploring ABAC (Attribute-Based Access Control) on AWS. My goal is to grant Lambda functions access to certain resources based on tags. For example:
lambdaA has tag project: Alpha
secretManagerDatabaseSecret has tag project: Alpha
lambdaA should have access to retrieve the secret from secretManagerDatabaseSecret.
From my research, I can achieve that by creating custom Lambda execution roles and tagging them, but I don't want to create a specific execution role for each Lambda function.
I've tried creating a general execution role with all possible permissions (policies with tag conditions) and tagging only the Lambda functions. But for all resources I receive an access denied exception. Is there a way to pass the tags from the Lambda functions to the general execution role dynamically and then have access to the resources the Lambda function needs? Or is there a way of using the tags only on the Lambda function and having access to the resources?
When using ABAC, the principal tag condition will reference the tags on the Lambda function's execution role, not the function itself. Tags are not dynamic as you describe.
My recommendation is to create a unique execution role per Lambda function. Frameworks like AWS SAM, Serverless Framework, and AWS CDK make this fairly easy though you may need to create the Role separately in some cases to apply the ABAC policy.
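To make the answer's point concrete, here is an added example (not code from the question, the answer, or AWS): a small local model of how IAM evaluates the usual `aws:ResourceTag/project = ${aws:PrincipalTag/project}` ABAC condition. The policy document is standard IAM syntax, but the evaluator is a deliberately minimal stand-in for IAM and the tag values are constructed placeholders. It shows that `aws:PrincipalTag` is populated from the execution role's tags, so tagging only the function leaves the condition unresolvable and the request is denied.

```python
"""Added example: a minimal local model of IAM ABAC condition evaluation.

Not the original poster's code and not an AWS library; the evaluator only
understands the StringEquals operator and aws:PrincipalTag / aws:ResourceTag
context keys, which is all this policy needs. Tag values are constructed.
"""
import re

# The single ABAC statement a "general" execution role would carry (standard
# IAM syntax). Resource is "*" because the tag condition does the scoping.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
                }
            },
        }
    ],
}

_POLICY_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def substitute(value, principal_tags):
    """Expand ${aws:PrincipalTag/<key>} policy variables.

    Returns None when a referenced tag is absent: IAM treats an unresolvable
    variable as a condition that does not match.
    """
    missing = False

    def repl(match):
        nonlocal missing
        tag_value = principal_tags.get(match.group(1))
        if tag_value is None:
            missing = True
            return ""
        return tag_value

    expanded = _POLICY_VAR.sub(repl, value)
    return None if missing else expanded


def condition_matches(condition, principal_tags, resource_tags):
    """Evaluate a StringEquals condition block against the request context."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for context_key, expected in pairs.items():
            if context_key.startswith("aws:ResourceTag/"):
                actual = resource_tags.get(context_key[len("aws:ResourceTag/"):])
            elif context_key.startswith("aws:PrincipalTag/"):
                actual = principal_tags.get(context_key[len("aws:PrincipalTag/"):])
            else:
                raise NotImplementedError(f"context key {context_key} not modelled")
            expected = substitute(expected, principal_tags)
            # A missing tag on either side never satisfies StringEquals.
            if actual is None or expected is None or actual != expected:
                return False
    return True


def is_allowed(policy, action, principal_tags, resource_tags):
    """Explicit Deny wins, then an Allow whose condition matches, else deny."""
    matched = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if condition_matches(stmt.get("Condition", {}), principal_tags, resource_tags):
            matched.append(stmt["Effect"])
    if "Deny" in matched:
        return False
    return "Allow" in matched


def lambda_can_read_secret(role_tags, function_tags, secret_tags):
    """Model one invocation: IAM builds aws:PrincipalTag from the execution
    role's tags. function_tags is accepted only to make explicit that the
    function's own tags never reach the condition evaluation."""
    del function_tags  # not a principal attribute; intentionally unused
    return is_allowed(ABAC_POLICY, "secretsmanager:GetSecretValue", role_tags, secret_tags)


if __name__ == "__main__":
    secret = {"project": "Alpha"}
    # The situation in the question: untagged shared role, tagged function.
    print("shared role, tagged function:", lambda_can_read_secret({}, {"project": "Alpha"}, secret))
    # The answer's recommendation: a per-function role carrying the tag.
    print("tagged role:", lambda_can_read_secret({"project": "Alpha"}, {}, secret))
    # A role tagged for another project is correctly kept out.
    print("role for Beta:", lambda_can_read_secret({"project": "Beta"}, {}, secret))
```

Running the block prints `False`, `True`, `False` for the three cases, which is exactly the AccessDenied behaviour described in the question: with a shared, untagged role the `${aws:PrincipalTag/project}` variable has nothing to expand to, whatever tags the function itself carries.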