In this post we need to copy data from one S3 bucket to another using a Lambda function. To do that, Lambda needs an IAM role that grants it access to the other AWS services it calls.
We will use a CloudFormation template to create the following AWS resources:
- An IAM role for the Lambda service.
- An inline policy attached to that role, granting:
  - access to the two individual buckets;
  - access to CloudWatch Logs for basic log operations.
If you want to reuse this template, replace the values listed below with your own:
- Bucket 1 name: mydemodests1
- Bucket 2 name: mydemodests2
- IAM role name: LambaRoleforS3operation
- Inline policy name: LambaRoleforS3operation-InlinePolicy
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Lambda role creation for S3 Operation.
Resources:
  LambdaIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # Description is a property of AWS::IAM::Role, so it belongs under Properties
      Description: "Lambda IAM Role"
      RoleName: LambaRoleforS3operation
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowLambdaServiceToAssumeRole
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /service-role/
      Policies:
        - PolicyName: "LambaRoleforS3operation-InlinePolicy"
          PolicyDocument: {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "logs:CreateLogGroup",
                  "logs:CreateLogStream",
                  "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:*:*:*"
              },
              {
                "Effect": "Allow",
                "Action": [
                  "s3:*"
                ],
                "Resource": [
                  "arn:aws:s3:::mydemodests1/*"
                ]
              },
              {
                "Effect": "Allow",
                "Action": [
                  "s3:*"
                ],
                "Resource": [
                  "arn:aws:s3:::mydemodests2/*"
                ]
              }
            ]
          }
```
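The inline policy above grants `s3:*` on both buckets, which is far more than a copy needs. The following script, added here as an example and not part of the original template, flags wildcard actions in that policy and builds a least-privilege replacement for a one-way copy (list and read on the source bucket, write on the destination). The bucket names are the ones from this post; the tightened statement names are my own.

```python
import json

# Inline policy from the template above, reproduced here as constructed input for the check.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::mydemodests1/*"]},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::mydemodests2/*"]},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_actions(policy):
    """Return (statement index, action) for every Allow action that ends in '*'."""
    return [(i, a) for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", [])) if a.endswith("*")]


def least_privilege_copy_statements(source_bucket, dest_bucket):
    """Statements a one-way copy needs instead of s3:* (assumed minimum set).
    ListBucket is bucket-level, so it is granted on the bucket ARN, not bucket/*."""
    return [
        {"Sid": "ListSource", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{source_bucket}"},
        {"Sid": "ReadSourceObjects", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{source_bucket}/*"},
        {"Sid": "WriteDestObjects", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{dest_bucket}/*"},
    ]


def tightened_policy(policy, source_bucket, dest_bucket):
    """Keep the non-S3 statements (CloudWatch Logs) and replace the S3 wildcards."""
    kept = [s for s in policy["Statement"]
            if not any(a.startswith("s3:") for a in _as_list(s.get("Action", [])))]
    return {"Version": policy["Version"],
            "Statement": kept + least_privilege_copy_statements(source_bucket, dest_bucket)}


if __name__ == "__main__":
    print("wildcard actions:", find_wildcard_actions(PAGE_POLICY))
    print(json.dumps(tightened_policy(PAGE_POLICY, "mydemodests1", "mydemodests2"), indent=2))
```

The output JSON can be pasted back into `PolicyDocument` in place of the two `s3:*` statements; if the copy also has to preserve object tags or ACLs, add those specific actions rather than returning to `s3:*`.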