{# IAM policy document, rendered by Ansible as a Jinja2 template: {{aws_region}} and {{aws_account}}
   are substituted at render time. The grant is for the ansible_integration_tests user (see the
   iam:GetUser statement) so the Lambda/API Gateway integration tests can run. #}
{# Only certain lambda actions can be restricted to a specific resource; the rest must use "Resource": "*" #}
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
{
  "Version": "2012-10-17",
  "Statement": [
    {# Full API Gateway control (apigateway:*) over every API path in the region -- the resource is a
       wildcard path, so this is not limited to APIs created by the tests. #}
    {
      "Sid": "AllowApiGateway",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": [
        "arn:aws:apigateway:{{aws_region}}::/*"
      ]
    },
    {# Read-only lookup of the test user itself; scoped to that single user ARN rather than iam:* #}
    {
      "Sid": "AllowGetUserForLambdaCreation",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser"
      ],
      "Resource": [
        "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
      ]
    },
    {# Lambda actions that the linked reference lists as not supporting resource-level permissions;
       they can only be granted on "*". Keep this list minimal -- anything added here applies account-wide. #}
    {
      "Sid": "AllowLambdaManagementWithoutResource",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:GetAccountSettings",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "lambda:TagResource",
        "lambda:UntagResource"
      ],
      "Resource": "*"
    },
    {# Lambda actions scoped to function ARNs. "function:*" still covers every function in the
       account/region (including InvokeFunction, AddPermission and DeleteFunction), not only
       functions created by the tests. #}
    {# NOTE(review): UpdateEventSourceMapping is the only event-source-mapping action placed in this
       function-ARN statement; its siblings (Create/Get/ListEventSourceMappings) are granted on "*"
       above. Confirm against the linked reference that this action accepts a function-ARN resource;
       if it does not, requests for it are denied as written. #}
    {
      "Sid": "AllowLambdaManagementWithResource",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateAlias",
        "lambda:CreateFunction",
        "lambda:DeleteAlias",
        "lambda:DeleteFunction",
        "lambda:GetAlias",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetPolicy",
        "lambda:InvokeFunction",
        "lambda:ListAliases",
        "lambda:ListVersionsByFunction",
        "lambda:PublishVersion",
        "lambda:RemovePermission",
        "lambda:UpdateAlias",
        "lambda:UpdateEventSourceMapping",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
    },
    {# iam:PassRole is restricted to the single execution role the tests attach to functions.
       Keeping this a specific role ARN (never "*") is what prevents the test user from handing
       a more privileged role to a Lambda function it controls. #}
    {
      "Sid": "AllowLambdaRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
      ]
    }
  ]
}