Understanding Lambda permissions
Lambda functions have two types of permissions:
Execution role → The role the Lambda assumes when running, giving it permissions to access AWS resources.
Resource-based policy → Grants permission to other AWS services or accounts to invoke the function.
Here, EventBridge is another AWS service invoking Lambda, so we need a resource-based policy, not an execution role.
Example AWS CLI Command
```bash
aws lambda add-permission \
  --function-name MyLambdaFunction \
  --statement-id EventBridgeInvoke \
  --action lambda:InvokeFunction \
  --principal events.amazonaws.com \
  --source-arn arn:aws:events:us-east-1:123456789012:rule/MyEventBridgeRule
```
Explanation of Parameters
| Parameter | Description |
|---|---|
| `--function-name` | Your Lambda function name |
| `--statement-id` | A unique identifier for this permission statement (it becomes the `Sid` in the resulting policy) |
| `--action` | The permission action (`lambda:InvokeFunction`) |
| `--principal` | The AWS service that will invoke the function (`events.amazonaws.com`) |
| `--source-arn` | The Amazon Resource Name (ARN) of the EventBridge rule. This scopes the grant to that one rule; without it, any EventBridge rule in any AWS account could invoke the function |
Example Policy JSON
If you want to see what AWS actually applies internally, it will look like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EventBridgeInvoke",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyLambdaFunction",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:123456789012:rule/MyEventBridgeRule"
        }
      }
    }
  ]
}
```
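As an added check that is not part of the original post, the following Python audits a Lambda resource policy in the shape `aws lambda get-policy` returns it (the document is a JSON string under `"Policy"`) and reports Allow statements that let a service principal invoke the function without an `AWS:SourceArn` or `AWS:SourceAccount` condition. The sample response is constructed: the scoped statement from this page plus one unscoped statement.

```python
import json

SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}
INVOKE_ACTIONS = {"lambda:InvokeFunction", "lambda:*", "*"}

def unscoped_service_statements(get_policy_response):
    """Return the Sids of Allow statements that let an AWS service principal
    invoke the function with no AWS:SourceArn / AWS:SourceAccount condition.
    Input is shaped like `aws lambda get-policy` output (policy is a JSON string)."""
    policy = json.loads(get_policy_response["Policy"])
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") != "Allow"
                or not INVOKE_ACTIONS & set(actions)
                or not isinstance(principal, dict)
                or "Service" not in principal):
            continue  # Deny statements and account/role principals are out of scope here
        # Gather condition keys across every operator (ArnLike, StringEquals, ...).
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SOURCE_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample shaped like a get-policy response. The first statement is
# the scoped one from this page; the second grants the same invoke permission
# to events.amazonaws.com with no source condition at all.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:MyLambdaFunction"
RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/MyEventBridgeRule"
SAMPLE_RESPONSE = {
    "RevisionId": "00000000-0000-0000-0000-000000000000",  # placeholder value
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EventBridgeInvoke", "Effect": "Allow",
             "Principal": {"Service": "events.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"ArnLike": {"AWS:SourceArn": RULE_ARN}}},
            {"Sid": "UnscopedInvoke", "Effect": "Allow",
             "Principal": {"Service": "events.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        ],
    }),
}

if __name__ == "__main__":
    print(unscoped_service_statements(SAMPLE_RESPONSE))  # ['UnscopedInvoke']
```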
EventBridge rule
```bash
aws events put-rule \
  --name MyEventBridgeRule \
  --event-pattern '{
    "source": ["my.custom.source"],
    "detail-type": ["MyDetailType"]
  }' \
  --state ENABLED
```