Closed johnny2lu closed 4 years ago
We cannot use the same role as the real Lambda because the AssumeRolePolicyDocument only allows the Lambda service to assume it.
Instead the credentials passed to the local Lambda are resolved from the profile specified in the AWS Connection tab of the run configuration.
If you wanted to test as real as possible, you could make a copy of the Lambda role but with a different assume role policy document and use two profiles in your AWS shared credentials files to assume it:
config file:

```ini
[default]
aws_access_key_id=..
aws_secret_access_key=..

[profile lambdaTest]
source_profile=default
role_arn = arn:aws:iam::123456789012:role/emulatedLambdaRole
```

and then set profile:lambdaTest as the configured profile in the run configuration.
See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
Hope this helps clarify it.
Thanks for the clarification.
My initial process was to have a dedicated lambda execution role with the sts:AssumeRole permission and specify that during runtime, but it looks like I also need to grant that permission to the default profile in order to assume the secondary role.
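The two policy documents this exchange turns on, as an added example that is not code from the thread or from the toolkit: the trust policy of a Lambda execution role, the rewritten trust policy for the copied role, and an identity policy giving the source profile `sts:AssumeRole` on that one role only. The developer ARN and the `trusts` check are assumptions; the check is a simplified model that ignores `Condition`, `Deny` and wildcards.

```python
import copy
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/emulatedLambdaRole"  # from the thread
DEV_ARN = "arn:aws:iam::123456789012:user/dev"  # constructed placeholder principal

# Constructed sample: the trust policy a real Lambda execution role carries.
LAMBDA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusts(trust_policy, kind, principal):
    """Simplified model: does an Allow statement name this principal for
    sts:AssumeRole? Ignores Condition, Deny and wildcard principals."""
    for stmt in _as_list(trust_policy["Statement"]):
        named = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(named, dict):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if principal in _as_list(named.get(kind, [])):
            return True
    return False

def emulated_trust(lambda_trust, developer_arn):
    """Trust policy for the copied role: same shape, developer as principal."""
    policy = copy.deepcopy(lambda_trust)
    for stmt in policy["Statement"]:
        stmt["Principal"] = {"AWS": developer_arn}
    return policy

def source_profile_policy(role_arn):
    """Identity policy for the source profile (the permission the reply
    mentions), scoped to the single emulated role rather than '*'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}

if __name__ == "__main__":
    print("local profile trusted by Lambda role:", trusts(LAMBDA_TRUST, "AWS", DEV_ARN))
    print(json.dumps(emulated_trust(LAMBDA_TRUST, DEV_ARN), indent=2))
    print(json.dumps(source_profile_policy(ROLE_ARN), indent=2))
```

The permissions policies attached to the copied role stay identical to the real one, so the local run is denied the same calls the deployed function would be.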
Question
I am trying to specify a Lambda execution role as described here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html for running a local lambda function. Does the toolkit currently support this feature?
I don't see the option to do so other than explicitly specifying Role: arn:aws:iam::xxxxxxxxxxxxx:role/user under Properties in the template.yaml file.