aws / aws-toolkit-jetbrains

AWS Toolkit for JetBrains - a plugin for interacting with AWS from JetBrains IDEs
https://plugins.jetbrains.com/plugin/11349-aws-toolkit
Apache License 2.0
753 stars 219 forks

Specify lambda execution role #1946

Closed johnny2lu closed 4 years ago

johnny2lu commented 4 years ago

Your Environment

Question

I am trying to specify a Lambda execution role as described here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html for running a local Lambda function. Does the toolkit currently support this feature?

I don't see the option to do so other than explicitly specifying Role: arn:aws:iam::xxxxxxxxxxxxx:role/user under Properties in the template.yaml file.

abrooksv commented 4 years ago

We cannot use the same role as the real Lambda because the AssumeRolePolicyDocument only allows the Lambda service to assume it.

Instead, the credentials passed to the local Lambda are resolved from the profile specified in the AWS Connection tab of the run configuration.

If you wanted to test as realistically as possible, you could make a copy of the Lambda role but with a different assume role policy document and use two profiles in your AWS shared credentials files to assume it:

config file:

[default]
aws_access_key_id=..
aws_secret_access_key=..

[profile lambdaTest]
source_profile=default
role_arn = arn:aws:iam::123456789012:role/emulatedLambdaRole

and then set profile:lambdaTest as the configured profile in the run configuration.

See: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

Hope this helps clarify it.

johnny2lu commented 4 years ago

Thanks for the clarification.

My initial process was to have a dedicated lambda execution role with the sts:AssumeRole permission and specify that during runtime, but it looks like I also need to grant that permission to the default profile in order to assume the secondary role.
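The two policy documents the thread discusses, as an added example that is not part of the original issue or the toolkit's code: it derives the copied role's assume role policy document from a Lambda-style one and builds the `sts:AssumeRole` identity policy for the source profile. The sample trust policy, the account-root principal and the helper names are assumptions; the role ARN is the one from the config above, and the check is a simplified exact-match test, not full IAM evaluation.

```python
import copy
import json

# Constructed sample: trust policy on the role the deployed function uses.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
# Assumptions: account ID reused from the thread's example role ARN.
ACCOUNT_ROOT = "arn:aws:iam::123456789012:root"
EMULATED_ROLE = "arn:aws:iam::123456789012:role/emulatedLambdaRole"

def as_list(value):
    return value if isinstance(value, list) else [value]

def trust_allows(policy, kind, principal):
    """True if an Allow statement for sts:AssumeRole names the principal.
    Simplified check: exact matches only, no Deny, Condition or wildcards."""
    for stmt in as_list(policy["Statement"]):
        principals = stmt.get("Principal", {})
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))
                and isinstance(principals, dict)
                and principal in as_list(principals.get(kind, []))):
            return True
    return False

def emulated_trust(policy, caller_arn):
    """Copy the policy, swapping the Lambda service principal for caller_arn."""
    new = copy.deepcopy(policy)
    for stmt in as_list(new["Statement"]):
        if stmt.get("Principal") == {"Service": "lambda.amazonaws.com"}:
            stmt["Principal"] = {"AWS": caller_arn}
    return new

def caller_policy(role_arn):
    """Identity policy for the source profile's user. Trusting the account
    root delegates the decision to IAM policies in that account, so the
    user still needs sts:AssumeRole on the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

if __name__ == "__main__":
    emu = emulated_trust(LAMBDA_TRUST, ACCOUNT_ROOT)
    print("real role assumable by account principals:",
          trust_allows(LAMBDA_TRUST, "AWS", ACCOUNT_ROOT))
    print(json.dumps(emu, indent=2))
    print(json.dumps(caller_policy(EMULATED_ROLE), indent=2))
```

Keep the permissions policies attached to the copied role identical to the real execution role's, so that local runs fail on the same missing permissions the deployed function would.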