Closed flux627 closed 7 years ago
Hi @flux627 thanks for the PR! Are you sure you can use user accounts as the principal in lambda resource policies? I can't find any examples, but haven't tried it. Have you verified that it works?
Yes, I am currently using this in a project. It was the only way I could grant cross-account Invoke access to a Lambda function without having the root credentials to the opposing account (in this case my client's AWS account). I only have access to an IAM user, and this plugin wasn't working by just adding the IAM user's parent account number.
I found this,
http://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html
which is specifically for S3, but it says,
The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource.
and through my tests, it seems this is the case for all Principal elements, no matter the resource type.
This gives the ability to grant access to full ARNs in addition to account numbers. You just put the ARN where you would put the account number:
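The account-number-versus-ARN distinction in practice, as an added example that is not code from this PR or the plugin: it builds the Lambda resource-policy statement for a cross-account invoke grant, converting a bare account number into the account root ARN (the form Lambda records when you pass an account id to `add-permission`) while passing an IAM user or role ARN through unchanged. The function ARN, account ids and user name are constructed sample values.

```python
import json
import re

# Constructed sample values for this example (not from the PR).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:my-function"

ACCOUNT_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(
    r"^arn:aws:iam::\d{12}:(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)


def normalize_principal(principal):
    """Turn the value a user typed into the Principal Lambda will store.

    A bare 12-digit account number becomes that account's root ARN, which
    is what Lambda records for `add-permission --principal 123456789012`.
    An IAM user or role ARN is kept as-is. Anything else, including the
    wildcard '*', is rejected so a typo cannot open the function to everyone.
    """
    if ACCOUNT_RE.match(principal):
        return "arn:aws:iam::%s:root" % principal
    if IAM_ARN_RE.match(principal):
        return principal
    raise ValueError("unsupported principal: %r" % principal)


def build_invoke_statement(function_arn, principal, sid):
    """One resource-policy statement granting only lambda:InvokeFunction."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": normalize_principal(principal)},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
    }


def build_policy(function_arn, grants):
    """grants: list of (sid, principal) pairs -> resource policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [build_invoke_statement(function_arn, p, sid) for sid, p in grants],
    }


if __name__ == "__main__":
    policy = build_policy(FUNCTION_ARN, [
        ("whole-client-account", "222222222222"),
        ("one-client-user", "arn:aws:iam::222222222222:user/deployer"),
    ])
    print(json.dumps(policy, indent=2))
```

The second grant shows the narrower form discussed above: only the named IAM user in the other account can invoke the function, rather than anything the other account's root delegates to.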