AWS is not awesome because of Lambda, S3, DynamoDB, IAM and other services.
It's awesome because you get to combine them together in order to solve your problems.
In this lesson we're going to learn how to use IAM roles and policies effectively in order to allow an AWS Lambda function to list all S3 buckets using the aws-sdk listBuckets method.
We're also going to learn what the principle of least privilege means in AWS.
Tomasz Łakomy: [0:00] We're going to start by creating a new function, which I'm going to call ListAllMyBuckets. I'm going to leave everything as default and click on Create function. Now, our function is created.
[0:11] We would like this function to be able to list all my S3 buckets to the CloudWatchLogs. In order to do that, we are going to use the Amazon SDK.
[0:19] First, import the Amazon SDK. I'm going to do require aws-sdk. Afterwards, we're going to create a new instance of the S3 class. I'm going to do const s3 = new AWS.S3 like this.
[0:33] Next, we're going to create a variable called myBuckets and I would like this variable to be a result of s3.listBuckets. listBuckets by default takes a callback. Since this is an async function, what I can do instead is to do await and return a promise from this function.
[0:53] Let me go ahead and console.log the result of myBuckets. Let me fix this typo, it's aws-sdk. Let me save this function. I have already created a test event. I'm going to click Test in order to test this function. We're going to see that we have an AccessDenied error, and this is by design.
[1:12] The reason it happens is that AWS operates in a principle of least privilege model. What that means is that every single resource we create in AWS has the minimal amount of permissions in order to get the job done.
[1:25] If we take a look, we're going to see that our function is actually assuming a role. Roles are defined in the Identity and Access Management Console in AWS, and currently, we are assuming an existing role, the ListAllMyBuckets role.
[1:39] Let's take a look inside of the console to see what our function is able to do. Here, we can see the summary of this role. We can see that this is an AWSLambdaBasicExecutionRole.
[1:50] If I expand this, basically, we're going to see that this function is allowed to write to CloudWatchLogs and nothing else. I am not able to list my S3 buckets, because I don't have the permission to do that inside of this function.
[2:03] In order to fix that, we need to attach a new policy to this role. In order to do that, click on Attach policies, and afterwards, search for S3. I'm going to select the S3ReadOnlyAccess because I would like to be able to list the S3 buckets, and not modify them.
[2:16] I'm going to click Attach policy. Now, we can see that we have the BasicExecutionRole from Lambda, but we also get the AmazonS3ReadOnlyAccess for this function. We have this new policy attached.
[2:27] Let's go back to Lambda and click on Test in order to run this function again. Now, our Lambda function works as intended. If I scroll down, I will be able to see the list of all my S3 buckets in this account and in this region.
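The handler above only ever calls listBuckets, so the policy that satisfies least privilege is one that allows the single action s3:ListAllMyBuckets rather than the whole managed AmazonS3ReadOnlyAccess policy. The following is an added example, not code from the lesson: a simplified IAM-style evaluator (action matching with wildcards and explicit-Deny precedence; Resource and Condition are ignored) that compares the two policies, where the broad policy's contents are an assumption approximating the managed one.

```javascript
// Added example: compare a broad read-only policy with a least-privilege one
// using a deliberately simplified model of IAM policy evaluation.

// Turn an IAM action pattern such as "s3:List*" into a case-insensitive RegExp.
function actionMatches(pattern, action) {
  const escaped = pattern
    .split('*')
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$', 'i').test(action);
}

// Simplified evaluation: a matching explicit Deny wins, then any matching
// Allow grants access, otherwise the action is implicitly denied.
function isAllowed(policy, action) {
  const toList = (v) => (Array.isArray(v) ? v : [v]);
  let allowed = false;
  for (const stmt of policy.Statement) {
    if (!toList(stmt.Action).some((p) => actionMatches(p, action))) continue;
    if (stmt.Effect === 'Deny') return false;
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Assumption: approximation of AmazonS3ReadOnlyAccess (s3:Get* and s3:List*
// on every resource). Check the real managed policy in the IAM console.
const broadReadOnly = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:Get*', 's3:List*'], Resource: '*' }],
};

// Least-privilege policy for this function: listBuckets maps to the single
// action s3:ListAllMyBuckets, which is account-wide, so Resource must be "*".
const listBucketsOnly = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 's3:ListAllMyBuckets', Resource: '*' }],
};

// Report which of a few representative actions a policy grants.
function permissionsReport(policy) {
  const actions = ['s3:ListAllMyBuckets', 's3:ListBucket', 's3:GetObject', 's3:PutObject'];
  return Object.fromEntries(actions.map((a) => [a, isAllowed(policy, a)]));
}

console.log('broad:', permissionsReport(broadReadOnly));
console.log('least privilege:', permissionsReport(listBucketsOnly));
```

The broad policy also grants reading every object in every bucket, which the function never needs; the narrow policy is the one to attach as an inline policy on the role instead.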
Sshhhh! Don’t tell anyone about that!
Nice hl3 source code bucket! lol