
Permission

The Permission resource allows you to manage AWS Lambda Permissions that control which services or accounts can invoke your Lambda functions.

Create a basic permission for a Lambda function to allow invocation from an AWS service (e.g., API Gateway):

```ts
import AWS from "alchemy/aws/control";

const lambdaPermission = await AWS.Lambda.Permission("apiGatewayInvokePermission", {
  FunctionName: "myLambdaFunction",
  Action: "lambda:InvokeFunction",
  Principal: "apigateway.amazonaws.com",
  SourceArn: "arn:aws:execute-api:us-east-1:123456789012:myApiId/*"
});
```

Configure a permission with an event source token that the invoker must supply:

```ts
import AWS from "alchemy/aws/control";

const secureLambdaPermission = await AWS.Lambda.Permission("secureInvokePermission", {
  FunctionName: "mySecureLambdaFunction",
  Action: "lambda:InvokeFunction",
  Principal: "events.amazonaws.com",
  SourceArn: "arn:aws:events:us-east-1:123456789012:rule/myEventRule",
  // AWS documents EventSourceToken for Alexa Smart Home functions:
  // a token that the invoker must supply.
  EventSourceToken: "myEventSourceToken"
});
```

Create a permission that allows a specific AWS account to invoke the Lambda function:

```ts
import AWS from "alchemy/aws/control";

const accountInvokePermission = await AWS.Lambda.Permission("accountInvokePermission", {
  FunctionName: "myAccountLambdaFunction",
  Action: "lambda:InvokeFunction",
  Principal: "123456789012", // The AWS Account ID
  SourceAccount: "123456789012"
});
```

Set up a permission for a Lambda function URL with a specific authentication type:

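```ts
import AWS from "alchemy/aws/control";

const functionUrlPermission = await AWS.Lambda.Permission("functionUrlPermission", {
  FunctionName: "myFunctionUrlLambda",
  // Function URL grants use the lambda:InvokeFunctionUrl action.
  Action: "lambda:InvokeFunctionUrl",
  // "*" with AWS_IAM: callers must still sign requests with IAM credentials.
  Principal: "*",
  FunctionUrlAuthType: "AWS_IAM"
});
```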
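The properties above decide how widely a function can be invoked, so it helps to lint them before deploying. The following is an added example, not part of Alchemy or AWS tooling: `auditPermission`, its finding codes and the sample inputs are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical audit helper, not part of Alchemy or AWS tooling.
interface PermissionProps {
  FunctionName: string;
  Action: string;
  Principal: string;
  SourceArn?: string;
  SourceAccount?: string;
  PrincipalOrgID?: string;
  FunctionUrlAuthType?: string;
}

// Returns finding codes for grants broader than the page's scoped examples.
function auditPermission(p: PermissionProps): string[] {
  const findings: string[] = [];
  const isService = /\.(amazonaws|amazon)\.com$/.test(p.Principal);

  // A service principal with no source condition lets any customer's
  // resource in that service trigger the function (confused deputy).
  if (isService && !p.SourceArn && !p.SourceAccount) {
    findings.push("service-principal-unscoped");
  }
  // S3 bucket ARNs carry no account ID, so SourceArn alone does not pin the owner.
  if (p.Principal === "s3.amazonaws.com" && p.SourceArn && !p.SourceAccount) {
    findings.push("s3-missing-source-account");
  }
  if (p.Principal === "*" && !p.PrincipalOrgID) {
    findings.push(p.FunctionUrlAuthType === "NONE"
      ? "public-unauthenticated-url"
      : "wildcard-principal");
  }
  if (p.FunctionUrlAuthType && p.Action !== "lambda:InvokeFunctionUrl") {
    findings.push("auth-type-without-invoke-function-url");
  }
  return findings;
}

// Constructed inputs mirroring the property shapes used on this page.
const samples: PermissionProps[] = [
  { FunctionName: "myLambdaFunction", Action: "lambda:InvokeFunction",
    Principal: "apigateway.amazonaws.com",
    SourceArn: "arn:aws:execute-api:us-east-1:123456789012:myApiId/*" },
  { FunctionName: "myLambdaFunction", Action: "lambda:InvokeFunction",
    Principal: "s3.amazonaws.com", SourceArn: "arn:aws:s3:::my-bucket" },
  { FunctionName: "myFunctionUrlLambda", Action: "lambda:InvokeFunctionUrl",
    Principal: "*", FunctionUrlAuthType: "NONE" },
];

for (const s of samples) console.log(s.Principal, auditPermission(s));
```

An empty result means none of these four checks fired; it does not prove the grant is least-privilege.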