This is a quick 'remind me' post. To create a role, use the following command:
aws iam create-role --role-name Test-Role --assume-role-policy-document file://role.json
Below, role.json is the trust relationship document that tells AWS which principal may assume the newly created role; here it is the AWS Lambda service.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
To make the role usable we need to attach policies to it; in this case I attach an inline policy:
aws iam put-role-policy --role-name Test-Role --policy-name ExamplePolicy --policy-document file://policy.json
In policy.json we describe which actions are allowed for our new role. In this case our Lambda can interact with DynamoDB (including DynamoDB Streams) and CloudWatch Logs.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:ListStreams",
                "dynamodb:PutItem",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
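As an added example (not from the original post), here is a small Python pre-flight check for the two documents above, run before they are handed to create-role and put-role-policy. It confirms that the trust policy lets only the lambda.amazonaws.com service principal call sts:AssumeRole, and it lists the Allow actions that can change state yet are granted on Resource "*", which is the part of policy.json worth tightening before the role is reused. The SCOPED_POLICY document and the REGION, ACCOUNT_ID, TABLE_NAME and FUNCTION_NAME segments in its ARNs are placeholders constructed for this example, not resources from the post.

```python
"""Pre-flight checks for IAM trust and permissions documents.

Added example, not code from the original post. Uses only the standard
library; the policy documents below are constructed copies of the post's
role.json and policy.json plus a scoped variant with placeholder ARNs.
"""
import json

# Constructed copy of the post's trust policy (role.json).
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed copy of the post's permissions policy (policy.json).
PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "dynamodb:DescribeStream", "dynamodb:GetRecords",
            "dynamodb:GetShardIterator", "dynamodb:ListStreams",
            "dynamodb:PutItem", "logs:CreateLogGroup",
            "logs:CreateLogStream", "logs:PutLogEvents",
        ],
        "Resource": "*",
    }],
})

# Same permissions, each scoped to one resource. REGION, ACCOUNT_ID,
# TABLE_NAME and FUNCTION_NAME are placeholders, not real resources.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME"},
        {"Effect": "Allow",
         "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                    "dynamodb:GetShardIterator", "dynamodb:ListStreams"],
         "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME/stream/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/FUNCTION_NAME:*"},
    ],
})

# Heuristic: action verbs with these prefixes only read state.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_principals(document):
    """Return the set of principals allowed to call sts:AssumeRole.

    The expected result for a Lambda execution role is exactly
    {"lambda.amazonaws.com"}; anything extra widens who can assume the role.
    """
    principals = set()
    for stmt in json.loads(document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):      # e.g. "Principal": "*"
            principals.add(str(principal))
            continue
        for kind, who in principal.items():
            for p in _as_list(who):
                principals.add(p if kind == "Service" else f"{kind}:{p}")
    return principals


def wildcard_write_actions(document):
    """List Allow actions that can change state but apply to Resource "*"."""
    findings = []
    for stmt in json.loads(document).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings


if __name__ == "__main__":
    print("trust principals:", sorted(trust_policy_principals(TRUST_POLICY)))
    print("wildcard writes, post's policy:", wildcard_write_actions(PERMISSIONS_POLICY))
    print("wildcard writes, scoped policy:", wildcard_write_actions(SCOPED_POLICY))
```

Run it on the post's documents and the trust check passes, while the permissions check reports dynamodb:PutItem and the three logs actions as state-changing permissions granted on every resource; the scoped variant reports none. The read-only prefix list is deliberately small, so treat its output as a review prompt rather than a verdict.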
To delete a role, we first need to remove all policies attached to it. We can list the inline policies attached to the role using:
aws iam list-role-policies --role-name Test-Role
To remove the policy:
aws iam delete-role-policy --role-name Test-Role --policy-name ExamplePolicy
Finally, to delete the role:
aws iam delete-role --role-name Test-Role