In this article, I am going to cover how to secure the AWS lambda function URL using AWS_IAM auth followed by how authenticated IAM users can access the lambda function via function URL.
If you are not aware of what the AWS Lambda function URL is then please refer to my video on How to configure the AWS Lambda function URL.
What does AWS_IAM Authentication type mean when enabled for AWS Lambda function URL?
It means that only authenticated IAM users or roles can invoke the Lambda function via the function URL. A caller that is not authenticated, or that lacks the necessary permission, cannot invoke the function via the URL and receives a 403 Forbidden response instead.
Login to the AWS Management Console to get started.
Navigate to Lambda Management Console and create the lambda function with the configuration as shown below.
Under Execution role, the first option creates a role with basic permissions that allow the Lambda function to create and write logs to CloudWatch.
Expand Advanced settings to enable the function URL with AWS_IAM as the auth type, as shown in the screenshot below, and click Create function. You can also enable the function URL after creating the function.
The next step would be to create an IAM user. I am creating the new IAM user just to demonstrate things end-to-end but you can also experiment with an existing IAM user.
Navigate to the IAM Management Console → click Users in the left panel → Create user. Follow the on-screen steps and do not add or attach any permissions to this IAM user.
To access the Lambda function via the function URL while the AWS_IAM authentication type is enabled, we need AWS security credentials, so let's generate an access key and secret access key for this IAM user.
Open the IAM user → Security credentials → Scroll down to Access keys → Create access key. As the next step, let’s try to invoke the lambda function via the function URL using the generated security credentials with Postman.
Open Postman → paste the Lambda function URL. Under Authorization → select AWS Signature → fill in the Access Key and Secret Key with the IAM user credentials generated in the previous step. Under Advanced configuration, enter the appropriate region (in my case us-east-1) and set the service name to lambda, because we are invoking the Lambda service. Finally, click Send. The response is 403 Forbidden, because the IAM user does not yet have permission to invoke this Lambda function via its function URL.
The next step is to grant that permission. There are two ways to do it, via an identity-based policy or a resource-based policy, and I will show both. The basic difference is that identity-based policies are attached to IAM users, groups, or roles (here we will attach one to the IAM user we created), whereas resource-based policies are attached to the resource itself and define who can access it (here the resource is the Lambda function, and the policy defines who may invoke it via the function URL).
Either way, to invoke the function via its URL, the calling identity must have the lambda:InvokeFunctionUrl permission on that function.
Permission via Identity-based policy
Navigate to the IAM Management Console → Policies (left panel) → Create policy → select the JSON view. Paste the policy, replacing the Resource ARN with the ARN of your Lambda function, and create it. Once the policy is created, attach it to the IAM user.
The policy allows the InvokeFunctionUrl action on the Lambda function named in Resource for whichever IAM user or identity the policy is attached to.
Next, open Postman and invoke the function URL again. This time it returns status code 200 with "Hello from Lambda!" as the response.
Permission via Resource-based policy
In this section we configure a resource-based policy, which is attached to the resource itself (the Lambda function). As a first step, remove the policy you attached to the IAM user.
Open the Lambda function → Configuration → Permissions → scroll down to Resource-based policy statements → Add permissions. Configure the policy as shown below.
Replace the Principal with the IAM user's ARN → Save, and test again. You should now be able to invoke the Lambda function via the function URL.
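The two policy documents described in the identity-based and resource-based sections above, written out as an added example (this is not the article's own screenshot content). The account id, function name and user name are constructed placeholders; the lambda:FunctionUrlAuthType condition is the one the Lambda console adds when it creates a function-URL permission. The evaluate() helper is a deliberately small model of IAM's decision for this one action (an explicit Deny wins, otherwise an Allow from either policy grants access) and is not the full IAM engine:

```python
"""Policy documents for lambda:InvokeFunctionUrl and a minimal check of what they grant.

Added example, not the article's own code. ACCOUNT_ID, FUNCTION_ARN and USER_ARN are
constructed placeholders; replace them with your own values before pasting a policy.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                                                            # placeholder
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT_ID}:function:hello-function-url"   # placeholder
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/function-url-demo-user"                   # placeholder

# Identity-based policy: attached to the IAM user, names only the function it may call.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": FUNCTION_ARN,
    }],
}

# Resource-based policy: attached to the function, names who may call it and only via AWS_IAM auth.
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDemoUserViaFunctionUrl",
        "Effect": "Allow",
        "Principal": {"AWS": USER_ARN},
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, principal_arn, action, resource, auth_type, is_resource_policy):
    """True if this statement applies to the principal, action, resource and auth type."""
    if is_resource_policy:
        principals = stmt.get("Principal", {})
        allowed = ["*"] if principals == "*" else _as_list(principals.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in allowed):
            return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    expected = stmt.get("Condition", {}).get("StringEquals", {}).get("lambda:FunctionUrlAuthType")
    return expected is None or expected == auth_type


def evaluate(identity_policy, resource_policy, principal_arn, function_arn,
             action="lambda:InvokeFunctionUrl", auth_type="AWS_IAM"):
    """Simplified IAM decision: explicit Deny wins; otherwise any matching Allow grants."""
    decisions = []
    for policy, is_resource in ((identity_policy, False), (resource_policy, True)):
        for stmt in (policy or {}).get("Statement", []):
            if _statement_matches(stmt, principal_arn, action, function_arn, auth_type, is_resource):
                decisions.append(stmt["Effect"])
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


if __name__ == "__main__":
    print("Identity-based policy:\n" + json.dumps(IDENTITY_POLICY, indent=2))
    print("Resource-based policy:\n" + json.dumps(RESOURCE_POLICY, indent=2))
    print("user with no policy ->", evaluate(None, None, USER_ARN, FUNCTION_ARN))          # 403 case
    print("identity policy      ->", evaluate(IDENTITY_POLICY, None, USER_ARN, FUNCTION_ARN))
    print("resource policy      ->", evaluate(None, RESOURCE_POLICY, USER_ARN, FUNCTION_ARN))
```

Both documents scope the grant to a single function ARN and a single action, which is the least-privilege shape to keep; widening Resource to "*" would let the same identity invoke every function URL in the account. The lambda:FunctionUrlAuthType condition on the resource policy also means the statement stops applying if someone later switches the URL's auth type to NONE, which is worth checking when you audit these policies.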
Generating & using temporary security credentials
We were able to invoke the Lambda function via the function URL using the IAM user's long-lived security credentials (the access key and secret key). Those keys can be exposed and misused, which is a risk, so the better approach is to use temporary credentials that expire after a set time. For that we use AWS Security Token Service (AWS STS), and generating them is simple. Follow the steps below (assuming the AWS CLI is already installed).
- Open a terminal and run aws configure, then enter the access key, secret access key and region.
- To generate temporary credentials, run the command below.
aws sts get-session-token --duration-seconds 900
The command returns temporary credentials (an access key, secret key and session token) that are valid for 900 seconds.
Next, open Postman. Replace the Access Key and Secret Key with the new values, and paste the session token into the Session Token field under Advanced configuration.
If you invoke the URL now, the Lambda function responds with status code 200. After 15 minutes these credentials are no longer valid and must be regenerated.
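What Postman's AWS Signature option does for the request in the Postman step, and what changes when the temporary STS credentials from this section are used, as an added example (not code from the original article): a Signature Version 4 signer for a function URL request built only from the Python standard library, so it runs offline. Region and service ("lambda") are the Advanced configuration values from the article; when a session token is supplied it is sent and signed in the x-amz-security-token header, which is why a temporary key pair fails without it. The function URL, access key, secret key and token below are constructed placeholders:

```python
"""Sign a Lambda function URL request with AWS Signature Version 4 (SigV4).

Added example, not the article's own code. EXAMPLE_URL, EXAMPLE_ACCESS_KEY,
EXAMPLE_SECRET_KEY and the token passed in __main__ are constructed placeholders.
"""
import datetime
import hashlib
import hmac
from urllib.parse import urlparse

EXAMPLE_URL = "https://abc123example.lambda-url.us-east-1.on.aws/"  # placeholder, not a real URL
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                          # placeholder
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"      # placeholder
# Fixed clock so the example is reproducible; real requests must use the current UTC time.
EXAMPLE_TIME = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive kSigning: chained HMACs over the date, region, service and "aws4_request"."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_function_url_request(url, access_key, secret_key, region, service="lambda",
                              method="GET", body=b"", session_token=None, now=None):
    """Return the request headers to send, including the SigV4 Authorization header."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parsed = urlparse(url)
    path = parsed.path or "/"
    payload_hash = hashlib.sha256(body).hexdigest()

    # Headers that take part in the signature; names are lower-case and sorted.
    headers = {
        "host": parsed.netloc,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:
        # Temporary credentials are only accepted when the session token is sent and signed.
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n]}\n" for n in names)
    signed_headers = ";".join(names)
    # parsed.query is assumed to be already canonically encoded (it is empty for the URL root).
    canonical_request = "\n".join(
        [method, path, parsed.query, canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def example_headers(session_token=None):
    """Headers for the placeholder URL, signed with the placeholder keys at EXAMPLE_TIME."""
    return sign_function_url_request(EXAMPLE_URL, EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY,
                                     "us-east-1", session_token=session_token, now=EXAMPLE_TIME)


if __name__ == "__main__":
    # Placeholder token standing in for the SessionToken returned by aws sts get-session-token.
    for name, value in example_headers(session_token="FwoGZXIvYXdzEXAMPLETOKEN").items():
        print(f"{name}: {value}")
```

Two things this makes visible that the Postman form hides: the signature binds the request to a region, the service name lambda and the day's date (the Credential scope), so a wrong region or service name is rejected just like a wrong key; and x-amz-date is part of the signature, so a signed request is only accepted within a short clock window, which limits how long a captured request remains replayable.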
I hope you learned something new today. If you would like to follow along with me step by step, you can refer to this video.
Thank you for reading!