IAM Policy to Invoke a Lambda Function
Create an IAM policy that allows invoking one specific Lambda function and nothing else: the minimal permission set for services or users that only need to call the function.
Detailed Explanation
Lambda Invoke-Only Policy
When a service (like API Gateway, another Lambda, or an application) needs to call a Lambda function but should not be able to view its code, configuration, or modify it in any way, a minimal invoke-only policy is the right approach.
Policy JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowLambdaInvoke",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
    }
  ]
}
Resource Scoping
- Specific function: arn:aws:lambda:us-east-1:123456789012:function:my-function limits the grant to one function. This unqualified ARN matches only invocations of the unqualified function; an invocation that names a version or alias (my-function:3, my-function:prod) targets a different resource and is not matched.
- All versions and aliases: add :* at the end, arn:aws:lambda:us-east-1:123456789012:function:my-function:*. To allow both unqualified and qualified invocations, list both the bare ARN and the :* ARN in Resource.
- All functions in an account: arn:aws:lambda:us-east-1:123456789012:function:* is broader but sometimes necessary.
- Cross-region: specify the region in the ARN, or put * in the region field to cover all regions.
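As an added example (not code from the original page), the following Python builds the invoke-only policy from a region, account and function name and then checks candidate ARNs against the statement's Resource patterns using IAM's string-matching rules ('*' matches any run of characters, '?' exactly one, everything else literal). It shows that the unqualified ARN does not match an alias or version invocation, that my-function:* is not a prefix match for my-function-2, and that a * in the region field makes the grant cross-region. The account ID, region and function name are placeholders, and the matcher is a deliberate simplification of IAM evaluation that ignores Deny statements, Condition blocks and the function's resource-based policy.

```python
import json
import re

# Constructed example identifiers (assumptions for this demo, not a real account).
ACCOUNT = "123456789012"
REGION = "us-east-1"
FUNCTION = "my-function"


def function_arn(region, account, name, qualifier=None):
    """Build a Lambda function ARN, optionally qualified by a version or alias."""
    arn = f"arn:aws:lambda:{region}:{account}:function:{name}"
    return f"{arn}:{qualifier}" if qualifier else arn


def invoke_only_policy(region, account, name, include_qualifiers=True):
    """Return the invoke-only identity policy for one function.

    IAM treats the unqualified ARN and qualified ARNs (alias or version) as
    different resources, so a caller that invokes my-function:prod needs the
    ':*' pattern in addition to the bare function ARN.
    """
    resources = [function_arn(region, account, name)]
    if include_qualifiers:
        resources.append(function_arn(region, account, name, "*"))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowLambdaInvoke",
                "Effect": "Allow",
                "Action": ["lambda:InvokeFunction"],
                "Resource": resources,
            }
        ],
    }


def _pattern_to_regex(pattern):
    """IAM string matching for Action/Resource values: '*' matches any run of
    characters, '?' matches exactly one, everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def policy_allows_invoke(policy, target_arn):
    """Simplified check: does some Allow statement grant lambda:InvokeFunction
    on target_arn? Action names compare case-insensitively, resource ARNs
    case-sensitively. Deny statements, Condition blocks and the function's
    resource-based policy are deliberately out of scope here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_pattern_to_regex(a).match("lambda:invokefunction") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if any(_pattern_to_regex(r).match(target_arn) for r in resources):
            return True
    return False


if __name__ == "__main__":
    bare = invoke_only_policy(REGION, ACCOUNT, FUNCTION, include_qualifiers=False)
    full = invoke_only_policy(REGION, ACCOUNT, FUNCTION)
    print(json.dumps(full, indent=2))
    for target in (
        function_arn(REGION, ACCOUNT, FUNCTION),           # unqualified invoke
        function_arn(REGION, ACCOUNT, FUNCTION, "prod"),   # alias invoke
        function_arn(REGION, ACCOUNT, FUNCTION + "-2"),    # similarly named function
    ):
        print(f"{target}\n  bare ARN only: {policy_allows_invoke(bare, target)}"
              f"  with :* added: {policy_allows_invoke(full, target)}")
```

Run it as a script to print the generated policy and the match results; the point to take away is that a policy containing only the bare function ARN silently fails for callers that invoke through an alias, which is exactly the pattern API Gateway stage variables and Step Functions tasks commonly use.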
What InvokeFunction Covers
The lambda:InvokeFunction action covers synchronous (RequestResponse) and asynchronous (Event) invocations, and also DryRun invocations, which validate the request parameters and the caller's permission without running the function. It does not cover calls to a function URL with AWS_IAM authorization; those additionally require lambda:InvokeFunctionUrl, so a caller that uses the URL needs that action as well.
Separate from Execution Role
This policy attaches to the caller (the IAM user or role that invokes the function). The Lambda function's own permissions, meaning which AWS services it can reach while it runs, are defined in its execution role, a separate IAM role, and granting invoke rights to a caller does not widen them. When the caller is in another account, or is an AWS service that invokes the function directly rather than through a role you control (API Gateway and EventBridge are common cases), the permission is granted in the function's resource-based policy (lambda:AddPermission) instead of in an identity policy.
Use Case
API Gateway backends, event-driven microservices, Step Functions workflows, or application servers that need to trigger a Lambda function without being able to read or modify its code or configuration.