1
00:00:00,005 --> 00:00:01,930
Okay. So let's have a look

2
00:00:01,930 --> 00:00:04,330
at the different permissions for Lambda.

3
00:00:04,330 --> 00:00:07,380
So if you go into the IAM console, remember

4
00:00:07,380 --> 00:00:10,910
that every single Lambda function must have an IAM role.

5
00:00:10,910 --> 00:00:13,070
And so if I go into my roles

6
00:00:13,070 --> 00:00:16,300
and just look for Lambda in here, we can see

7
00:00:16,300 --> 00:00:19,720
we have a lot of Lambda roles right here available to us.

8
00:00:19,720 --> 00:00:21,420
So there is the demo Lambda role,

9
00:00:21,420 --> 00:00:23,670
the Lambda ALB, the Lambda S3,

10
00:00:23,670 --> 00:00:25,430
and we have the SQS and so on.

11
00:00:25,430 --> 00:00:27,880
So if we look at, for example, the demo Lambda role,

12
00:00:27,880 --> 00:00:30,430
which was the first Lambda role created,

13
00:00:30,430 --> 00:00:32,950
there was a Lambda basic execution role attached to this.

14
00:00:32,950 --> 00:00:34,320
So this gets attached pretty much

15
00:00:34,320 --> 00:00:38,170
to every Lambda role that you create through the console.

16
00:00:38,170 --> 00:00:40,630
And if you look at the policy of that role itself,

17
00:00:40,630 --> 00:00:43,540
we can see that it allows you to create log groups

18
00:00:43,540 --> 00:00:46,840
and then send log events into your CloudWatch Logs.

19
00:00:46,840 --> 00:00:48,940
So the idea right here is really to have this Lambda

20
00:00:48,940 --> 00:00:51,677
function being able to send logs into our logs.

21
00:00:51,677 --> 00:00:55,160
And this is why it's called basic execution role.

22
00:00:55,160 --> 00:00:59,730
Okay. The next thing we've seen is around resource policies.

23
00:00:59,730 --> 00:01:02,110
So whenever our Lambda function was invoked

24
00:01:02,110 --> 00:01:05,160
by an asynchronous type of event,

25
00:01:05,160 --> 00:01:08,820
so the ALB, Lambda S3 or EventBridge,

26
00:01:08,820 --> 00:01:12,240
then if we went into the configuration for permissions,

27
00:01:12,240 --> 00:01:14,100
we could find at the very bottom

28
00:01:14,100 --> 00:01:16,830
that the resource-based policy was created,

29
00:01:16,830 --> 00:01:19,150
and each resource-based policy is going to be different.

30
00:01:19,150 --> 00:01:22,100
But this one allows our Elastic Load Balancer to

31
00:01:22,100 --> 00:01:23,670
invoke a Lambda function.

32
00:01:23,670 --> 00:01:26,760
Okay. If we go into Lambda S3, and again

33
00:01:26,760 --> 00:01:28,423
go into the permissions.

34
00:01:29,740 --> 00:01:33,390
This one allows our S3 bucket that is named demos

35
00:01:33,390 --> 00:01:34,551
S3 event Stephane

36
00:01:34,551 --> 00:01:38,540
to invoke another function yet again, and EventBridge,

37
00:01:38,540 --> 00:01:41,690
obviously you'll see the exact same similar thing.

38
00:01:41,690 --> 00:01:44,630
So if we scroll down and go to resource-based policy,

39
00:01:44,630 --> 00:01:46,160
we see that events.amazonaws.com

40
00:01:46,160 --> 00:01:49,750
is allowed to invoke our function

41
00:01:49,750 --> 00:01:52,940
if it is this rule that we have created from before.

42
00:01:52,940 --> 00:01:53,870
So we've seen this

43
00:01:53,870 --> 00:01:55,860
and this is very important for you to understand

44
00:01:55,860 --> 00:01:58,110
that in asynchronous types of invocations,

45
00:01:58,110 --> 00:02:01,980
this is the source that is invoking the Lambda function.

46
00:02:01,980 --> 00:02:04,249
But if you go into Lambda SQS

47
00:02:04,249 --> 00:02:07,299
and have a look at the permissions tab,

48
00:02:07,299 --> 00:02:08,332
this time

49
00:02:08,332 --> 00:02:11,120
there will not be any resource-based policy.

50
00:02:11,120 --> 00:02:13,360
Well, that's because the Lambda function is

51
00:02:13,360 --> 00:02:16,010
the one invoking the SQS queue,

52
00:02:16,010 --> 00:02:19,460
polling messages from it, and then processing them.

53
00:02:19,460 --> 00:02:22,530
And so therefore the execution role of our Lambda

54
00:02:22,530 --> 00:02:25,310
function for SQS is the one that will need to

55
00:02:25,310 --> 00:02:28,410
have the Lambda SQS Queue Execution Role.

56
00:02:28,410 --> 00:02:31,050
And this is allowing you to, let's look at the JSON,

57
00:02:31,050 --> 00:02:34,480
this is going to allow the function to receive messages,

58
00:02:34,480 --> 00:02:36,700
delete messages, get queue attributes

59
00:02:36,700 --> 00:02:40,690
and so on, on our Lambda, on our SQS queue.

60
00:02:40,690 --> 00:02:43,400
Okay? So these are the different kinds of permissions.

61
00:02:43,400 --> 00:02:44,630
And so we've seen how they work.

62
00:02:44,630 --> 00:02:46,373
So either the Lambda function gets invoked

63
00:02:46,373 --> 00:02:50,386
or the Lambda function is invoking a source.

64
00:02:50,386 --> 00:02:53,390
And so in one case it will be a resource-based policy.

65
00:02:53,390 --> 00:02:54,670
And in the other one, it will be to

66
00:02:54,670 --> 00:02:57,400
modify the IAM role attached to the Lambda function.

67
00:02:57,400 --> 00:02:58,670
So hopefully that makes sense

68
00:02:58,670 --> 00:03:00,880
and you will be good to go with the exam for this.

69
00:03:00,880 --> 00:03:02,830
And I will see you in the next lecture.