How to create an IAM role for Lambda

Topic: Accounts access

Summary

Create an IAM role for AWS Lambda so the function can call AWS APIs: trust policy for lambda.amazonaws.com, attach execution and resource policies, and set the role as the function's execution role. Use this so Lambda runs without access keys.

Intent: How-to

Quick answer

  • Create a role with trust policy Principal Service lambda.amazonaws.com; attach policies for basic execution (logs) and for the resources the function needs (e.g. S3, DynamoDB).
  • Set the role as the Lambda function's execution role in the function configuration; Lambda assumes it automatically on each invocation.
  • Optionally restrict the trust policy with a Condition on aws:SourceArn (and aws:SourceAccount) so the Lambda service can assume the role only on behalf of your function (least privilege on trust, and the standard confused-deputy guard for service principals).

Steps

  1. Create the role with Lambda trust policy

    Create an IAM role with an assume-role policy allowing lambda.amazonaws.com; optionally add a Condition with ArnLike aws:SourceArn (the function ARN) and StringEquals aws:SourceAccount to restrict which function can assume the role.

  2. Attach execution and resource policies

    Attach AWSLambdaBasicExecutionRole (or similar) for CloudWatch Logs; attach custom or managed policies for S3, DynamoDB, or other services the function will call.

  3. Set the role as the function execution role

    In Lambda → Function → Configuration → Permissions, set the execution role to the new role; for new functions, choose it at creation. No access keys are stored.

  4. Verify at runtime

    Invoke the function and check that it can call the allowed APIs; use get-caller-identity in the function code to confirm the assumed role ARN; check CloudWatch Logs for permission errors.

Summary

You will create an IAM role for Lambda with a trust policy for the Lambda service, attach permissions for logs and for the resources the function uses, and set the role as the function’s execution role. Use this so Lambda functions access AWS APIs without access keys.

Prerequisites

  • IAM permissions to create roles and attach policies (iam:CreateRole, iam:AttachRolePolicy).
  • A Lambda function (or plan to create one) that needs to call AWS APIs (e.g. S3, DynamoDB, SNS).

Steps

Step 1: Create the role with Lambda trust policy

CLI:

aws iam create-role --role-name my-lambda-exec-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'

For least privilege on trust, restrict the statement to a specific function with the aws:SourceArn and aws:SourceAccount condition keys. These are the keys AWS evaluates on sts:AssumeRole for service principals (this is the documented confused-deputy protection); lambda:FunctionArn is a condition key for Lambda API actions and is not the right key here:

"Condition": {
  "StringEquals": {
    "aws:SourceAccount": "123456789012"
  },
  "ArnLike": {
    "aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  }
}

Use this when the role is dedicated to one function. For a role shared by several functions in one account, keep the aws:SourceAccount check and either drop aws:SourceArn or give it a wildcard pattern under ArnLike.

Step 2: Attach execution and resource policies

Attach basic execution (for CloudWatch Logs):

aws iam attach-role-policy --role-name my-lambda-exec-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Attach policies for the resources the function needs (e.g. S3 read for a bucket, DynamoDB read/write for a table). Prefer custom policies with specific Resource ARNs.

Step 3: Set the role as the function execution role

Console: Lambda → Functions → select function → Configuration → Permissions. Under Execution role, edit and select the role you created.

CLI:

aws lambda update-function-configuration --function-name my-function --role arn:aws:iam::123456789012:role/my-lambda-exec-role

Lambda assumes this role and hands the resulting temporary credentials to the execution environment (the SDK picks them up from the environment automatically and Lambda rotates them); no long-lived access keys are configured on the function.

Step 4: Verify at runtime

Invoke the function (console Test, or aws lambda invoke with --log-type Tail). In the function code, call STS GetCallerIdentity through the SDK and log the returned Arn; it should be the assumed-role ARN for this role with the function name as the session name, e.g. arn:aws:sts::123456789012:assumed-role/my-lambda-exec-role/my-function, not the IAM role ARN itself. Then confirm the function can reach the allowed resources (e.g. an S3 GetObject); on AccessDenied, add the missing action or resource ARN to the role's policy rather than widening it to *.
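The four steps as one script, added here as an example (it is not the page's own command sequence): it renders the trust policy with the aws:SourceArn / aws:SourceAccount condition, refuses to attach a resource policy that contains a wildcard, retries the role binding while IAM propagates the new role, and then verifies with the policy simulator and a tailed invocation. The account ID, region, function, bucket and table names are placeholders to edit; policy_is_scoped and expected_caller_arn are helpers written for this example. Nothing touches AWS unless the script is run with the argument apply.

```shell
#!/bin/sh
# Added example, not from the original page. Placeholder values below
# (account, region, function, bucket, table) must be edited before "apply".
set -eu

ACCOUNT_ID="123456789012"
REGION="us-east-1"
FUNCTION_NAME="my-function"      # assumed to exist already
ROLE_NAME="my-lambda-exec-role"
BUCKET="my-input-bucket"         # assumed bucket the function reads
TABLE="my-table"                 # assumed table the function writes

# Step 1: only the Lambda service may assume the role, and only while acting
# for this one function in this account (the confused-deputy guard).
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "${ACCOUNT_ID}"},
      "ArnLike": {"aws:SourceArn": "arn:aws:lambda:${REGION}:${ACCOUNT_ID}:function:${FUNCTION_NAME}"}
    }
  }]
}
EOF
}

# Step 2: resource permissions with explicit ARNs; logs come from the managed policy.
resource_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadInput", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::${BUCKET}/*"},
    {"Sid": "WriteResults", "Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
     "Resource": "arn:aws:dynamodb:${REGION}:${ACCOUNT_ID}:table/${TABLE}"}
  ]
}
EOF
}

# Returns 1 if a policy document grants a bare "*" or a service-wide "svc:*".
# A pre-flight lint only; the policy simulator below is the real check.
policy_is_scoped() {
  if printf '%s' "$1" | grep -Eq '"\*"|:\*"'; then return 1; fi
  return 0
}

# What GetCallerIdentity reports inside the function: the STS assumed-role ARN
# with the function name as session name, not the IAM role ARN.
expected_caller_arn() {
  printf 'arn:aws:sts::%s:assumed-role/%s/%s\n' "$ACCOUNT_ID" "$ROLE_NAME" "$FUNCTION_NAME"
}

main() {
  role_arn="arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
  policy_is_scoped "$(resource_policy)" || { echo "refusing to attach a wildcard policy" >&2; exit 1; }

  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${FUNCTION_NAME}-resources" --policy-document "$(resource_policy)"

  # Step 3: IAM is eventually consistent; a role created seconds ago is rejected
  # with "The role defined for the function cannot be assumed by Lambda". Retry.
  attempt=0
  until aws lambda update-function-configuration --function-name "$FUNCTION_NAME" \
        --role "$role_arn" >/dev/null; do
    attempt=$((attempt + 1))
    [ "$attempt" -lt 6 ] || { echo "role still not assumable after $attempt tries" >&2; exit 1; }
    sleep 5
  done
  aws lambda wait function-updated --function-name "$FUNCTION_NAME"

  # Step 4: confirm the binding, then ask IAM what the role may do.
  # Expect s3:GetObject -> allowed and s3:PutObject -> implicitDeny.
  bound=$(aws lambda get-function-configuration --function-name "$FUNCTION_NAME" \
          --query Role --output text)
  [ "$bound" = "$role_arn" ] || { echo "bound to $bound, expected $role_arn" >&2; exit 1; }
  aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names s3:GetObject s3:PutObject \
    --resource-arns "arn:aws:s3:::${BUCKET}/sample.txt" \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text

  # If the handler logs its caller identity, the tailed log must contain this ARN.
  echo "expect in logs: $(expected_caller_arn)"
  aws lambda invoke --function-name "$FUNCTION_NAME" --log-type Tail \
    --cli-binary-format raw-in-base64-out --payload '{}' \
    --query LogResult --output text /dev/null | base64 -d
}

# Only touch AWS when explicitly asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run as sh setup.sh apply after editing the placeholders. The simulator call is the cheap check to run first: it answers "would this role be allowed" without an invocation, and when it says implicitDeny for an action you expected, the fix is a more specific Allow on the role, not a wildcard.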

Verification

  • The role exists with trust policy for lambda.amazonaws.com and the intended permission policies.
  • The Lambda function’s configuration shows this role as the execution role.
  • A test invocation succeeds and GetCallerIdentity (if logged) shows the assumed-role ARN arn:aws:sts::<account>:assumed-role/<role>/<function>; no access keys are used.

Troubleshooting

Access denied in Lambda — The execution role's policies may not include the action or the specific resource ARN. Add the required permission; also check for denies that live outside the role: a resource policy (e.g. an S3 bucket policy), a permissions boundary on the role, or an SCP on the account. Use the policy simulator (aws iam simulate-principal-policy --policy-source-arn <role ARN>) with the exact action and resource ARN from the error message.

Role cannot be assumed by Lambda — Ensure the trust policy has Principal Service lambda.amazonaws.com and Action sts:AssumeRole. If you added a Condition on aws:SourceArn, ensure the ARN matches the function's region, account and name exactly; if you used aws:SourceAccount, it must be the account that owns the function. A role created only seconds ago can also be rejected with "The role defined for the function cannot be assumed by Lambda" until IAM has propagated it; wait briefly and retry.

Basic execution role missing — Without the logs permissions the function still runs, but nothing reaches CloudWatch Logs, so the permission errors from the other steps become invisible. Attach AWSLambdaBasicExecutionRole or an equivalent policy that allows logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents.

Next steps

Continue to