
How to add Account Condition to AWS Lambda Permissions in Terraform

If you need to lock an AWS Lambda function down to a single source account for security reasons (Security Hub control PCI.Lambda.1), you can do so with the source_account argument of the aws_lambda_permission Terraform resource type.

resource "aws_lambda_permission" "do_something_with_bucket" {
  statement_id   = "AllowExecutionFromS3Bucket"
  action         = "lambda:InvokeFunction"
  function_name  = module.do_something_with_bucket.arn
  principal      = "s3.amazonaws.com"   # the S3 service principal
  source_arn     = var.source_bucket_arn
  source_account = var.account_id       # <---------- here
}

We have stored the account ID in a variable so that it can be supplied when we initialise our Terraform context:

source_account = var.account_id

This populates the Condition block of the function's resource-based policy as below, so only resources owned by that account can invoke the function:

"Condition": {
  "StringEquals": {
    "AWS:SourceAccount": "xxxxxxxxxxxx"
  }
}
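To verify that a deployed function actually ended up with this condition, the following added example (not code from the original post) scans a Lambda resource-based policy and reports service-principal statements that lack an AWS:SourceAccount condition. The policy document, account ID and ARNs are constructed sample values; in practice you would feed it the output of `aws lambda get-policy`.

```python
import json

# Condition keys Lambda writes into the resource policy when the Terraform
# source_account argument is set (key case varies between tools).
ACCOUNT_KEYS = {"AWS:SourceAccount", "aws:SourceAccount"}

def condition_keys(statement):
    """Flatten a statement's Condition block into the set of keys it uses."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block)
    return keys

def missing_account_condition(policy):
    """Return the Sids of Allow statements granted to an AWS service principal
    (e.g. s3.amazonaws.com) that carry no SourceAccount condition, meaning a
    resource in any account could still invoke the function."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        is_service = isinstance(principal, dict) and "Service" in principal
        if stmt.get("Effect") != "Allow" or not is_service:
            continue  # account/IAM principals are not the confused-deputy case
        if not condition_keys(stmt) & ACCOUNT_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample policy: the first statement is what the resource above
# produces (source_arn + source_account); the second only set source_arn.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:do_something_with_bucket"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowExecutionFromS3Bucket", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"},
                       "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
        {"Sid": "ArnOnly", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
    ],
}

if __name__ == "__main__":
    print(missing_account_condition(SAMPLE_POLICY))  # ['ArnOnly']
```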
