According to the Serverless IAM documentation,
By default, one IAM Role is shared by all of the Lambda functions in your service. An IAM Policy is also created and is attached to that Role. Also by default, your Lambda functions have permission to create and write to CloudWatch logs, and if you have specified VPC security groups and subnets for your Functions to use, then the EC2 rights necessary to attach to the VPC via an ENI will be added into the default IAM Policy.
To add specific rights to this service-wide Role, define statements in provider.iamRoleStatements which will be merged into the generated policy.
To invoke a Lambda function from another function, you just need to add the "lambda:InvokeFunction" action to the existing IAM permissions Serverless already provides. So an example serverless.yml service should have an iamRoleStatements section that looks like this:
```yaml
service: new-service
provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "lambda:InvokeFunction"
      Resource:
        - "*"
```
In reference to the other answer cited:

- the AWSLambdaBasicExecutionRole managed policy is already covered by the default Serverless policy;
- AWSLambdaExecute is the incorrect name for the managed policy required (that one only provides S3 get/put access, not InvokeFunction); the answer probably meant AWSLambdaRole, which provides the "lambda:InvokeFunction" permission.
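The statement above grants InvokeFunction on every function in the account (`Resource: "*"`). As an added example that is not part of the original answer, the following serverless.yml scopes the same permission to a single target function. The service name, stage and the two function names (`caller`, `worker`) are assumptions for illustration; the ARN is assembled with Fn::Join from the Serverless default function-name pattern `<service>-<stage>-<functionName>`, because referencing the target function's logical resource with Fn::GetAtt from the role policy would create a CloudFormation circular dependency (the function depends on the role, and the role's policy would depend on the function).

```yaml
# Added example (not from the original answer): least-privilege version of the
# iamRoleStatements above. Service/stage/function names are illustrative.
service: new-service

provider:
  name: aws
  runtime: python3.9
  stage: dev
  iamRoleStatements:
    - Effect: Allow
      Action:
        - lambda:InvokeFunction
      # Build the target ARN as a string instead of Fn::GetAtt on the worker's
      # logical ID, which would make the shared role depend on the function
      # and fail deployment with a circular dependency.
      Resource:
        - Fn::Join:
            - ":"
            - - arn:aws:lambda
              - Ref: AWS::Region
              - Ref: AWS::AccountId
              - function
              - ${self:service}-${self:provider.stage}-worker

functions:
  # The function doing the invoking. It receives the target's name through an
  # environment variable so the code does not hard-code the account/stage.
  caller:
    handler: handler.caller
    environment:
      WORKER_FUNCTION: ${self:service}-${self:provider.stage}-worker

  # The function being invoked. Nothing in its own configuration needs to
  # change; only the shared role's policy does.
  worker:
    handler: handler.worker
```

With this in place, `caller` can invoke `worker` but not any other Lambda in the account, and a compromised `caller` cannot be used as a pivot to trigger arbitrary functions. If the caller runs in a VPC, the ENI-related EC2 rights mentioned in the quoted documentation are still added automatically; this statement only replaces the wildcard invoke grant.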