When you are building AWS Lambda functions, you need to point to an existing AWS Identity & Access Management (IAM) role. The role used by an AWS Lambda function must have a Trust Relationship (also known as the Assume Role Policy Document) that allows the AWS Lambda service to assume the role when it invokes the Lambda function in your AWS account. The IAM policies attached to that role grant your Lambda functions access to resources in your AWS account.
When you have a lot of IAM roles in your AWS account, it can be hard to sort through which existing roles have a Trust Relationship configured with the AWS Lambda service. You can drastically simplify this process with the AWS Tools for PowerShell, by filtering down your list of IAM roles for just the ones that contain the correct Trust Relationship.
Installing AWS Tools for PowerShell
You’ll need to install either the monolithic or service-specific module for AWS Tools for PowerShell.
For the monolithic AWS PowerShell module, run this command:
Install-Module -Name AWSPowerShell.NetCore -Scope CurrentUser -Force
For the AWS IAM service-specific module, use this command:
Install-Module -Name AWS.Tools.IdentityManagement -Scope CurrentUser -Force
Either one of these PowerShell modules will give you access to the PowerShell commands for the AWS IAM service, so you can explore users, roles, policies, and more.
IMPORTANT: You will also need to configure your AWS shared credentials file or run AWS Tools for PowerShell on an EC2 instance with a properly configured EC2 Instance Profile attached to it. This is how you gain access to your AWS account resources.
Listing AWS IAM Roles with PowerShell
You can use the following command to obtain a list of AWS IAM roles in your AWS account. This list will include service-linked IAM roles, as well as customer-defined roles. Thanks to the object-oriented nature of PowerShell, each of these roles is a complex object with properties that describe the role in detail.
By default, some properties are hidden from the default view. If you want to see a full list of properties, either pipe the objects into the Get-Member command or into the Format-List -Property * command.
Get-IAMRoleList | Format-List -Property * # or ... Get-IAMRoleList | Get-Member
Filter IAM Roles for AWS Lambda Trust Policy
PowerShell has a built-in command called Where-Object, which filters data based on criteria you specify. By default, there is an alias for Where-Object, which is the ? character. Aliases are not generally recommended for scripts, but can be useful for quick, one-off commands in an interactive PowerShell environment.
The IAM role objects returned by Get-IAMRoleList have an AssumeRolePolicyDocument property, which is a string value. The string contains the URL-encoded JSON text of the Trust Relationship for the role. Hence, we can use a regular expression along with the Where-Object command to find only the IAM role objects whose Trust Relationship mentions the AWS Lambda service.
Get-IAMRoleList | ? AssumeRolePolicyDocument -match lambda
The output from the above command will show you a filtered list of AWS IAM roles that include a Trust Relationship for AWS Lambda. It does not validate that the Trust Relationship is defined correctly; it only looks for the text “lambda” somewhere inside the JSON text. Assuming your IAM roles have a correctly-defined Trust Relationship for the AWS Lambda service, this will help you easily filter your IAM roles down to the ones that are compatible with Lambda functions.
Select the Amazon Resource Name (ARN) Property from Roles
When you create an AWS Lambda function, you specify the Amazon Resource Name (ARN) for an AWS IAM role. The name of the role is part of the ARN, but you must specify the full ARN, not just the role name. Hence, we can use the PowerShell pipeline to extract the Arn property from each of the filtered IAM role objects.
To accomplish this, we use the Select-Object command in PowerShell. You can select one or more properties from objects in the PowerShell pipeline by specifying the -Property parameter. In this case, we only want one property: the ARN of the roles.
Get-IAMRoleList | ? AssumeRolePolicyDocument -match 'lambda' | Select-Object -Property Arn
As you can see from the output, we have successfully filtered out the unwanted IAM role properties. Instead, we focused on retrieving the property that we actually need, so we can successfully deploy AWS Lambda functions.
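The -match 'lambda' filter above is a plain substring test on the raw JSON, so a trust policy that merely mentions "lambda" elsewhere (for example, a cross-account trust for an IAM role named lambda-deployer) passes the filter even though the Lambda service itself cannot assume the role. The following is an added example, not code from the original article or from the AWS Tools for PowerShell: it URL-decodes and parses each AssumeRolePolicyDocument, keeps only roles with an Allow statement that grants sts:AssumeRole to the lambda.amazonaws.com service principal, and then selects the Arn property as the article does. The Test-LambdaTrustPolicy function, the sample role objects and the 123456789012 account ID are all constructed for this example so it runs offline; against a real account you would feed it Get-IAMRoleList instead.

```powershell
# Added example (not from the original article). Test-LambdaTrustPolicy is a
# constructed helper: it decodes a role's URL-encoded trust policy, parses the
# JSON, and returns $true only when the Lambda service principal is allowed to
# call sts:AssumeRole on the role.
function Test-LambdaTrustPolicy {
    [CmdletBinding()]
    param(
        # Raw value of the AssumeRolePolicyDocument property returned by Get-IAMRoleList
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $AssumeRolePolicyDocument
    )
    process {
        # IAM returns the document URL-encoded (RFC 3986); decode before parsing.
        $decoded = [System.Uri]::UnescapeDataString($AssumeRolePolicyDocument)
        try {
            $policy = $decoded | ConvertFrom-Json
        }
        catch {
            Write-Warning "Could not parse trust policy as JSON: $_"
            return $false
        }

        # "Statement", "Action" and "Principal.Service" may each be a single value
        # or an array in IAM policy JSON; @() normalises them to arrays.
        foreach ($statement in @($policy.Statement)) {
            if ($statement.Effect -ne 'Allow') { continue }

            $actions = @($statement.Action)
            if (-not ($actions -contains 'sts:AssumeRole')) { continue }

            # Only an exact service principal counts; an AWS account/role principal
            # whose ARN happens to contain "lambda" does not.
            $services = @($statement.Principal.Service)
            if ($services -contains 'lambda.amazonaws.com') { return $true }
        }
        return $false
    }
}

# Constructed sample roles that mimic the shape of Get-IAMRoleList output.
# The second role's trust policy contains the text "lambda" (a cross-account
# IAM role principal) but does NOT trust the Lambda service, so the article's
# `-match lambda` filter would wrongly include it.
$lambdaTrust = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
$roleTrust   = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/lambda-deployer"},"Action":"sts:AssumeRole"}]}'

$sampleRoles = @(
    [pscustomobject]@{
        RoleName                 = 'my-function-role'
        Arn                      = 'arn:aws:iam::123456789012:role/my-function-role'
        AssumeRolePolicyDocument = [System.Uri]::EscapeDataString($lambdaTrust)
    }
    [pscustomobject]@{
        RoleName                 = 'cross-account-role'
        Arn                      = 'arn:aws:iam::123456789012:role/cross-account-role'
        AssumeRolePolicyDocument = [System.Uri]::EscapeDataString($roleTrust)
    }
)

# Substring filter from the article: returns BOTH sample roles.
$sampleRoles | Where-Object AssumeRolePolicyDocument -match lambda | Select-Object -Property RoleName

# Parsed filter: returns only my-function-role, then selects the ARN needed
# for the Lambda function's --role argument. Replace $sampleRoles with
# Get-IAMRoleList to run this against your account.
$sampleRoles |
    Where-Object { Test-LambdaTrustPolicy -AssumeRolePolicyDocument $_.AssumeRolePolicyDocument } |
    Select-Object -Property RoleName, Arn
```

The helper deliberately checks the three pieces that make a trust policy usable by Lambda (an Allow effect, the sts:AssumeRole action, and the lambda.amazonaws.com service principal) rather than the presence of a word, so roles that are only tangentially related to Lambda no longer appear in the candidate list.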
Thanks for reading this article about the AWS Tools for PowerShell and the AWS Identity & Access Management (IAM) service. As you can see, PowerShell makes it incredibly easy to obtain information about your AWS account resources, and filter the data to items that are specifically relevant to your use case.
CBT Nuggets AWS Cloud Automation Course
Please check out my AWS Cloud Automation video training course at CBT Nuggets for more information on AWS automation. If you’re not quite ready for a CBT Nuggets subscription, you can also sign up for a free learner account, to sample our content. You can also join our CBT Nuggets Slack community, where you can interact with trainers and other learners who are exploring the AWS cloud ecosystem!