Use PowerShell to Find AWS IAM Roles for Lambda Functions

When you build an AWS Lambda function, you must point it at an existing AWS Identity & Access Management (IAM) role, the function's execution role. That role must have a Trust Relationship (also called an Assume Role Policy Document) that allows the AWS Lambda service principal, lambda.amazonaws.com, to assume the role; Lambda assumes it whenever it runs your function. The IAM policies attached to the role are what grant your function's code access to resources in your AWS account, so they should be scoped to only what the function actually needs.

When you have a lot of IAM roles in your AWS account, it can be hard to sort through which existing roles have a Trust Relationship configured with the AWS Lambda service. You can drastically simplify this process with the AWS Tools for PowerShell, by filtering down your list of IAM roles for just the ones that contain the correct Trust Relationship.

Installing AWS Tools for PowerShell

You’ll need to install either the monolithic or service-specific module for AWS Tools for PowerShell.

For the monolithic AWS PowerShell module, run this command:

Install-Module -Name AWSPowerShell.NetCore -Scope CurrentUser -Force

For the AWS IAM service-specific module, use this command:

Install-Module -Name AWS.Tools.IdentityManagement -Scope CurrentUser -Force

Either one of these PowerShell modules will give you access to the PowerShell commands for the AWS IAM service, so you can explore users, roles, policies, and more.

IMPORTANT: You will also need credentials for the account. AWS Tools for PowerShell can read them from the AWS shared credentials file, from environment variables, from a profile set with Set-AWSCredential, or, when running on an EC2 instance, from an EC2 Instance Profile attached to the instance. Whichever identity you use must be allowed to call iam:ListRoles, or the commands below will return an access denied error.

Listing AWS IAM Roles with PowerShell

You can use the following command to obtain a list of AWS IAM roles in your AWS account. This list will include service-linked IAM roles, as well as customer-defined roles. Thanks to the object-oriented nature of PowerShell, each of these roles is a complex object with properties that describe the role in detail.

Get-IAMRoleList

The default table view shows only a few of those properties. To see the full list, pipe the objects into the Get-Member command or into Format-List -Property *.

Get-IAMRoleList | Format-List -Property *

# or ...

Get-IAMRoleList | Get-Member

Filter IAM Roles for AWS Lambda Trust Policy

PowerShell has a built-in command called Where-Object, which filters data based on criteria you specify. Where-Object has a built-in alias, the ? character. Aliases are not generally recommended in scripts, but they are handy for quick, one-off commands in an interactive PowerShell session.

The IAM role objects returned by Get-IAMRoleList have an AssumeRolePolicyDocument property, which is a string. The string contains the URL-encoded JSON text of the role's Trust Relationship. Hence, we can use a regular expression along with the Where-Object command to find only the IAM role objects whose Trust Relationship mentions the AWS Lambda service.

Get-IAMRoleList | ? AssumeRolePolicyDocument -match lambda

The output from the above command is a filtered list of IAM roles whose Trust Relationship contains the text "lambda" somewhere in its JSON. Note what this does and does not check: it does not decode or parse the policy, so it cannot tell whether "lambda" appears as the trusted service principal in an Allow statement, in a Deny statement, or merely in the name of some other principal (a role ARN such as .../role/lambda-deployer would also match). Assuming your IAM roles have a correctly-defined Trust Relationship for the AWS Lambda service, this is a quick way to narrow your roles down to the ones usable by Lambda functions; treat a match as a candidate to verify, not as proof that the trust policy is correct.

Select the Amazon Resource Name (ARN) Property from Roles

When you create an AWS Lambda function, you specify the Amazon Resource Name (ARN) for an AWS IAM role. The name of the role is part of the ARN, but you must specify the full ARN, not just the role name. Hence, we can use the PowerShell pipeline to extract the Arn property from each of the filtered IAM role objects.

To accomplish this, we use the Select-Object command in PowerShell. You can select one or more properties from objects in the PowerShell pipeline, by specifying the -Property parameter. In this case, we only want one property, the ARN of the roles.

Get-IAMRoleList | ? AssumeRolePolicyDocument -match 'lambda' | Select-Object -Property Arn

As you can see from the output, we have discarded the IAM role properties we do not need and kept only the one we actually require, the ARN, which can then be passed to a Lambda function deployment.
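The PowerShell below is an added example and is not code from the original article. It decodes each role's trust policy and inspects its statements instead of grepping for the word lambda, so a role that is trusted by an IAM principal named lambda-deployer is not mistaken for a Lambda execution role, and a role that also trusts a wildcard principal is called out. Get-IAMRoleList, Where-Object, Select-Object, Format-Table and ConvertFrom-Json are real cmdlets; the two functions, the sample role objects and the placeholder account ID 123456789012 are this example's own constructions.

```powershell
# Added example, not from the original article. Assumes AWS.Tools.IdentityManagement
# (or AWSPowerShell.NetCore) is installed and AWS credentials are configured for the
# live lookup at the end. Get-TrustedServices and Find-LambdaExecutionRole are
# this example's own helper names.

function Get-TrustedServices {
    # Returns every service principal that an Allow statement permits to call
    # sts:AssumeRole on the role. The IAM API returns the trust policy URL-encoded,
    # so it is decoded before being parsed as JSON.
    param([Parameter(Mandatory)][string]$AssumeRolePolicyDocument)

    $policy = [uri]::UnescapeDataString($AssumeRolePolicyDocument) | ConvertFrom-Json

    # Statement, Action and Principal.Service may each be a single value or an
    # array in IAM JSON; @() normalises each of them to an array.
    foreach ($stmt in @($policy.Statement)) {
        if ($stmt.Effect -ne 'Allow') { continue }
        $actions = @($stmt.Action)
        if (-not ($actions -contains 'sts:AssumeRole' -or $actions -contains 'sts:*')) { continue }

        # A wildcard principal means any AWS account can assume the role; surface it.
        if ("$($stmt.Principal)" -eq '*' -or @($stmt.Principal.AWS) -contains '*') {
            Write-Warning 'Trust policy allows a wildcard principal (*) to assume this role'
        }
        foreach ($svc in @($stmt.Principal.Service)) {
            if ($svc) { $svc }
        }
    }
}

function Find-LambdaExecutionRole {
    # Filters role objects (from Get-IAMRoleList, or constructed) down to those the
    # Lambda service principal can assume, and reports every service each one trusts.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Role,
        [string]$ServicePrincipal = 'lambda.amazonaws.com'
    )
    process {
        $trusted = @(Get-TrustedServices -AssumeRolePolicyDocument $Role.AssumeRolePolicyDocument)
        if ($trusted -contains $ServicePrincipal) {
            [pscustomobject]@{
                RoleName        = $Role.RoleName
                Arn             = $Role.Arn
                TrustedServices = ($trusted | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample roles (placeholder account ID) so the logic can be exercised
# offline. The second trust policy contains the word "lambda", but it trusts an IAM
# role, not the Lambda service, so the regex filter wrongly includes it.
$sampleRoles = @(
    [pscustomobject]@{
        RoleName = 'my-function-role'
        Arn      = 'arn:aws:iam::123456789012:role/my-function-role'
        AssumeRolePolicyDocument = '%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22lambda.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D'
    },
    [pscustomobject]@{
        RoleName = 'deploy-target'
        Arn      = 'arn:aws:iam::123456789012:role/deploy-target'
        AssumeRolePolicyDocument = '%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A123456789012%3Arole%2Flambda-deployer%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D'
    }
)

# Regex filter from the article: returns both sample roles, because "lambda-deployer" contains "lambda".
$sampleRoles | Where-Object AssumeRolePolicyDocument -match 'lambda' | Select-Object -ExpandProperty RoleName

# Parsed filter: only my-function-role is returned.
$sampleRoles | Find-LambdaExecutionRole | Format-Table -AutoSize

# Against the live account, emitting just the ARN strings for use in a Lambda deployment:
# Get-IAMRoleList | Find-LambdaExecutionRole | Select-Object -ExpandProperty Arn
```

Select-Object -ExpandProperty Arn returns plain strings rather than objects with an Arn property, which is what you want when passing the value to another cmdlet or a deployment script. The TrustedServices column is worth a glance too: an execution role that the Lambda service shares with other services (or, per the warning, with any account) has a wider trust boundary than a dedicated Lambda role needs.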

Conclusion

Thanks for reading this article about the AWS Tools for PowerShell and the AWS Identity & Access Management (IAM) service. As you can see, PowerShell makes it incredibly easy to obtain information about your AWS account resources, and filter the data to items that are specifically relevant to your use case.

CBT Nuggets AWS Cloud Automation Course

Please check out my AWS Cloud Automation video training course at CBT Nuggets for more information on AWS automation. If you’re not quite ready for a CBT Nuggets subscription, you can also sign up for a free learner account, to sample our content. You can also join our CBT Nuggets Slack community, where you can interact with trainers and other learners who are exploring the AWS cloud ecosystem!