Lambda function - Under the hood

What is actually happening under the hood when a Lambda function is given permission for an action? I’m basically asking how IAM works under the hood.

For example, suppose that a Lambda function is given permission to put events into an event bus, i.e., events:PutEvents.

How does EventBridge really know that the caller has the appropriate permissions? At the end of the day, PutEvents is nothing but an HTTP call.

That’s quite a complicated question and given who is in this Slack and the requested level of implementation details, you might not get an answer.

Having built a SaaS that mimics what IAM does but for customers, I can share some insight into what we do, but I don’t know how much that is going to help. What are you hoping to figure out?

I needed to call a mutation on AppSync from within Lambda in order to trigger an AppSync subscription.

I wanted to use IAM instead of API Key, but I was not able to do it, and looking at the function, it really makes sense. I would be more surprised if it worked… Because there is nothing in the function code that somehow carries the IAM info.

The function body is more or less like this:

```
const axios = require('axios')

// AppSync endpoint; assumed to be supplied via the function's environment
const graphqlUrl = process.env.GRAPHQL_URL

exports.handler = async (event) => {
	const { id } = event.detail

	const query = `mutation CreateOrUpdateTotal($id: ID!) {
		createOrUpdateTotal(id: $id) {
			...fields
		}
	}`

	const payload = {
		query,
		variables: { id },
		operationName: 'CreateOrUpdateTotal'
	}

	// Plain HTTP POST: nothing here attaches the function's IAM credentials
	// or a SigV4 signature to the request
	await axios.post(graphqlUrl, payload)
}
```

But when there is an AWS SDK client, it just works, for example:
```
const AWS = require('aws-sdk')

// The SDK client picks up credentials from the environment and signs the call
new AWS.EventBridge().putEvents({ ... })
```
So I’m just assuming that the SDK does something under the hood, and I just don’t see any way other than reading temporary credentials from the environment and adding them to the HTTP request headers.

AppSync doesn’t take IAM credentials as far as I’m aware. Yes, the AWS SDK automatically loads your credentials from the current environment to make the call to AWS services.

What do you mean that AppSync doesn’t take IAM credentials?

Because it does support IAM authorization.

Well, then you need to provide it explicitly in the request.

You’ll have to find the instructions for your selected language.

It’s not trivial to sign your requests, though.