Specifying a custom role for lambda with the AWS CDK

Question

I realize it's pretty new but I don't see any examples in any language how you would specify a role for the lambda created with the AWS CDK.

I was attempting to do this

const cdk       = require('@aws-cdk/cdk');

const lambda    = require('@aws-cdk/aws-lambda');

const iam       = require('@aws-cdk/aws-iam');

const path      = require('path');

class MyStack extends cdk.Stack {

    constructor (parent, id, props) {

            super(parent, id, props);

            //

            // Create a lambda...

            const fn = new lambda.Function(this, 'MyFunction-cdktest', {

                runtime: lambda.Runtime.NodeJS810,

                handler: 'index.handler',

                code: lambda.Code.directory( path.join( __dirname, 'lambda')),

                role: iam.RoleName('lambda_basic_execution')

            });

    }

}

class MyApp extends cdk.App {

        constructor (argv) {

                super(argv);

                new MyStack(this, 'hello-cdk');

        }

}

console.log(new MyApp(process.argv).run());

in order to try and specify an existing IAM role for the function but that doesn't seem to be correct syntax. I also would be ok with ( or maybe even prefer ) to generate the custom role on the fly specific to this lambda but I didn't see any examples on how to do that either.

Does anyone have any insight on how to accomplish this?

Answer 1

Lambda will have basic executing permission because when it is created it will get an execution role. For additional permissions, do this:

lambda.addToRolePolicy(new cdk.PolicyStatement()

   .addResource('arn:aws:....')

   .addAction('s3:GetThing'));

Use a convenience function for permissions on some resources:

bucket.grantRead(lambda.role);