aws_lambda_permission conditions

Hello everyone. I’m trying to create a Lambda Resource Policy in AWS using TF. Per the documentation, aws_lambda_permission seems to be the way to do this. However, what seems to be missing is the ability to use conditions.

How can a Lambda resource policy with a condition be created using Terraform?

For example, a resource policy that denies invoking the Lambda based on IP address or originating organization ID:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": ["lambda:InvokeFunction"],
          "Resource": ["*"],
          "Condition": {
            "NotIpAddress": {
              "aws:SourceIp": ["some_cidr_here"]
            },
            "StringNotEquals": {
              "aws:PrincipalOrgID": "some_value_here"
            }
          }
        }
      ]
    }
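Added example, not code from the original post or from the Terraform AWS provider documentation: the condition-bearing arguments that `aws_lambda_permission` does expose, namely `source_arn`, `source_account` and `principal_org_id`. Each maps directly to a parameter of the Lambda `AddPermission` API, which is why every statement the resource produces is an Allow and the only condition keys it can carry are the source ARN, the source account, the principal's organization ID and (for function URLs) the auth type. The resource names `aws_lambda_function.example` and `aws_s3_bucket.uploads`, the `org_id` variable and its placeholder value are assumptions.

```hcl
# Added example: assumed resource names (aws_lambda_function.example,
# aws_s3_bucket.uploads) and a placeholder org ID; none come from the thread.

variable "org_id" {
  description = "AWS Organizations ID allowed to invoke the function (placeholder)"
  type        = string
  default     = "o-xxxxxxxxxx"
}

data "aws_caller_identity" "current" {}

# Let S3 invoke the function, but only for events from one bucket in one
# account. Renders as an Allow statement with an ArnLike condition on the
# source ARN and a StringEquals condition on aws:SourceAccount, which closes
# the confused-deputy gap where any bucket in any account could invoke it.
resource "aws_lambda_permission" "from_uploads_bucket" {
  statement_id   = "AllowInvokeFromUploadsBucket"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.example.function_name
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.uploads.arn
  source_account = data.aws_caller_identity.current.account_id
}

# Let any principal in the organization invoke the function. principal = "*"
# is scoped by principal_org_id, which renders as a StringEquals condition on
# aws:PrincipalOrgID. This is Allow-only: the Deny / NotIpAddress statement
# from the question cannot be expressed through this resource.
resource "aws_lambda_permission" "from_org" {
  statement_id     = "AllowInvokeFromOrg"
  action           = "lambda:InvokeFunction"
  function_name    = aws_lambda_function.example.function_name
  principal        = "*"
  principal_org_id = var.org_id
}
```

After `terraform apply`, `aws lambda get-policy --function-name <name>` prints the rendered resource policy (the same JSON the console shows under the function's Permissions tab), so you can confirm exactly which Effect and Condition blocks were written rather than inferring them from the HCL.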

It appears the condition is defined in your JSON block; have you tried feeding the above into the resource_iam_role -> assume_role_policy? I could be entirely wrong, I lean more towards Azure. I can try to spin it up later in my AWS account and get back to you.

Edited to remove bad code

I understand the assume_role_policy to be separate from the resource policy. Per that doc, “Unlike an identity-based policy, a resource-based policy specifies who (which principal) can access that resource.”

The resource policy shows up on the Lambda page in the console (under Permissions), whereas the assume_role_policy is found on the IAM page.

To answer my own question, it appears that AWS itself does not allow for explicit deny statements nor conditions:

What threw me off is that the CDK implies that it can be done and it looks like there’s an open issue on it:

Nice find, sorry I wasn’t much help. I was actually hacking away just now to see what I could come up with.

I’d love to hear that conditions really are supported as I think the open issue implies, but none of the AWS docs I found reference it.

I appreciate the help all the same!
