Package software.amazon.awscdk.services.lambda

Class CfnPermission

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.lambda.CfnPermission
All Implemented Interfaces:
IInspectable, IPermissionRef, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
@Generated(value="jsii-pacmak/1.116.0 (build 0eddcff)", date="2025-10-24T13:34:41.191Z") @Stability(Stable) public class CfnPermission extends CfnResource implements IInspectable, IPermissionRef
The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function.

You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.

To grant permission to another account, specify the account ID as the Principal . To grant permission to an organization defined in AWS Organizations , specify the organization ID as the PrincipalOrgID . For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com . For AWS services, you can also specify the ARN of the associated resource as the SourceArn . If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.

If your function has a function URL, you can specify the FunctionUrlAuthType parameter. This adds a condition to your permission that only applies when your function URL's AuthType matches the specified FunctionUrlAuthType . For more information about the AuthType parameter, see Control access to Lambda function URLs .

This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies .

Example: 

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.lambda.*;
 CfnPermission cfnPermission = CfnPermission.Builder.create(this, "MyCfnPermission")
         .action("action")
         .functionName("functionName")
         .principal("principal")
         // the properties below are optional
         .eventSourceToken("eventSourceToken")
         .functionUrlAuthType("functionUrlAuthType")
         .invokedViaFunctionUrl(false)
         .principalOrgId("principalOrgId")
         .sourceAccount("sourceAccount")
         .sourceArn("sourceArn")
         .build();

See Also:

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnPermission

      protected CfnPermission(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnPermission

      protected CfnPermission(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnPermission

      @Stability(Stable) public CfnPermission(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnPermissionProps props)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties. This parameter is required.

  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getAttrId

      @Stability(Stable) @NotNull public String getAttrId()

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getPermissionRef

      @Stability(Stable) @NotNull public PermissionReference getPermissionRef()
      A reference to a Permission resource.
      Specified by:
      getPermissionRef in interface IPermissionRef

    • getAction

      @Stability(Stable) @NotNull public String getAction()
      The action that the principal can use on the function.

    • setAction

      @Stability(Stable) public void setAction(@NotNull String value)
      The action that the principal can use on the function.

    • getFunctionName

      @Stability(Stable) @NotNull public String getFunctionName()
      The name or ARN of the Lambda function, version, or alias.

    • setFunctionName

      @Stability(Stable) public void setFunctionName(@NotNull String value)
      The name or ARN of the Lambda function, version, or alias.

    • getPrincipal

      @Stability(Stable) @NotNull public String getPrincipal()
      The AWS service , AWS account , IAM user, or IAM role that invokes the function.

    • setPrincipal

      @Stability(Stable) public void setPrincipal(@NotNull String value)
      The AWS service , AWS account , IAM user, or IAM role that invokes the function.

    • getEventSourceToken

      @Stability(Stable) @Nullable public String getEventSourceToken()
      For Alexa Smart Home functions, a token that the invoker must supply.

    • setEventSourceToken

      @Stability(Stable) public void setEventSourceToken(@Nullable String value)
      For Alexa Smart Home functions, a token that the invoker must supply.

    • getFunctionUrlAuthType

      @Stability(Stable) @Nullable public String getFunctionUrlAuthType()
      The type of authentication that your function URL uses.

    • setFunctionUrlAuthType

      @Stability(Stable) public void setFunctionUrlAuthType(@Nullable String value)
      The type of authentication that your function URL uses.

    • getInvokedViaFunctionUrl

      @Stability(Stable) @Nullable public Object getInvokedViaFunctionUrl()
      Restricts the lambda:InvokeFunction action to function URL calls.

      Returns union: either Boolean or IResolvable

    • setInvokedViaFunctionUrl

      @Stability(Stable) public void setInvokedViaFunctionUrl(@Nullable Boolean value)
      Restricts the lambda:InvokeFunction action to function URL calls.

    • setInvokedViaFunctionUrl

      @Stability(Stable) public void setInvokedViaFunctionUrl(@Nullable IResolvable value)
      Restricts the lambda:InvokeFunction action to function URL calls.

    • getPrincipalOrgId

      @Stability(Stable) @Nullable public String getPrincipalOrgId()
      The identifier for your organization in AWS Organizations .

    • setPrincipalOrgId

      @Stability(Stable) public void setPrincipalOrgId(@Nullable String value)
      The identifier for your organization in AWS Organizations .

    • getSourceAccount

      @Stability(Stable) @Nullable public String getSourceAccount()
      For AWS service , the ID of the AWS account that owns the resource.

    • setSourceAccount

      @Stability(Stable) public void setSourceAccount(@Nullable String value)
      For AWS service , the ID of the AWS account that owns the resource.

    • getSourceArn

      @Stability(Stable) @Nullable public String getSourceArn()
      For AWS services , the ARN of the AWS resource that invokes the function.

    • setSourceArn

      @Stability(Stable) public void setSourceArn(@Nullable String value)
      For AWS services , the ARN of the AWS resource that invokes the function.