When creating an S3 event handler for a Lambda

const input = new aws.s3.Bucket('inputbucket')
input.onObjectCreated('testing',(event,context)=> {
  console.log(event)
},{keyPrefix: ".csv"},)

Is there a way to alter the IAM execution role?

(not part of the pulumi team but i’ve been playing with lots of lambda/api gateway) it’s been easiest for me to create the lambda execution role and policy, associate them, and then associate the role with the lambda function

That's a helpful workflow - where would you suggest I associate the role with the lambda in that example?

are you using

aws.lambda.Function

?

No

yeah, you can - what constructor are you using?

I was just using

bucket.onObjectCreated

and passing in the function code

ah I see - yeah, some of the other constructors wrap

aws.lambda.Function

but if you look to the source code you’ll see you can’t pass all the args you might need through those wrappers 😕

Yeah

hopefully you can find a way to modify 😛 I assume if you can grab the arn (I’d use outputs to dump the data structure of whatever gets created and then pull the arn from that, if it exists) then you can attach a policy to that role

If this is the constructor to use

const testLambda = new aws.lambda.Function("test_lambda", {
    environment: {
        variables: {
            foo: "bar",
        },
    },
    code: new pulumi.asset.FileArchive("lambda_function_payload.zip"),
    name: "lambda_function_name",
    handler: "exports.test",
    role: iamForLambda.arn,
    runtime: "nodejs8.10",
});

I imagine you can backtick it — so :

const testLambda = new aws.lambda.Function("test_lambda", {
    environment: {
        variables: {
            foo: "bar",
        },
    },
    code: ` your code goes here \ 
some more code`,
    name: "lambda_function_name",
    handler: "exports.test",
    role: iamForLambda.arn,
    runtime: "nodejs8.10",
});

hmmm - I'll give that a try!!