Lambda@Edge allows you to run Lambda functions in response to CloudFront events. In order to use a Lambda function with CloudFront, you need to make sure that your function can assume the edgelambda identity. I want to show you an easy way to do it with serverless.
The plugin works great if you deploy and control both your Lambda functions and their associations with the CloudFront distributions. You might, however, be deploying a global function that is to be used by different teams on different distributions. Here’s a good example: a function that supports redirecting /index.html deeper in the URL hierarchy than the site root.
Serverless allows you to define additional IAM role statements in the iamRoleStatements block but doesn’t seem to have a shortcut for the iamRoleLambdaExecution. You can certainly configure your own custom IAM::Role but that’s a pretty involved exercise if all you want to achieve is this:
If you don’t define your own IAM::Role, serverless will create one for you. The easiest way to see how it looks is to run sls package, look inside your .serverless folder, and inspect the CloudFormation JSON that will orchestrate your deployment. Look for IamRoleLambdaExecution in the Resources group.
Serverless carries a template that it uses as a starting point to build the role definition. The good news is that serverless merges it into the list of other resources that you might have defined in your serverless.yml. Take a look at the code if you want to see how it does it.
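
An added example, not taken from the original post: a serverless.yml resources block that declares IamRoleLambdaExecution with a trust policy naming both the Lambda and the Lambda@Edge service principals, relying on the merge described above. Only the logical ID IamRoleLambdaExecution comes from the text; the rest is an assumed minimal layout.

```yaml
# serverless.yml (fragment) - added example, not the author's original snippet.
# The logical ID must match the role serverless generates (IamRoleLambdaExecution),
# so that its own template is merged over this definition instead of creating
# a second role.
resources:
  Resources:
    IamRoleLambdaExecution:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  # Regular Lambda service principal.
                  - lambda.amazonaws.com
                  # Lets CloudFront's Lambda@Edge replicas assume the role.
                  - edgelambda.amazonaws.com
              Action: sts:AssumeRole
# Check the result before deploying: run `sls package` and confirm that
# IamRoleLambdaExecution in the generated CloudFormation JSON under .serverless
# lists both principals and nothing broader (no wildcard or account principals)
# in its AssumeRolePolicyDocument.
```
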
And that’s it. Serverless will merge its template over this structure and will keep the edgelambda principal in there. Enjoy!