3

I have created an AWS Lambda function and uploaded a zipped version of the .py file from my local machine using the "upload Zip file" option. But when the Lambda function is invoked, the code is visible in the inline editor. I don't want the code to be visible in the inline editor, as it gives someone a chance to edit the code.

Please suggest!!

4
  • 1
    What exactly is your concern? Is it that somebody with access to your AWS account could modify the code? If that's the case, then "hiding" it would not solve the problem - anybody with access to your account would be able to download it, modify it and re-upload it. If that's not your concern, could you please explain a bit better what exactly it is? Commented Jul 21, 2016 at 1:58
  • @Bruno Reis I'll upload the zip to S3 and restrict access to the bucket, but when the Lambda is triggered the code becomes visible in the inline editor. Commented Jul 21, 2016 at 3:00
  • 1
    The "inline editor" -- you are talking about the editor in the AWS console? If yes, then it does not make sense that you consider this to be a problem. If no, then please explain what the "inline editor" is. Commented Jul 21, 2016 at 4:13
  • Other users of your account will only be able to see the code if they have IAM privileges to do so. If you can't control those or don't want anyone else to be able to see your code, use your own account. Commented Jul 21, 2016 at 6:32

2 Answers

3

The code for Lambda functions will always be available to either edit in the inline editor or download (Actions > Download function code).

I'm assuming your concern might be secrets or credentials that might be present in the code, then the issue here isn't that the code is readable or downloadable from the console but that you're not sufficiently protecting them. Take a look at the following question on Stack Overflow which answers this: How to (properly) use external credentials in an AWS Lambda function?

You can still restrict access to Lambda for other IAM users in your AWS account with an access policy statement like this:

{
  "Action": "lambda:*",
  "Effect": "Deny",
  "Resource": "arn:aws:lambda:<region>:<account>:*"
}

Or be more specific if you simply want to deny access to listing and displaying Lambda functions with lambda:GetFunction, lambda:GetFunctionConfiguration.
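An added example (not part of the original answer): a Python sketch that builds the narrower deny statement described above for a single function and checks, with a simplified explicit-deny matcher, which Lambda API calls it blocks compared with a `lambda:*` deny. The ARN, Sid and function names are constructed placeholders, and the matcher is an illustration that ignores Condition, NotAction and NotResource.

```python
import json
import re

# Constructed placeholders: substitute your own region, account ID and function name.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:my-function"

def build_deny_code_read_policy(function_arn):
    """Identity policy denying the two read calls named in the answer, for one function."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyLambdaCodeRead",  # hypothetical statement ID
            "Effect": "Deny",
            "Action": ["lambda:GetFunction", "lambda:GetFunctionConfiguration"],
            # Cover the unqualified ARN and any version- or alias-qualified ARN.
            "Resource": [function_arn, function_arn + ":*"],
        }],
    }

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def explicitly_denied(policy, action, resource):
    """True if any Deny statement matches the request (simplified evaluation)."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        # Action names are case-insensitive; resource ARNs are compared as written.
        if (any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
                and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))):
            return True
    return False

if __name__ == "__main__":
    policy = build_deny_code_read_policy(FUNCTION_ARN)
    print(json.dumps(policy, indent=2))
    for action in ("lambda:GetFunction", "lambda:InvokeFunction", "lambda:UpdateFunctionCode"):
        verdict = "denied" if explicitly_denied(policy, action, FUNCTION_ARN) else "not denied"
        print(f"{action}: {verdict}")
```

lambda:GetFunction is the call that returns a download link for the deployment package, so denying it is what stops the code from being displayed or downloaded; the narrow policy leaves lambda:UpdateFunctionCode untouched, so preventing edits needs that action denied as well.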


7 Comments

Should I add this policy to my IAM role or to all other IAM roles in the AWS account?
@shiv455 to all other IAM then, you could create a group with this policy and attach the users to that group.
Even though I add this policy, the code is still readable to everyone (under the same AWS account, in my case the Dev account) after the Lambda is executed at least once. Please correct me if I'm wrong. I saw that for some of the Lambda functions created, the code (the Lambda code, not the function itself) is never visible in the AWS console. When I try to click on the function, it shows the upload option but not the actual code.
@shiv455 did you replace <region> and <account> with the region that this applies to and your account ID? (Account name in top right > My account)
I cannot add this policy to all other IAM roles under the account. I should be able to manage permissions on a Lambda function which I own, right? In my previous comment I'm saying that even though I added this policy (assuming I added it), the code would still be visible.
-3

Maybe late here, but I faced this same problem.

What worked for me:

  • Increased the size of the ZIP to >10MB (You can add any extra directory to the zip if code doesn't sum up to 10 MB).
  • Zipped the files and kept the index.js (for node runtime, you may use .py) in the root directory.
  • Uploaded file on S3 (direct uploading your ZIP also works).

On Saving the Function you will see the following:

ⓘ The deployment package of your Lambda function "function_name" is too large to enable inline code editing. However, you can still invoke your function right now.

Only concern is, it may add up to your S3 bills (~10 MB).

2 Comments

Artificially inflating the size of your lambda will slow down cold starts, cost you more, and people can still get your code by hitting the Download function code button.
Inflating the size of the package is not a mechanism because the code is still available for download in Actions->Export Function
