The AWS Lambda function that Tonic Structural sets up requires an AWS role. The name of this role is set by the following environment setting:
TONIC_LAMBDA_ROLE

The policy for this role should look like this:

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:ListBucket",
          "sqs:ReceiveMessage",
          "sqs:GetQueueAttributes",
          "sqs:GetQueueUrl",
          "sqs:SendMessage",
          "sqs:DeleteMessage",
          "logs:CreateLogGroup",
          "logs:PutLogEvents",
          "logs:CreateLogStream"
        ],
        "Resource": [
          "arn:aws:sqs:*:<aws account id>:tonic-*",
          "arn:aws:s3:::tonic-*",
          "arn:aws:logs:*:*:*"
        ]
      }]
    }

The above policy grants the Lambda function the required access to Amazon SQS, Amazon S3, and CloudWatch.

This policy assumes that the S3 buckets and Amazon SQS queues that are used begin with the tonic- prefix.

After you create the role, you must allow the Lambda service to assume the role.

For the role, the Trust relationships in the AWS IAM role should look like the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
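The tonic- prefix assumption and the trust relationship can be checked offline before the role is created. The following Python sketch is an added example, not Tonic's code: it lists which of the resources you plan to use fall outside the policy, and which principals the trust relationship admits. The account ID, bucket and queue names are constructed placeholders, and the matcher is a simplification that evaluates Allow statements only (no Deny, Condition, NotAction or NotResource).

```python
import re

ACCOUNT_ID = "111122223333"  # constructed placeholder for <aws account id>
# The role policy and trust relationship from this page, as Python dicts.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
               "sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl",
               "sqs:SendMessage", "sqs:DeleteMessage",
               "logs:CreateLogGroup", "logs:PutLogEvents", "logs:CreateLogStream"],
    "Resource": [f"arn:aws:sqs:*:{ACCOUNT_ID}:tonic-*", "arn:aws:s3:::tonic-*",
                 "arn:aws:logs:*:*:*"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, text):
    """Simplified IAM wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None

def is_allowed(policy, action, arn):
    """True if an Allow statement covers the action (case-insensitive) and the ARN."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
        if action_ok and any(_matches(r, arn) for r in _as_list(stmt["Resource"])):
            return True
    return False

def uncovered(policy, needs):
    """Return the (action, arn) pairs from `needs` that the policy does not allow."""
    return [(action, arn) for action, arn in needs if not is_allowed(policy, action, arn)]

def trusted_principals(trust):
    """Collect every principal allowed to call sts:AssumeRole on the role."""
    found = set()
    for stmt in _as_list(trust["Statement"]):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            principal = stmt["Principal"]
            values = [principal] if isinstance(principal, str) else principal.values()
            for value in values:
                found.update(_as_list(value))
    return found
```

Anything that `uncovered` returns is a bucket or queue that needs either a tonic- name or its own Resource entry, and `trusted_principals` should return only lambda.amazonaws.com.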