Update Lambda environment variables without redeploying code, deploy code changes with update-function-code, and publish an immutable function version — all from the CLI.
Lesson 403 uses the same devops-lambda-role execution role from Lessons 401 and 402. If you completed either lesson without cleaning up the role, skip the creation commands below and retrieve the ARN directly using the tip. If the role was deleted, run all commands to create it from scratch.
cat > lambda-trust.json << 'POLICY'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "lambda.amazonaws.com" },
"Action": "sts:AssumeRole"
}
]
}
POLICYROLE_ARN=$(aws iam create-role \
--role-name devops-lambda-role \
--assume-role-policy-document file://lambda-trust.json \
--query Role.Arn \
--output text)aws iam attach-role-policy \
--role-name devops-lambda-role \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRoleecho "Role ARN: $ROLE_ARN"The trust policy declares lambda.amazonaws.com as the trusted service, allowing Lambda to call sts:AssumeRole and obtain temporary credentials for running your function.
AWSLambdaBasicExecutionRole is the minimum managed policy required by all Lambda functions — it grants the CloudWatch Logs permissions to create log groups, create log streams, and write log events.
ROLE_ARN is captured from the create-role output and used in step 3.
echo prints the role ARN:
Role ARN: arn:aws:iam::123456789012:role/devops-lambda-role
If you see EntityAlreadyExists: Role with name devops-lambda-role already exists, the role is still present from a previous lesson.
Retrieve the ARN and continue: ROLE_ARN=$(aws iam get-role --role-name devops-lambda-role --query Role.Arn --output text) && echo $ROLE_ARN