# via Managed Policy

To grant Lambda necessary permissions to dig into a VPC where a production RDS db resides in a private subnet.

As mentioned by @portatlas above, the `AWSLambdaVPCAccessExecutionRole` managed policy fits like a glove (and we all know use of IAM Managed Policies is an AWS-recommended best-practice).

This is for Lambdas with a service role already attached.

## AWS CLI

### 1. Get Lambda Service Role

Ask Lambda API for function configuration, query the role from that, output to text for an unquoted return.

```bash
aws lambda get-function-configuration \
    --function-name <> \
    --query Role \
    --output text
```

return, take `your-service-role-name` to #2

```
your-service-role-name
```

### 2. Attach Managed Policy AWSLambdaVPCAccessExecutionRole to Service Role

```bash
aws iam attach-role-policy \
    --role-name your-service-role-name \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
```
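
Added example, not part of the original answer: a script that chains the two steps above and then confirms the attachment. The `Role` field of a function configuration is a role ARN while `attach-role-policy` expects the bare role name, so the script derives the name first. The function names and the sample ARN are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: chains steps 1 and 2. Function names here are hypothetical.

POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"

# Step 1 returns a role ARN, e.g. (constructed sample)
#   arn:aws:iam::123456789012:role/service-role/my-fn-role
# Step 2 wants only the role name: the text after the last "/",
# which also drops any IAM path such as "service-role/".
role_name_from_arn() {
  case "$1" in
    arn:*:iam::*:role/?*) printf '%s\n' "${1##*/}" ;;
    *) echo "not an IAM role ARN: $1" >&2; return 1 ;;
  esac
}

attach_vpc_access() {
  fn="$1"

  # Step 1: read the function's execution role (ARN form).
  arn=$(aws lambda get-function-configuration \
          --function-name "$fn" --query Role --output text) || return 1
  role=$(role_name_from_arn "$arn") || return 1

  # Step 2: attach the managed policy to that role.
  aws iam attach-role-policy \
      --role-name "$role" --policy-arn "$POLICY_ARN" || return 1

  # Confirm the policy now shows up on the role.
  attached=$(aws iam list-attached-role-policies --role-name "$role" \
      --query "AttachedPolicies[?PolicyArn=='${POLICY_ARN}'].PolicyName" \
      --output text) || return 1
  if [ -z "$attached" ]; then
    echo "policy not found on role $role after attach" >&2
    return 1
  fi
  echo "attached $attached to $role"
}

# Runs only when a function name is given: ./script.sh my-function
if [ "$#" -gt 0 ]; then attach_vpc_access "$1"; fi
```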