AMAZON and serverless (3): IAM - Managing Permissions with Serverless
IAM - AWS Identity and Access Management
Basic IAM Concepts
Users, roles, permissions
IAM User
A user name and password (console sign-in) or an access key ID and secret access key (API and CLI) identify a user to AWS so that it can access the resources its permissions allow.
IAM role
IAM roles can be assigned to an IAM user who needs them.
IAM roles can also be assumed by another AWS service, such as an EC2 instance or a Lambda function.
IAM Permission
A permission (a policy statement) contains three elements: Effect, Action, Resource.
Effect - Allow or Deny
Action - written as serviceName:Action, e.g. s3:GetObject, or with a wildcard such as ec2:* for every action of a service
Resource - the ARN of the resource the statement applies to
Sample Policy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:DeleteItem"
    ],
    "Resource": "arn:aws:dynamodb:us-west-1:111111111:table/my-new-table"
  }
}
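The three elements above are all a reviewer needs to judge how broad a statement is. The following added example (written for this post, not code from the post or from the Serverless Framework) walks an IAM policy document, normalizes the places where IAM accepts either a single string or a list (Statement, Action, Resource), and reports Allow statements that use wildcard actions such as ec2:* or a wildcard Resource. The sample policy is the post's DynamoDB policy with one deliberately over-broad statement appended so the checker has something to flag; the second statement is constructed, not from the post.

```python
"""Added example: flag over-broad Allow statements in an IAM policy.

Not code from the original post. Only Effect, Action and Resource are
inspected; Condition keys are ignored.
"""
import json

# Constructed sample: the post's DynamoDB policy plus an over-broad
# second statement added here so that the checker reports something.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
                 "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
      "Resource": "arn:aws:dynamodb:us-west-1:111111111:table/my-new-table"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    """Yield (effect, actions, resources) for every statement in the policy."""
    for stmt in _as_list(policy.get("Statement")):
        yield (stmt.get("Effect"),
               _as_list(stmt.get("Action")),
               _as_list(stmt.get("Resource")))


def find_broad_grants(policy):
    """Return human-readable findings for Allow statements that use a wildcard
    in Action ("*" or "service:*") or in Resource ("*"). Deny statements are
    never reported: a broad Deny narrows access rather than widening it."""
    findings = []
    for idx, (effect, actions, resources) in enumerate(statements(policy)):
        if effect != "Allow":
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource '*'")
    return findings


def actions_by_service(policy):
    """Group allowed actions by their service prefix ('dynamodb', 'ec2', ...),
    which gives a quick picture of what a role can touch."""
    grouped = {}
    for effect, actions, _ in statements(policy):
        if effect != "Allow":
            continue
        for action in actions:
            service = action.split(":", 1)[0] if ":" in action else "*"
            grouped.setdefault(service, set()).add(action)
    return grouped


if __name__ == "__main__":
    for finding in find_broad_grants(SAMPLE_POLICY):
        print(finding)
    for service, acts in sorted(actions_by_service(SAMPLE_POLICY).items()):
        print(service, sorted(acts))
```

Run against the sample, the first statement (the post's table-scoped policy) produces no finding, while the constructed ec2:* statement is reported twice: once for the action wildcard and once for the resource wildcard.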
IAM entities with the Serverless Framework
The IAM user uses the Framework to deploy the Serverless service.
The IAM role is used by a Lambda function when it is executed.
For deployment with Serverless, your user needs permissions to:
1 Create an S3 bucket for your function deployments
2 Upload your function zip files to that S3 bucket
3 Submit a CloudFormation template
4 Create the log groups for your Lambda functions
5 Create a REST API in API Gateway
6 Create a DynamoDB table (needed in this case; other Lambda functions may need other resources instead)
I am an admin user in my company, so I just skip this part.
For Lambda Functions
In serverless.yml, we can add these permissions directly under provider:
provider:
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
      Resource: "arn:aws:dynamodb:us-west-2:111111xxxx:table/my-new-table"
Fn::GetAtt can get the ARN of a table defined in the same serverless.yml:
resources:
  Resources:
    MyDynamoTable:
      # table definition omitted here
provider:
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
      Resource:
        Fn::GetAtt:
          - MyDynamoTable
          - Arn
Or, in a full serverless.yml:
service:
  name: meeting-services
plugins:
  - serverless-webpack
custom:
  name: ${self:service.name}     # not in the original; the topic names below reference custom.name
  region: ${opt:region, 'us-west-1'}
  stage: ${opt:stage, 'int'}
  lambdaTimeout: 6               # assumed; not defined in the original (6 seconds is the Lambda default)
  meetingsDbName: my-new-table   # assumed; not defined in the original
  acknowledgeTopic: ${self:custom.name}-acknowledge
  crudTopic: ${self:custom.name}-crud
provider:
  name: aws
  runtime: nodejs6.10
  region: ${self:custom.region}
  timeout: ${self:custom.lambdaTimeout} # The default is 6 seconds. Note: API Gateway current maximum is 30 seconds
  environment:
    DYNAMODB_TABLE: ${self:custom.meetingsDbName}
    LAMBDA_TIMEOUT: ${self:custom.lambdaTimeout}
    MEETINGS_ACKNOLEDGE_SNS: { "Fn::Join" : ["", ["arn:aws:sns:${self:custom.region}:", { "Ref" : "AWS::AccountId" }, ":${self:custom.acknowledgeTopic}" ] ] }
    MEETINGS_CURD_SNS: { "Fn::Join" : ["", ["arn:aws:sns:${self:custom.region}:", { "Ref" : "AWS::AccountId" }, ":${self:custom.crudTopic}" ] ] }
  iamRoleStatements:
    - Effect: Allow
      Action:
        - sns:Publish
      Resource: ${self:provider.environment.MEETINGS_CURD_SNS}
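The Resource of that sns:Publish statement is only as tight as the variables it is built from: ${opt:...} falls back to its default when the option is not supplied, and a misspelled option name (for example reqion instead of region) is silently taken as "not supplied", so the ARN would point at the default region no matter what was passed on the command line. The following added example (written for this post; not the Serverless Framework's own variable resolver) implements the small subset of variable syntax used above, ${opt:key, 'default'} and ${self:a.b.c}, renders the Fn::Join with a Ref to AWS::AccountId, and returns the final ARN together with a warning for every option that fell back to its default. The configuration is embedded as a plain dict rather than loaded from YAML so the example needs no third-party package; the custom.name entry and the 12-digit account ID are constructed values, not from the post.

```python
"""Added example: resolve serverless.yml variables and render the SNS ARN.

Not the framework's own resolver: only ${opt:...}, ${self:...},
Fn::Join and Ref AWS::AccountId are supported, which is all the
configuration above uses.
"""
import re

# ${opt:key, 'default'} or ${self:dotted.path}
VAR = re.compile(r"\$\{(opt|self):([^,}]+?)(?:,\s*'([^']*)')?\}")

# Constructed: the relevant part of the post's serverless.yml as a dict.
# custom.name is assumed (the post references it without defining it), and
# opt:reqion reproduces the misspelled-option failure mode on purpose.
CONFIG = {
    "service": {"name": "meeting-services"},
    "custom": {
        "name": "${self:service.name}",
        "region": "${opt:reqion, 'us-west-1'}",
        "stage": "${opt:stage, 'int'}",
        "crudTopic": "${self:custom.name}-crud",
    },
    "provider": {
        "region": "${self:custom.region}",
        "environment": {
            "MEETINGS_CURD_SNS": {"Fn::Join": ["", [
                "arn:aws:sns:${self:custom.region}:",
                {"Ref": "AWS::AccountId"},
                ":${self:custom.crudTopic}"]]},
        },
    },
}


def lookup(config, dotted):
    """Follow a dotted path such as custom.region through nested dicts."""
    node = config
    for part in dotted.split("."):
        node = node[part]
    return node


def resolve(value, config, opts, warnings):
    """Recursively substitute ${opt:...} and ${self:...} inside value.
    Unsupplied options use their default and are recorded in warnings."""
    if isinstance(value, dict):
        return {k: resolve(v, config, opts, warnings) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, config, opts, warnings) for v in value]
    if not isinstance(value, str):
        return value

    def repl(match):
        source, key, default = match.group(1), match.group(2).strip(), match.group(3)
        if source == "opt":
            if key in opts:
                return opts[key]
            warnings.append(f"opt:{key} not supplied; using default {default!r}")
            return default if default is not None else ""
        # self: references may themselves contain variables, so resolve them too
        return str(resolve(lookup(config, key), config, opts, warnings))

    return VAR.sub(repl, value)


def render(node, account_id):
    """Evaluate Fn::Join and Ref AWS::AccountId in an already-resolved node."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and "Ref" in node:
        if node["Ref"] == "AWS::AccountId":
            return account_id
        raise ValueError(f"unsupported Ref {node['Ref']!r}")
    if isinstance(node, dict) and "Fn::Join" in node:
        delimiter, parts = node["Fn::Join"]
        return delimiter.join(render(p, account_id) for p in parts)
    raise ValueError(f"unsupported node {node!r}")


def sns_resource_arn(config, opts, account_id):
    """Return (arn, warnings) for provider.environment.MEETINGS_CURD_SNS,
    i.e. the Resource the sns:Publish statement ends up granting."""
    warnings = []
    env_value = config["provider"]["environment"]["MEETINGS_CURD_SNS"]
    resolved = resolve(env_value, config, opts, warnings)
    return render(resolved, account_id), list(dict.fromkeys(warnings))


if __name__ == "__main__":
    # Constructed account ID; --region us-west-2 is ignored because the
    # config reads opt:reqion, so the ARN lands in the default region.
    arn, warns = sns_resource_arn(CONFIG, {"stage": "int", "region": "us-west-2"}, "123456789012")
    print(arn)
    for w in warns:
        print("warning:", w)
```

Printing the resolved ARN next to the warnings before running sls deploy makes the mismatch visible: the command-line region was never read, and the role would be allowed to publish to a topic in us-west-1 only.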
In the IAM console you can search for the role the Framework generated for the functions; its name follows the pattern meeting-name-stage-us-west-1-lambdaRole.
We can deploy like this:
> sls deploy --stage int
On the Lambda function page in the AWS console, the function's resource summary shows Amazon CloudWatch Logs, which the Framework grants by default, and, because of the sns:Publish statement above, Amazon SNS.