To Nha Notes | Oct. 13, 2023, 1:19 p.m.
I want to grant permissions to AWS Lambda functions in my AWS Serverless Application Model (AWS SAM) application. How do I define a Lambda execution role with scoped permissions in an AWS SAM template?
To define a Lambda execution role in an AWS SAM template, you can use the following AWS::Serverless::Function resource properties: Policies, Role, and PermissionsBoundary.
Note: The Policies and Roles properties can't be used together. Using the Role property is helpful when your execution role requires permissions that are too specific to use predefined policies.
For the Policies property, enter any combination of the following: AWS managed policies (referenced by name), AWS SAM policy templates, and inline policy documents.
Note: AWS SAM policy templates are scoped to specific AWS resources. See Policy template table for a list of policy templates and the permissions that they give to your Lambda functions.
The following are some example AWS SAM YAML templates with Policies defined:
Example AWS SAM YAML template with an AWS managed policy named AmazonDynamoDBFullAccess defined

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        # Give the Lambda service access to poll your DynamoDB Stream
        - AmazonDynamoDBFullAccess
Example AWS SAM YAML template with an AWS SAM policy template (SQSPollerPolicy) defined
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName: !GetAtt MyQueue.QueueName
Example AWS SAM YAML template with an inline policy document defined
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
                - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
                - ssm:GetParameters
                - ssm:GetParameter
              Resource: '*'
To set the maximum permissions allowed for your Lambda function's execution role, use an IAM permissions boundary.
To set an IAM permissions boundary, do the following in your AWS SAM YAML template:
Specify the Amazon Resource Name (ARN) of a permissions boundary
For the PermissionsBoundary property, enter the ARN of a permissions boundary. For example:
Properties:
  PermissionsBoundary: arn:aws:iam::123456789012:policy/LambdaBoundaries
Note: You can define PermissionsBoundary only if you're creating a new role with your AWS SAM template. You can't set a permissions boundary for an existing Role that you specify.
Specify a Lambda execution role
For the Role property, enter the ARN of an existing IAM role that the function assumes.
Note: If you don't specify a Role in your AWS SAM template, then an execution role is created when you deploy your application. This execution role includes any Policies that you define.
Example AWS SAM YAML template with the Role property defined
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Role: arn:aws:iam::111111111111:role/SAMPolicy
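As an added pre-deploy check that is not part of the original article or of AWS SAM itself, the following Python script applies the two notes above (Policies and Role cannot be combined; PermissionsBoundary only applies to a role that SAM creates) and flags inline Allow statements on Resource '*' so they can be scoped. The template dict, logical IDs and account numbers are constructed for the example.

```python
# Pre-deploy lint for the permission properties of AWS::Serverless::Function.
# Input is the template already parsed into a dict (what a tag-aware YAML
# loader returns); a constructed sample template is defined below.

def _inline_statements(entry):
    """Statements of an inline policy document listed under Policies."""
    if isinstance(entry, dict) and "Statement" in entry:
        stmts = entry["Statement"]
        return stmts if isinstance(stmts, list) else [stmts]
    return []  # managed policy name or SAM policy template: nothing to inspect

def lint_function(logical_id, props):
    """Apply the article's rules to one function's Properties block."""
    findings = []
    if "Role" in props and "Policies" in props:
        findings.append(f"{logical_id}: Policies and Role cannot be used together")
    if "Role" in props and "PermissionsBoundary" in props:
        findings.append(f"{logical_id}: PermissionsBoundary only applies to a role "
                        "SAM creates; it is ignored when an existing Role is set")
    policies = props.get("Policies", [])
    for entry in policies if isinstance(policies, list) else [policies]:
        for stmt in _inline_statements(entry):
            res = stmt.get("Resource", [])
            res = res if isinstance(res, list) else [res]
            if stmt.get("Effect") == "Allow" and "*" in res:
                findings.append(f"{logical_id}: {stmt.get('Sid', '<no Sid>')} allows "
                                f"{stmt.get('Action')} on Resource '*'; scope it to ARNs")
    return findings

def lint_template(template):
    """Lint every AWS::Serverless::Function resource in the template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Serverless::Function":
            findings.extend(lint_function(logical_id, res.get("Properties", {})))
    return findings

# Constructed sample: one function mirroring the article's inline SSM policy, and
# one that wrongly combines Role with both Policies and PermissionsBoundary.
SAMPLE_TEMPLATE = {"Resources": {
    "ParamReader": {"Type": "AWS::Serverless::Function", "Properties": {
        "Policies": [{"Statement": [{"Sid": "SSMGetParameterPolicy", "Effect": "Allow",
                                     "Action": ["ssm:GetParameter"], "Resource": "*"}]}]}},
    "Legacy": {"Type": "AWS::Serverless::Function", "Properties": {
        "Role": "arn:aws:iam::111111111111:role/SAMPolicy",
        "Policies": ["AmazonDynamoDBFullAccess"],
        "PermissionsBoundary": "arn:aws:iam::111111111111:policy/LambdaBoundaries"}},
}}
```

Some actions such as ssm:DescribeParameters only support Resource '*', so treat a flagged statement as a prompt to review rather than an automatic failure.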
1. In the AWS SAM command line interface (AWS SAM CLI), run the sam build command to build and package your application.
Note: If you receive errors when running the AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.
2. Run the sam deploy command to deploy your AWS SAM application package.
For more information, see Building applications and Deploying serverless applications.
AWS Serverless Application Model (AWS SAM) (AWS SAM GitHub repo)
Policy templates (AWS SAM GitHub repo)
Managed policies and inline policies
Validating AWS SAM template files
https://repost.aws/knowledge-center/lambda-sam-template-permissions