Serverless Framework: Minimal IAM role Permissions

David Przybilla
2 min read · May 11, 2018


Serverless Framework tutorials get you started with a powerful AWS admin user; now you are wondering how to narrow down the permissions and make your environment more secure.

After a bit of reading of the Serverless issue [1] and bashing my head against it, this post explains how to split the permissions into roles and provides templates with the minimal policies needed.

The guide below will assume you are working in a “simple project” using:

  • AWS Lambda
  • API Gateway
  • SNS

This simple structure can easily be expanded if your project uses other services.

Permissions, Roles and Policies

You need at least three IAM roles:

  • Deployment role
  • Cloudformation role
  • Lambda role

If your project uses other services, you will probably need to add permissions to the `cloudformation role` and to the `lambda role`.

Lambda Role

This role is assumed by your Lambda function. Its permissions depend entirely on the service you are building.

For example, does your Lambda function query DynamoDB? Then permissions for DynamoDB are required here.

As far as this post goes, I will ignore any further details regarding this role.

Be aware that, depending on what you are doing, you may want a separate role for each of your Lambda functions.

Deployment Role

This role is meant to be assumed when deploying your project.

In other words, before running `sls deploy` you are supposed to assume this role.

Cloudformation Role

This role will be automagically passed by Serverless Framework to `cloudformation.amazon.com` to create the needed resources.

Adding new AWS resources to your `serverless.yml` will probably require adding permissions to this role.
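The three roles above differ first of all in who is allowed to assume them: a deploying principal for the deployment role, the CloudFormation service for the CloudFormation role, and the Lambda service for the Lambda role. The following is an added example (not one of the author's gists) that builds the three trust policies and reviews them for over-broad principals. The account id, the `ci-deployer` IAM user and the role names are placeholders; the `<SERVICE>-<STAGE>` prefix follows the post's naming convention.

```python
"""Trust policies for the deployment, CloudFormation and Lambda roles.
Constructed example: account id, deployer principal and role names are placeholders."""
import json

ACCOUNT_ID = "123456789012"                   # placeholder account id (assumption)
SERVICE, STAGE = "sampleproject", "stg"       # <SERVICE>-<STAGE> naming from the post
# Assumed principal that runs `sls deploy`; in practice a CI user or a federated role.
DEPLOYER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/ci-deployer"


def trust_policy(principal_key: str, principal: str) -> dict:
    """Return an IAM trust policy that lets exactly one principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {principal_key: principal},
            "Action": "sts:AssumeRole",
        }],
    }


def role_trust_policies() -> dict:
    """One trust policy per role: the deployer assumes the deployment role,
    the CloudFormation service assumes the CloudFormation role, and the
    Lambda service assumes the function role."""
    return {
        f"{SERVICE}-{STAGE}-deployment-role": trust_policy("AWS", DEPLOYER_ARN),
        f"{SERVICE}-{STAGE}-cloudformation-role": trust_policy(
            "Service", "cloudformation.amazonaws.com"),
        f"{SERVICE}-{STAGE}-lambda-role": trust_policy("Service", "lambda.amazonaws.com"),
    }


def trusted_principals(policy: dict) -> set:
    """Collect every principal that an Allow sts:AssumeRole statement trusts."""
    found = set()
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = st["Principal"]
        if principal == "*":            # anonymous trust: anyone may assume the role
            found.add("*")
            continue
        for value in principal.values():
            found.update(value if isinstance(value, list) else [value])
    return found


def review_trust(policies: dict) -> list:
    """Names of roles whose trust policy is over-broad: more than one
    principal, or a wildcard principal. A clean setup returns []."""
    bad = []
    for name, policy in policies.items():
        principals = trusted_principals(policy)
        if len(principals) != 1 or "*" in principals:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for name, policy in role_trust_policies().items():
        print(name)
        print(json.dumps(policy, indent=2))
    print("over-broad roles:", review_trust(role_trust_policies()))
```

Each generated document can be passed as the `--assume-role-policy-document` of `aws iam create-role`; the review step is the check to run whenever someone edits a trust policy, because a `"Principal": {"AWS": "*"}` quietly turns a scoped role into a public one.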

Templates

Templates below should allow you to build a Serverless app that has:

  • API Gateways
  • Lambda functions
  • SNS

Be aware that the Serverless Framework creates resources with the naming convention:

<SERVICE>-<STAGE>

so if your `serverless.yml` looks like:

your AWS resources will be named `sampleproject-stg….`.

Also be aware that the templates below assume the project is named `sampleproject` and the environment `stg`; make sure to replace those according to your project.

Serverless.yml

Your `serverless.yml` must specify the parameter: `cfnRole`.

`cfnRole` is the role that the Serverless Framework passes to CloudFormation in order to run the stack.

Deployment Role’s Policy

Cloudformation Role’s Policy

Make sure this role has a trust relationship with CloudFormation.

Permissions needed to create resources

There are still some wildcard permissions, but it is a step forward from using an all-mighty admin role.
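To make the two previous points concrete (the `cfnRole` setting in `serverless.yml`, and the wildcards that remain in the CloudFormation role's policy), here is an added example that is not one of the author's templates. It builds a permission policy for the CloudFormation role scoped to `<SERVICE>-<STAGE>` resources for Lambda, SNS and CloudWatch Logs, leaves API Gateway wide because REST API ids only exist after creation, and then lists every wildcard left in the policy. It also extracts `cfnRole` from a constructed `serverless.yml` excerpt with a plain regex so no YAML library is needed. Account id, region and the role names are placeholders; the deployment bucket and any other services would need their own statements.

```python
"""Scoped permission policy for the CloudFormation role plus two review helpers.
Constructed example: account id, region and role names are placeholders."""
import json
import re

ACCOUNT_ID, REGION = "123456789012", "ap-northeast-1"   # placeholders (assumption)
SERVICE, STAGE = "sampleproject", "stg"
PREFIX = f"{SERVICE}-{STAGE}"                           # Serverless naming convention

# Constructed serverless.yml excerpt; cfnRole is the role Serverless hands to CloudFormation.
SERVERLESS_YML = f"""\
service: {SERVICE}
provider:
  name: aws
  runtime: python3.6
  stage: {STAGE}
  region: {REGION}
  cfnRole: arn:aws:iam::{ACCOUNT_ID}:role/{PREFIX}-cloudformation-role
"""


def cfn_role_from_yml(text: str) -> str:
    """Pull the cfnRole ARN out of serverless.yml and check it is a role ARN."""
    m = re.search(r"^\s*cfnRole:\s*(\S+)", text, re.M)
    if not m or not re.fullmatch(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+", m.group(1)):
        raise ValueError("serverless.yml must set provider.cfnRole to an IAM role ARN")
    return m.group(1)


def cfn_role_policy() -> dict:
    """Permissions CloudFormation needs for a Lambda + API Gateway + SNS stack,
    scoped to <SERVICE>-<STAGE> resources wherever the ARN is known up front."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Stack", "Effect": "Allow", "Action": ["cloudformation:*"],
             "Resource": f"arn:aws:cloudformation:{REGION}:{ACCOUNT_ID}:stack/{PREFIX}/*"},
            {"Sid": "Functions", "Effect": "Allow", "Action": ["lambda:*"],
             "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:{PREFIX}-*"},
            # CloudFormation may only hand the Lambda role (not any role) to functions.
            {"Sid": "PassLambdaRole", "Effect": "Allow", "Action": ["iam:PassRole"],
             "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{PREFIX}-lambda-role"},
            {"Sid": "Topics", "Effect": "Allow", "Action": ["sns:*"],
             "Resource": f"arn:aws:sns:{REGION}:{ACCOUNT_ID}:{PREFIX}-*"},
            {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:*"],
             "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{PREFIX}-*"},
            # REST API ids are assigned at creation, so this one stays wide:
            # it is one of the wildcards the post mentions.
            {"Sid": "ApiGateway", "Effect": "Allow", "Action": ["apigateway:*"],
             "Resource": f"arn:aws:apigateway:{REGION}::/restapis*"},
        ],
    }


def find_wildcards(policy: dict) -> list:
    """(Sid, field, value) for every Allow statement that uses a bare '*'
    action or resource, or a service-wide 'svc:*' action. These are the
    places to tighten next."""
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = st.get(field, [])
            values = values if isinstance(values, list) else [values]
            for v in values:
                if v == "*" or (field == "Action" and v.endswith(":*")):
                    hits.append((st.get("Sid", "?"), field, v))
    return hits


if __name__ == "__main__":
    print("cfnRole:", cfn_role_from_yml(SERVERLESS_YML))
    print(json.dumps(cfn_role_policy(), indent=2))
    for sid, field, value in find_wildcards(cfn_role_policy()):
        print(f"wildcard left in {sid}.{field}: {value}")
```

Running it shows that no statement grants a bare `*` resource, but five statements still use service-wide `svc:*` actions; replacing each with the concrete `Create*`/`Update*`/`Delete*` actions that your stack actually performs is the natural next step after this post's templates.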

If you enjoyed this article, please give it a ❤ recommend or share it on Twitter.


David Przybilla

Software Engineer: Backend, Data and Infra 🗼🇯🇵 @dav009