Serverless Framework: Minimal IAM role Permissions
Serverless framework Tutorials get you started by using a powerful AWS admin user, now you are wondering how to narrow down permissions and making your environment more secure.
After a bit of reading on Serverless’ issue [1] and bashing my head around, this post explains how to chunk permissions into roles, and provide templates withthe minimal needed policies.
The guide below will assume you are working in a “simple project” using:
- AWS Lambda,
- Api Gateway
- SNS
This simple structure can easily be expanded if your project uses other services.
Permissions, Roles and Policies
You need at least three IAM roles:
- Deployment role
- Cloudformation role
- Lambda role
In case your project uses other services you might consider adding more permissions to the `cloudformation role` and to `lambda role`.
Lambda Role
This Role is assumed by your lambda function. Permissions inside are inherently related to the service you are building.
For example, your lambda function queries DynamoDB? then permissions to DynamoDB are required here.
As far as this post goes, I will ignore any further details regarding this role.
Please be aware that depending on what you are doing, you might want to have different roles for each of your lambda functions.
Deployment Role
This role is meant to be assumed when deploying your project.
In other words, before running `sls deploy` you are supposed to assume this role.
Cloudformation Role
This role will be automagically passed by Serverless Framework to `cloudformation.amazon.com` to create the needed resources.
Adding new AWS resources in your `serverless.yml` would probably imply adding some permissions in this role.
Templates
Templates below should allow you to build a Serverless app that has:
- Api Gateways
- Lambda functions
- SNS
Be aware that Serverless framework creates resources with the naming convention:
<SERVICE>-<STAGE>
so if your `serverless.yml` looks like:
your AWS resources will be named as : `sampleproject-stg….`.
Also be aware that templates below assume project is named`sampleproject` for its `stg` environment, make sure to replace those according to your project name.
Serverless.yml
Your `serverless.yml` must specify the parameter: `cfnRole`.
`cfnRole` is the role that Serverless framework will pass in order to run Cloudformation.
Deployment Role’s Policy
Cloudformation Role’s Policy
make sure this role has a trust relationship with cloudformation.
Permissions needed to create resources
There are still some wildcard permissions, but it is a step forward from having all mighty powerful admin role.
If you enjoyed this article please give it a ❤ recommend or share on twitter.
