Serverless Framework tutorials get you started with a powerful AWS admin user; now you are wondering how to narrow down permissions and make your environment more secure.
After a bit of reading through Serverless' issues and bashing my head around, this post explains how to split permissions into roles and provides templates with the minimal policies needed.
The guide below will assume you are working in a “simple project” using:
- AWS Lambda
- API Gateway
This simple structure can easily be expanded if your project uses other services.
Permissions, Roles and Policies
You need at least three IAM roles:
- Deployment role
- Cloudformation role
- Lambda role
If your project uses other services, you might consider adding more permissions to the `cloudformation role` and to the `lambda role`.
Lambda Role
This role is assumed by your Lambda function. The permissions inside it are inherently tied to the service you are building.
For example, if your Lambda function queries DynamoDB, then the DynamoDB permissions are required here.
As far as this post goes, I will ignore any further details regarding this role.
Be aware that, depending on what you are doing, you might want a different role for each of your Lambda functions.
Deployment Role
This role is meant to be assumed when deploying your project.
In other words, before running `sls deploy` you are supposed to assume this role.
Cloudformation Role
This role will be automagically passed by Serverless Framework to `cloudformation.amazonaws.com` to create the needed resources.
Adding new AWS resources in your `serverless.yml` will probably mean adding permissions to this role.
Templates below should allow you to build a Serverless app that has:
- API Gateways
- Lambda functions
Be aware that Serverless framework creates resources with the naming convention:
so if your `serverless.yml` looks like:
your AWS resources will be named `sampleproject-stg….`.
Also be aware that the templates below assume the project is named `sampleproject` and the stage is `stg`; make sure to replace those with your own project name and stage.
Your `serverless.yml` must specify the parameter: `cfnRole`.
`cfnRole` is the role that Serverless framework will pass in order to run Cloudformation.
Deployment Role’s Policy
Cloudformation Role’s Policy
Make sure this role has a trust relationship with Cloudformation.
Permissions needed to create resources
There are still some wildcard permissions, but it is a step forward from using an all-mighty admin role.
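As an added example (my own code, not the post's templates), the following Python builds the Cloudformation role's trust policy and a deployment-role policy scoped to the `sampleproject-stg` naming convention, then flags any statement that still grants a wildcard resource. The action set, the deployment-bucket name pattern, the account id, the region and the `cfnRole` ARN are assumptions, not values from the post.

```python
import json

def name_prefix(service, stage):
    # Serverless names the stack, functions and log groups "<service>-<stage>..."
    return f"{service}-{stage}"

def cloudformation_trust_policy():
    # The Cloudformation role must trust the CloudFormation service principal
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "cloudformation.amazonaws.com"}}]}

def deployment_role_policy(service, stage, account, region, cfn_role_arn):
    """Policy for the role assumed before `sls deploy` (assumed permission set)."""
    p = name_prefix(service, stage)
    stack = f"arn:aws:cloudformation:{region}:{account}:stack/{p}/*"
    # Assumed deployment-bucket naming; adjust to the bucket your stack creates
    bucket = f"arn:aws:s3:::{p}-serverlessdeploymentbuck*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Stack", "Effect": "Allow", "Resource": stack, "Action": [
            "cloudformation:CreateStack", "cloudformation:UpdateStack",
            "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource",
            "cloudformation:ListStackResources"]},
        # ValidateTemplate has no resource-level scoping, so '*' is unavoidable here
        {"Sid": "Validate", "Effect": "Allow", "Resource": "*",
         "Action": "cloudformation:ValidateTemplate"},
        {"Sid": "Artifacts", "Effect": "Allow", "Resource": [bucket, bucket + "/*"],
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]},
        # PassRole only for the cfnRole, and only when passing it to CloudFormation
        {"Sid": "PassCfnRole", "Effect": "Allow", "Resource": cfn_role_arn,
         "Action": "iam:PassRole", "Condition": {"StringEquals": {
             "iam:PassedToService": "cloudformation.amazonaws.com"}}}]}

def wildcard_statements(policy):
    """Sids of Allow statements whose Resource is an unscoped '*' (review these)."""
    flagged = []
    for st in policy["Statement"]:
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st["Effect"] == "Allow" and "*" in res:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged

if __name__ == "__main__":
    pol = deployment_role_policy("sampleproject", "stg", "123456789012", "eu-west-1",
                                 "arn:aws:iam::123456789012:role/sampleproject-stg-cfnRole")
    print(json.dumps(pol, indent=2))
    print("wildcard resources in:", wildcard_statements(pol))
```

Run it again after every change to `serverless.yml`; any new Sid showing up in the wildcard list is a permission that should be scoped to the `sampleproject-stg` prefix.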