Does the SST have a recommended way to grant just one lambda permission to push to a topic? Given as the example, we are granting the entire Api construct permission to push to the topic. A workaround is to pass in the topic ARN only to that lambda's environments. But I'd like more reassurance and would like to stay in the SST garden before I use aws-cdk directly.
I'll re-post this question in the forum once I find a solution.
Of course, per rubber duck effect, we now have
But on this note, how can we connect a separately defined
and attach to it the
construct? cc @Dmitry Pavluk
@Dennis Dang I think
will do the trick. An example here
My previous issue has been solved. This doesn't quite solve my need, but it definitely is a good helper for other lambdas that face an external API. 😄 thanks
@Dennis Dang are you looking for something along these lines?
const topic = new Topic(this, "Topic")

const meFn = new sst.Function(this, "MeFunction", {
  handler: "src/me.handler",
})

// Grant only this function permission to publish to the topic
meFn.addToRolePolicy(new iam.PolicyStatement({
  actions: ["sns:Publish"],
  effect: iam.Effect.ALLOW,
  resources: [topic.snsTopic.topicArn],
}))

// Attach the function to the API route
api.addRoutes(this, { "GET /me": meFn })
We were looking for a way to define/configure a function to be deployed to Lambda but not to the API Gateway. For internal lambdas that act as the ingress or egress to SQS or pub/sub to SNS, it would be ideal to not expose them beyond the VPC and to not provide any kind of public path to them.
internal lambdas that act as ingress or egress
Do you mean a lambda subscribed to a topic or one that consumes a queue, like this?
new sst.Queue(this, "Queue", {
  consumer: "src/consumer.main"
})
Ah, so if the path is provided within Queue construct and not Function, it doesn't get attached to API Gateway?
Correct. Only the
added to
respond to API requests.
Functions defined in other constructs, i.e.
in a
will only get invoked when a message is sent to the SNS topic.
Let me know if that makes sense.
Perfect sense 👌. Thanks for clarifying