Does the SST have a recommended way to grant just ...
# sst
d
Does the SST have a recommended way to grant just one lambda permission to push to a topic? Given https://serverless-stack.com/examples/how-to-use-pub-sub-in-your-serverless-app.html as the example, we are granting the entire Api construct permission to push to the topic. A workaround is to pass in the topic arn only to that lambda's environments. But I'd like more reassurance and would like to stay in the SST garden before I use aws-cdk directly.
I'll re-post this question in the forum once I find a solution.
Of course, per rubber duck effect, we now have https://docs.serverless-stack.com/constructs/Function#attachpermissions.
But on this note, how can we connect a separately defined `Function` and attach to it the `Api` construct? cc @Dmitry Pavluk
f
@Dennis Dang I think `attachPermissionsToRoute` will do the trick. An example here https://docs.serverless-stack.com/constructs/Api#for-a-specific-route
d
My previous issue has been solved. This doesn't quite solve my need, but it definitely is a good helper for other lambdas that face an external API. 😄 thanks
m
@Dennis Dang are you looking for something along these lines?
```js
// Assumes this runs inside an SST stack (`this` is the stack) and `api` is an
// existing sst.Api; import paths depend on the SST/CDK version in use.
import * as sst from "@serverless-stack/resources";
import * as iam from "@aws-cdk/aws-iam";

const topic = new sst.Topic(this, "Topic");

// A function defined on its own, not as part of the Api construct
const meFn = new sst.Function(this, "MeFunction", {
  handler: "src/me.handler",
});

// Grant only this function's role permission to publish to the topic,
// scoped to the topic's ARN rather than to all of SNS
meFn.addToRolePolicy(new iam.PolicyStatement({
  actions: ["sns:Publish"],
  effect: iam.Effect.ALLOW,
  resources: [topic.snsTopic.topicArn],
}));

// Attach the pre-defined function to a route on the existing Api
api.addRoute(this, "GET /me", meFn);
```
d
We were looking for a way to define/configure a function to be deployed to Lambda but not to the API Gateway. For internal lambdas that act as the ingress or egress to SQS or pub/sub to SNS, it would be ideal to not expose them beyond the VPC and to not provide any kind of public path to them.
f
> internal lambdas that act as ingress or egress

do you mean a lambda subscribed to a topic or one that consumes a queue, like this?
```js
// The consumer is attached to the queue, not to an Api route
new sst.Queue(this, "Queue", {
  consumer: "src/consumer.main",
});
```
d
Ah, so if the path is provided within Queue construct and not Function, it doesn't get attached to API Gateway?
f
Correct. Only the `routes` added to `sst.Api` respond to API requests.
Functions defined in other constructs, i.e. `subscribers` in a `sst.Topic`, will only get invoked when a message is sent to the SNS topic.
Let me know if that makes sense.
d
Perfect sense 👌. Thanks for clarifying