Clayton
11/08/2021, 8:51 PM
events.amazonaws.com) and then add/manage Policy Statement(s) on these?
• if so, in SST does `.attachPermissions` automatically create the necessary Roles/Principal assignments in the background when you reference a permitted construct or explicitly add a Policy Statement?
• on the SST Function construct it looks like there’s another method of `.addPermission` – I don’t see any notes for this in the docs; how or when should this be used, if at all?

thdxr
11/08/2021, 9:02 PM

thdxr
11/08/2021, 9:02 PM

Clayton
11/08/2021, 9:41 PM
`.attachPermissions` on other constructs (outside of Functions)?
And is the `.addPermission` method on Function ever applicable?

thdxr
11/08/2021, 9:52 PM
`.addPermission` is the same as specifying the `permissions: []` array when creating

thdxr
11/08/2021, 9:53 PM
`.attachPermissions` function - can you give me an example? I typically use the `grantX` to attach to a function

Clayton
11/08/2021, 9:59 PM
`.attachPermissions` I thought that was the main method to utilize since it’s the one listed in the Function and Permissions docs -
https://docs.serverless-stack.com/constructs/Function#attachpermissions
https://docs.serverless-stack.com/util/Permissions
Maybe I’m not following what you mean about using `grantX`; isn’t that the property option used inside the `permissions:` / `attachPermissions` array?

Frank
`.addPermission` is a native CDK method. And since `sst.Function` extends CDK’s `lambda.Function`, `.addPermission` is there, but you shouldn’t need to use it.
`.attachPermissions` provides a much simpler way to give permissions to a function. It can take `ALL` to grant administrator access; a string like `sns` to grant all permissions to all SNS topics; a string like `sns:PublishMessage` to grant publish permission to all SNS topics; a construct like `sst.Topic` to grant publish permission to the given SNS topic, etc., as described in the doc https://docs.serverless-stack.com/util/Permissions

Frank

thdxr
11/11/2021, 3:06 AM

Clayton
11/11/2021, 4:06 PM
`.attachPermissions` be used the same way against all SST constructs (e.g. Api, EventBus, KinesisStream) or is it primarily intended to be used with Functions?

Frank
`myFn.attachPermissions(["sns"])` allows you to make AWS SNS SDK calls

Frank
`.attachPermissions` idea doesn’t apply to other constructs.

Frank

Clayton
11/11/2021, 8:51 PM
`.attachPermissions` was doing under the hood making it applicable to things outside of Functions.
So, for example, if I had an EventBridge event bus that I wanted to be able to put events to a Kinesis Stream I could replace something like this -

    // imports assumed for context; SST 0.x of this period used the CDK v1 packages
    import * as sst from '@serverless-stack/resources';
    import * as iam from '@aws-cdk/aws-iam';

    const bus = new sst.EventBus(this, 'Bus');
    const stream = new sst.KinesisStream(this, 'Stream');
    // ...plus rule that connects bus to stream
    // ...roles & permissions to allow bus to access stream
    const busRole = new iam.Role(this, 'BusRole', {
      assumedBy: new iam.ServicePrincipal('events.amazonaws.com'),
    });
    busRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['kinesis:PutRecord', 'kinesis:PutRecords'],
        resources: [stream.streamArn],
      })
    );

with -

    // bus, stream and rule creation...
    // ...roles & permissions for bus to access stream
    bus.attachPermissions([
      [stream, 'grantWrite'],
    ]);

There’s a 100% chance I don’t understand the underlying permissions pieces yet — but trying to understand when / where I should use SST’s permissions conveniences vs doing something more explicitly via CDK.

Clayton
11/11/2021, 9:00 PM
`.attachPermissions` as an available method on other SST constructs, e.g. EventBus, KinesisStream, etc. Is it meant to do something different in those contexts?

Frank
`.attachPermissions` on other constructs grants the permission to the Functions we create within those constructs. For example, `bus.attachPermissions()` attaches the permissions to the Function targets it has.

Clayton
11/12/2021, 4:08 PM
`.attachPermissions` seems to be working correctly but I don’t see any functions involved.

Frank
`.attachPermissions` is only meaningful if you were using a function target.

Frank
`.attachPermissions` line.

Clayton
11/12/2021, 8:38 PM

Frank

Clayton
11/12/2021, 9:51 PM

Frank