I’m not sure how to interpret this top-level IAM r...
# help
c
I’m not sure how to interpret this top-level IAM role statement from Serverless Framework ↓ How might something like this be reproduced in SST or CDK for a service? Thanks in advance for any help.
# serverless.yml

provider:
  name: aws
  iamRoleStatements:
    - Effect: Allow
      Action: cloudwatch:PutMetricData
      Resource: '*'
c
Thanks Frank, I’ll dig into that
One thing that threw me off was that the permission didn’t seem to be assigned to any resource - in Serverless Framework is a top-level statement like this implicitly applied to the function or all resources somehow?
o
SLS creates a role for that stack, and adds permissions to that role. Then all the functions in the stack run as that role. SLS also implicitly adds other permissions to that role for things like logging and tracing
c
Thanks @Omi Chowdhury
f
Yeah, if you want to assign a permission to all functions in the app you can do so inside app index:
app.setDefaultFunctionProps({
  permissions: [
    new iam.PolicyStatement({
      actions: ["cloudwatch:PutMetricData"],
      effect: iam.Effect.ALLOW,
      resources: ["*"],
    }),
  ],
});