Is there a way to explicitly set the PolicyStateme...
# help
d
Is there a way to explicitly set the PolicyStatement in the permissions prop for a function?
permissions: [
  [eventsBucket, 'headObject', 'getObject'],
  [
    new iam.PolicyStatement({
      actions: ['ssm:*'],
      effect: iam.Effect.ALLOW,
      resources: [`arn:aws:ssm:${REGION}:${ACCOUNT_ID}:parameter${SSM_HUBSPOTAPIKEY}`],
    }),
  ],
],
…this does not work. In this case, do we have to use…
fun.attachPermissions([
 new iam.PolicyStatement({
   actions: ["execute-api:Invoke"],
   effect: iam.Effect.ALLOW,
   resources: [
     `arn:aws:execute-api:${region}:${account}:${api.httpApiId}/*`,
   ],
 }),
]);
t
I think if you remove the array around the policy statement it should work
d
@thdxr ya… seems like it might…. but then my 1st permission is linting wrong…
saying that getObject is Type 'string' is not assignable to type 'undefined'.
maybe you can’t mix and match those two types of permissions?
short and long form?
t
I'm not familiar with that first form, I don't think that is supposed to work
[resource, "functionCallOnResource"] is supported
d
oh… so it should be…
?
t
I don't think those work either. We only support functions that exist on eventsBucket
d
oh? you mean CDK object functions? I thought it was the policy names?
odd that this was working as is and was not erroring out. It’s only now, with the addition of the SSM stuff, that it is failing
need to read up on what grantRead does in CFN template
ah…
Permits an IAM principal all data read operations from this table: BatchGetItem, GetRecords, GetShardIterator, Query, GetItem, Scan.
would have been cool to have the shorthand I was expecting though 😄