# help
f
Hey all, I am migrating some code over from localstack. One issue I am having is that the Lambda functions I have created in SST do not have the correct `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. I ran `aws configure` in the command line and set both of these; however, when I print the environment in my lambda function, the values inside the lambda function seem to differ. If I try to explicitly pass the correct values into the lambda function environment, I get the following (expected) error:
Resource handler returned message: "Lambda was unable to configure your environment variables because the environment variables you have provided contains reserved keys that are currently not supported for modification. Reserved keys used in this request: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY"
Could someone explain how I could possibly pass the correct access key and id to my lambda function?
a
This is expected with SST. Lambdas use their own role's AWS credentials and not your locally configured ones. This has A LOT of benefits, namely that your lambda is testing the permissions that are defined in CDK and not your (typically) admin credentials. So when you deploy the lambda fully you can be sure that the permissions will work.
If you want your lambda to access something it doesn't have access to then just define it in CDK and give it access to the AWS resource.
f
Ok thanks @Akos that makes sense. I will give it a go and hopefully get this sorted
a
Most of the CDK constructs have some kind of a `grant` method that you can use. For example with DynamoDB:
```ts
// Grant the function's execution role read (or read/write) access to the table.
sstTable.dynamodbTable.grantReadData(lambda);
sstTable.dynamodbTable.grantReadWriteData(lambda);
```
Where sstTable is the SST Table construct: https://docs.serverless-stack.com/constructs/Table
Or you can just drop down to manually assign any permission you want, here's an example:
```ts
// Attach an inline IAM statement to the function's execution role.
lambda.addToRolePolicy(
  new iam.PolicyStatement({
    sid: 'MyDescribeEventsPermission',
    effect: iam.Effect.ALLOW,
    actions: ['events:DescribeEventBus'],
    resources: [
      // Scoped to event buses in the deploying account and region.
      cdk.Fn.sub('arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/*'),
    ],
  })
);
```
f
Thanks a lot @Akos - I am basically trying to give my lambda functions access to the SSM store.
The way I attempted it is as follows:
```ts
myLambdaFunction.attachPermissions(['ssm']);
```
Would this work? I tried following the docs here: https://docs.serverless-stack.com/design-principles#attaching-permissions
a
Do you want to give it permission to read all parameters in SSM?
CDK has a construct for a StringParameter that has an explicit `grantRead` on it: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ssm.StringParameter.html#grantwbrreadgrantee
But I think `myLambdaFunction.attachPermissions(['ssm'])` will work 👍 Give it a try!
f
Yes thank you. I will give it a shot!
f
@Akos Thanks for chiming in!
@Fazi just wanted to add you can also provide the `permissions` when defining the Function:
```ts
new sst.Function(this, "MyFn", {
  handler: "...",
  // Grants the function's role access to the SSM service.
  permissions: ["ssm"],
});
```
or to all functions in, e.g., an Api inside `defaultFunctionProps`.
f
Thanks @Frank!