Given the following definition

const table = /* table stack */

const api = new sst.Api(this, 'Api', {
  routes: {
    'GET /restaurants': {
      handler: `src/functions/get-restaurants.main`,
      environment: {
        RESTAURANTS_TABLE_NAME: table.dynamodbTable.tableName,
      },
    },
  },
})

I want to give that particular route only scan access to dynamodb. Is the code below correct or do I need to use to specify a complete IAM policy

api.attachPermissionsToRoute('GET /restaurants', [table, 'dynamodb:Scan'])

Also is it possible to specify permissions in-line with the route definition?

You are actually granting two permissions to the Lambda function: • table - this grants

dynamodb:*

to this table • dynamodb:Scan - this grants

dynamodb:Scan

to all tables

api.attachPermissionsToRoute('GET /restaurants', [table, 'dynamodb:Scan'])

Is it possible to specify this inline with the route definition?

good point. I was actually just thinking about this the other day.

Yep .. I'm trying to follow the principle of least privilege

Sounds good. Lemme give it some thoughts. Most likely I will put it into the next release or the one after.

Appreciate the help

Hey @Michael Wolfenden You can now set route

permissions

inline in v0.10.11. You can also configure

permission

inside

defaultFunctionProps

. And the default permissions will be merged with the route permissions if both are configured for a given route. Here are a couple of examples - https://docs.serverless-stack.com/constructs/Api#specifying-function-props-for-all-the-routes

@Frank you've made me a very happy man