# general
s
just a pro-tip for those who are creating an SST app from scratch or migrating from Serverless Framework: when adding permissions, do so in very small bits, incrementally. if you add a bunch and then deploy, and there’s a cyclic reference error, it’ll take a lot more time to figure out.
t
A workflow I sometimes use is to not add any permissions, then let the errors tell me which permissions to add
s
yeah, I usually do that too. although since this is an SLS migration, I already know what everything needs. the thing is, I was sloppy with SLS and hardcoded some ARNs here & there for policies 😅 so now I’m doing it the right way with 100% references
I ran into a cyclic issue where there’s a Lambda used in a Step Function, but then that function needs permission to send task success/failure to the Step Function it’s part of.
still trying to sort it out
this is the best I came up with. it’s not great though
// Grant the Lambda the Step Functions callback actions, scoped to a single state machine.
// The ARN is built as a string rather than referenced from the state machine construct,
// so CloudFormation sees no dependency edge back to the state machine (which is what caused the cycle).
cleanupFunc.attachPermissions([
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
      'states:SendTaskSuccess',
      'states:SendTaskFailure',
      'states:SendTaskHeartbeat',
    ],
    resources: [
      `arn:aws:states:${stack.region}:${stack.account}:stateMachine:audio-processor-${stack.stage}`,
    ],
  }),
]);
a
Wow, your permissions look clean.
My permissions are just
permissions: ['ssm'],
and so on 😂
@Sam Hulick you define each specific scope for each service?
s
ah yeah 😄 always best to be super specific and limiting with permissions. it’s in the IAM best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege
a
I agree, I've been doing lazy mode for so long, might be time to do it right.
Thanks for the link, going to check it.
s
but I love how easy SST makes permissions, like when creating Lambda functions:
// Each entry is [construct, grant method]: read-only on the upload bucket, put-only on the storage bucket
permissions: [
  [props!.uploadBucket.s3Bucket, 'grantRead'],
  [props!.storageBucket.s3Bucket, 'grantPut'],
],