Could not get the syntax of policy definition in SAM template resource(serverless function)
Question
Policy definition of AWS managed policy ( AWSLambdaExecute ) is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "logs:*" ],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [ "s3:GetObject", "s3:PutObject" ],
"Resource": "arn:aws:s3:::*"
}
]
}
But the AWS_documentation gives a sample serverless function using the same policy name AWSLambdaExecute , as shown below:
Type: AWS::Serverless::Function
Properties:
Handler: index.js
Runtime: nodejs8.10
CodeUri: 's3://my-code-bucket/my-function.zip'
Description: Creates thumbnails of uploaded images
MemorySize: 1024
Timeout: 15
Policies:
- AWSLambdaExecute # Managed Policy
- Version: '2012-10-17' # Policy Document
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:GetObjectACL
Resource: 'arn:aws:s3:::my-bucket/*'
that does not match with the above definition.
Edit:
Below is the sample function's execution role... I do not see AWS mananged execution role names(such as AWSLambdaBasicExecutionRole ). Because my understanding is, AWSLambdaBasicExecutionRole role should be assigned to Lambda, by default
Are we overriding the policy definition of AWSLambdaExecute in this example?
3 answers
solution1
2 ACCPTED 2019-07-14 16:33:06
When you are specifying policies, you are basically building an execution role your lambda function.
Policies is a list of policies because role can include multiple policies in it.
This line
- AWSLambdaExecute # Managed Policy
states that the lambda function that you are creating should include this AWS managed policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [ "logs:*" ],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [ "s3:GetObject", "s3:PutObject" ],
"Resource": "arn:aws:s3:::*"
}
]
}
Following lines:
- Version: '2012-10-17' # Policy Document
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:GetObjectACL
Resource: 'arn:aws:s3:::my-bucket/*'
are specifying next policy that you want to include in your lambda execution role.
Are we overriding the policy definition of AWSLambdaExecute in this example?
No, we are adding multiple policies to lambda execution role, one of them is AWS managed policy and one is our own custom policy. So the lambda function will have permissions defined in both of them. Or more precisely, union of those policies will be made and lambda function will have permissions defined by that union, meaning that if one of the policies allows lambda function to do something and the other denies the same thing, the result will be that the action will be denied.
solution2
1 2019-07-14 16:37:50
I think what your Policies attribute does, is:
- attaches the managed policy AWSLambdaExecute and then
- creates an inline policy for your execution role which grants the s3 permissions s3:GetObject and s3:PutObject . There is another SO post which indicates that SAM now supports defining inline policies. [1]
Defining inline policies does not overwrite anything. You can have multiple different types of policies attached to a single identity (eg IAM user or role). [2]
References
[1] https://stackoverflow.com/a/52719165/10473469
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
solution3
0 2021-03-04 17:14:04
Here's my preferred approach (omitting other fields for clarity):
MyLambdaFunction:
Type: 'AWS::Serverless::Function'
Properties:
Policies:
- CloudWatchLambdaInsightsExecutionRolePolicy # AWS Managed Policy
- AWSXrayWriteOnlyAccess # AWS Managed Policy
- AWSLambdaExecute # AWS Managed Policy
- Version: '2012-10-17' # Policy Document to allow S3 access
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:GetObjectACL
Resource: 'arn:aws:s3:::my-bucket/*'
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.