
Wrong IAM Policy generated by AWS SAM template

I am trying to build an AWS Lambda-based application with AWS SAM. During deployment, I noticed that one of the IAM policies created for the Lambda function has a wrong ARN, as you can see below (it is malformed):

{
    "Statement": [
        {
            "Action": [
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:ap-south-1:286214033472:table/arn:aws:dynamodb:ap-south-1:286214033472:table/damoLambda-DynamoDBTable-11I5VYQXQKPHH",
                "arn:aws:dynamodb:ap-south-1:286214033472:table/arn:aws:dynamodb:ap-south-1:286214033472:table/damoLambda-DynamoDBTable-11I5VYQXQKPHH/index/*"
            ],
            "Effect": "Allow"
        }
    ]
}

The DynamoDB table itself is created by the SAM template and referenced in the Lambda function's Policies section, as below:

  TestFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: FileExtractorFunction
      Handler: helloworld.App::handleRequest
      Runtime: java8
      MemorySize: 512
      Policies:
        - CloudWatchPutMetricPolicy: {}
        - S3ReadPolicy:
            BucketName: !Ref S3BucketName
        - DynamoDBWritePolicy:
            TableName: !GetAtt DynamoDBTable.Arn
      Environment:
        Variables:
          DynamoDB_Table_Name: !Ref DynamoDBTable

  ........................................
  ........................................
  ........................................
  DynamoDBTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH
      ProvisionedThroughput:
        ReadCapacityUnits: 5
        WriteCapacityUnits: 5

Apart from the Policies section, everything works as intended.
For the Policies section, I am not sure whether it is an AWS bug or whether I am doing something wrong.

I resolved it. It was just because I was using !GetAtt DynamoDBTable.Arn in place of !Ref DynamoDBTable in the Policies section:

 - DynamoDBWritePolicy:
    TableName: !Ref DynamoDBTable

It looks like the AWS SAM template engine is missing necessary validations and has a poor object model; !GetAtt DynamoDBTable.Arn should return an object of type ARN instead of just a string.
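The mechanism behind the answer, as an added example that is not part of the original post or of SAM itself: SAM's DynamoDBWritePolicy policy template splices whatever TableName resolves to verbatim after `table/` in an ARN pattern, so passing a full ARN (what `!GetAtt DynamoDBTable.Arn` yields) nests one ARN inside another, while `!Ref DynamoDBTable` yields the bare table name the template expects. The script below reproduces that expansion (the template shape is an assumption modelled on SAM's policy templates; the region and account id are constructed) and lints the rendered statement for resources that cannot match a real table. The practical point for a reviewer: the nested ARN matches no resource, so the function fails closed with AccessDenied rather than being over-granted, but the rendered policy, not the template, is what IAM evaluates, so a check on the rendered JSON is the place to catch both this and the opposite mistake (a `*` resource).

```python
import json
import re

# Shape of the Resource entries produced by SAM's DynamoDBWritePolicy.
# Assumption: modelled on the template in SAM's policy_templates.json, which
# substitutes the TableName value verbatim after "table/" via Fn::Sub.
DYNAMODB_WRITE_RESOURCE_TEMPLATES = (
    "arn:{partition}:dynamodb:{region}:{account}:table/{table_name}",
    "arn:{partition}:dynamodb:{region}:{account}:table/{table_name}/index/*",
)

# DynamoDB table and index names: 3-255 characters from [A-Za-z0-9_.-].
_NAME = r"[A-Za-z0-9_.\-]{3,255}"
DYNAMODB_TABLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):dynamodb:[a-z0-9\-]+:\d{12}:table/"
    rf"({_NAME})(?:/index/(?:{_NAME}|\*))?$"
)


def render_dynamodb_write_policy(table_name, region="ap-south-1",
                                 account="123456789012", partition="aws"):
    """Expand DynamoDBWritePolicy the way SAM does: TableName is treated as a
    bare table name and substituted into the ARN templates without validation.
    (region/account are constructed sample values.)"""
    subs = dict(partition=partition, region=region, account=account,
                table_name=table_name)
    return {
        "Statement": [{
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem",
                       "dynamodb:BatchWriteItem"],
            "Resource": [t.format(**subs) for t in DYNAMODB_WRITE_RESOURCE_TEMPLATES],
            "Effect": "Allow",
        }]
    }


def check_dynamodb_resources(policy):
    """Lint the Resource ARNs of a rendered IAM policy document.

    Returns a list of (resource, reason) pairs; an empty list means every
    resource is a well-formed DynamoDB table or index ARN."""
    problems = []
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*":
                problems.append((res, "wildcard resource: grants the actions on every table"))
            elif "/arn:" in res:
                # The tell-tale sign from the question: an ARN was passed where a
                # bare table name was expected, so one ARN is nested in another.
                problems.append((res, "nested ARN after 'table/': TableName received an ARN, not a name"))
            elif not DYNAMODB_TABLE_ARN_RE.match(res):
                problems.append((res, "not a well-formed DynamoDB table/index ARN"))
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the question: the table's ARN used as TableName.
    wrong = render_dynamodb_write_policy(
        "arn:aws:dynamodb:ap-south-1:123456789012:table/demo-table")
    right = render_dynamodb_write_policy("demo-table")  # what !Ref yields
    for label, pol in (("GetAtt .Arn", wrong), ("Ref", right)):
        print(label, json.dumps(pol["Statement"][0]["Resource"], indent=2))
        for res, why in check_dynamodb_resources(pol):
            print("  PROBLEM:", why)
```

Run the checker over the policy JSON shown in the question (or over the IAM policy documents in the template produced by `sam build`) rather than over the source template; the nested-ARN test flags the exact shape reported above, and the wildcard test catches the far more dangerous over-grant.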

The technical post webpages of this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM