
how to connect a serverless client with a given AWS Lambda function

I have a question about how to connect a serverless client with a given AWS Lambda function.

I'm building a system that provides the developers with a cloud-based dev environment. It provides the serverless dev environment built atop the AWS Lambda and DynamoDB services.

Some developers ask me about how to use the serverless framework in the given environment. Because of the company's security policy, I can't grant Admin authority to the developers, so they find it difficult to perform the sls deploy cmd that requires CRUD authority in the IAM service.

I've tried connecting the serverless client with the AWS Lambda provided by my system without executing the deploy cmd. But all failed. It requires me to execute the sls deploy cmd before the deploy function cmd.

Is there any way to connect a serverless client with a given AWS Lambda function? If there is a best practice for granting the minimized authority, please give me a suggestion.

Thank you in advance.

First of all you will need to set up different groups with dedicated security groups granting rights to your users. Here's a CloudFormation template for instance (it references the default OrganizationAccountAccessRole but you might/should create your own with minimal access):

Resources:
  # ADMIN QA
  AssumeAdministratorQARolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "AdminQA"
      Description: "Assume the qa administrative role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: "AssumeAdministratorQARolePolicy"
          Effect: "Allow"
          Action:
          - "sts:AssumeRole"
          Resource: "arn:aws:iam::ACCOUNTID:role/OrganizationAccountAccessRole"

  AdminQAGroup:
    Type: AWS::IAM::Group
    Properties: 
      GroupName: AdminQA
      ManagedPolicyArns: 
        - !Ref AssumeAdministratorQARolePolicy

  AdminQAUsersToGroup:
    Type: AWS::IAM::UserToGroupAddition
    Properties: 
      GroupName: !Ref AdminQAGroup
      Users: 
        - MYUSER

Then MYUSER might use this Role through his .aws/credentials like

[default]
aws_access_key_id = KEY
aws_secret_access_key = SECRET

[qa]
role_arn = arn:aws:iam::ACCOUNTID:role/OrganizationAccountAccessRole
source_profile = default

Once again, you might update OrganizationAccountAccessRole to your very own Role. Finally, during deployment you might use this profile with:

serverless deploy --stage qa --aws-profile qa

Which I recommend setting in package.json directly.

Hope this helps and clarifies how you should grant rights and access through the whole deployment process.
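As an added check, not code from the original answer: a Python script that takes the assume-role policy and the credentials profile from the answer (ACCOUNTID, KEY and SECRET kept as placeholders) and verifies that the qa profile chains from static keys to a role the policy actually allows, while flagging wildcard resources or the org-wide admin role that the answer says you should replace with a scoped one.

```python
import configparser
# Constructed sample: the managed policy from the CloudFormation template
# above, as the JSON document IAM evaluates (ACCOUNTID is a placeholder).
ASSUME_QA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AssumeAdministratorQARolePolicy", "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Resource": "arn:aws:iam::ACCOUNTID:role/OrganizationAccountAccessRole"}]}

# Constructed sample of MYUSER's ~/.aws/credentials from the answer.
CREDENTIALS_TEXT = """
[default]
aws_access_key_id = KEY
aws_secret_access_key = SECRET
[qa]
role_arn = arn:aws:iam::ACCOUNTID:role/OrganizationAccountAccessRole
source_profile = default
"""
def _as_list(value):
    return value if isinstance(value, list) else [value]

def assumable_roles(policy):
    """Role ARNs the policy's Allow statements let the user assume."""
    roles = set()
    for stmt in policy["Statement"]:
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") == "Allow" and actions & {"sts:assumerole", "sts:*", "*"}:
            roles.update(_as_list(stmt.get("Resource", [])))
    return roles

def lint_policy(policy):
    """Least-privilege findings: wildcard resources, or the org admin role."""
    findings = []
    for arn in assumable_roles(policy):
        if "*" in arn:
            findings.append(f"wildcard role resource: {arn}")
        elif arn.endswith("/OrganizationAccountAccessRole"):
            findings.append(f"admin role, replace with a scoped deploy role: {arn}")
    return findings

def check_profile(credentials_text, profile, policy):
    """Does the profile chain to static keys and a role the policy allows?"""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    section = cfg[profile]
    source = section.get("source_profile", "")
    if source not in cfg or "aws_access_key_id" not in cfg[source]:
        return False, f"source_profile {source!r} has no static credentials"
    arn = section.get("role_arn", "")
    if arn not in assumable_roles(policy):
        return False, f"policy does not allow assuming {arn}"
    return True, "ok"
```

Run lint_policy on the template's policy before you hand it to developers; once you swap in a scoped deploy role, re-run check_profile so the role_arn in each developer's profile still matches what the group policy permits.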

