Document IAM requirements for lambda layer installation

[mwarkentin]

What were you initially searching for in the docs?
We would like a well-defined, least-privilege IAM policy to enable installing powertools as a lambda layer. We had to bungle through a few sets of errors in our build pipeline in order to get something working, and even so we have granted more permissions than we'd like to (trying to figure out how to scope it down safely without breaking things again).

Is this related to an existing part of the documentation? Please share a link

https://awslabs.github.io/aws-lambda-powertools-python/#lambda-layer

Provide a working policy (or at least a template where you could insert your own account id, etc) for installation of lambda layer.

If you have a proposed update, please share it here

Here's our current (working, but too powerful) IAM policy (in HCL but should be readable to anyone familiar with IAM policy structure):

statement {
    actions = [
      "cloudformation:CreateChangeSet",
    ]

    # Previously "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"
    resources = [
      "*",
    ]

    effect = "Allow"
    sid    = "CloudformationCreateChangeset"
  }

  statement {
    actions = [
      "serverlessrepo:CreateCloudFormationTemplate",
      "serverlessrepo:GetCloudFormationTemplate",
    ]

    # "*" ?
    resources = [
      "arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "GetCfnTemplate"
  }

  statement {
    actions = [
      "lambda:PublishLayerVersion",
    ]

    resources = [
      "*",
    ]

    effect = "Allow"
    sid    = "PublishLayers"
  }

  statement {
    actions = [
      "s3:GetObject",
    ]

    resources = [
      "arn:aws:s3:::*",
    ]

    effect = "Allow"
    sid    = "GetS3LambdaLayers"
  }

[heitorlessa]

Thanks for raising it @mwarkentin!

@am29d could you help Michael when you get a chance?

As it uses SAR for deployment it definitely needs more permissions than if it were a plain Lambda Layer ARN.

[mwarkentin]

Here's what we've got so far with more targetted wildcards, still working on the CreateChangeset bit:

  statement {
    actions = [
      "cloudformation:CreateChangeSet",
    ]

    resources = [
      "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31",
    ]

    effect = "Allow"
    sid    = "CloudformationCreateChangeset"
  }

  statement {
    actions = [
      "serverlessrepo:CreateCloudFormationTemplate",
      "serverlessrepo:GetCloudFormationTemplate",
    ]

    # Hardcoded reference from 
    # https://serverlessrepo.aws.amazon.com/applications/eu-west-1/057560766410/aws-lambda-powertools-python-layer
    resources = [
      "arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "GetCfnTemplate"
  }

  statement {
    actions = [
      "lambda:PublishLayerVersion",
    ]

    resources = [
      "arn:aws:lambda:us-east-1:${local.account_id}:layer:aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "PublishLayers"
  }

  statement {
    actions = [
      "s3:GetObject",
    ]

    # AWS publishes to an external S3 bucket locked down to our account ID
    # The below example is us publishing lambda powertools
    # Bucket: awsserverlessrepo-changesets-plntc6bfnfj
    # Key: *****/arn:aws:serverlessrepo:eu-west-1:057560766410:applications-aws-lambda-powertools-python-layer-versions-1.6.0/aeeccf50-****-****-****-*********
    resources = [
      "arn:aws:s3:::awsserverlessrepo-changesets-*/*",
    ]

    effect = "Allow"
    sid    = "GetS3LambdaLayers"
  }

[mwarkentin]

Looks like that works, so I think that's enough for us to remove any wide open wildcards. Would still be nice to have this documented for the lambda install. Feel free to take what we've got here and modify it for the docs if it helps!

[am29d]

Hi @mwarkentin, thank you for raising the issue. This is definitely something that needs to be documented and will save a lot of IAM pipeline debugging time for all of us. I will test your proposal and add it to the docs. Thank you.

[am29d]

@mwarkentin I have checked your permissions and added them to the docs, with a small change to replace the region within the resource statement of the PublishLayers sid. Thanks a lot for this contribution!

[mwarkentin]

Awesome, thanks!

[mwarkentin]

Fixed in #204