
Document IAM requirements for lambda layer installation #203

Closed
@mwarkentin

Description

@mwarkentin

What were you initially searching for in the docs?
We would like a well-defined, least-privilege IAM policy to enable installing powertools as a lambda layer. We had to bungle through a few sets of errors in our build pipeline in order to get something working, and even so we have granted more permissions than we'd like to (trying to figure out how to scope it down safely without breaking things again).

Is this related to an existing part of the documentation? Please share a link

https://awslabs.github.io/aws-lambda-powertools-python/#lambda-layer

Provide a working policy (or at least a template where you could insert your own account id, etc.) for installation of the lambda layer.

If you have a proposed update, please share it here

Here's our current (working, but too powerful) IAM policy (in HCL but should be readable to anyone familiar with IAM policy structure):

```hcl
# The enclosing data source and its name are assumed for context; only the
# statements below were in the original issue.
data "aws_iam_policy_document" "powertools_layer_install" {
  statement {
    actions = [
      "cloudformation:CreateChangeSet",
    ]

    # Previously "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"
    resources = [
      "*",
    ]

    effect = "Allow"
    sid    = "CloudformationCreateChangeset"
  }

  statement {
    actions = [
      "serverlessrepo:CreateCloudFormationTemplate",
      "serverlessrepo:GetCloudFormationTemplate",
    ]

    # "*" ?
    resources = [
      "arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "GetCfnTemplate"
  }

  statement {
    actions = [
      "lambda:PublishLayerVersion",
    ]

    resources = [
      "*",
    ]

    effect = "Allow"
    sid    = "PublishLayers"
  }

  statement {
    actions = [
      "s3:GetObject",
    ]

    resources = [
      "arn:aws:s3:::*",
    ]

    effect = "Allow"
    sid    = "GetS3LambdaLayers"
  }
}
```
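As an added example (not part of the issue or of the powertools project), the same four statements expressed as an IAM JSON policy document, with a check that reports which statements still grant access on a wildcard resource and so are the candidates for scoping down. The statement contents are copied from the HCL above; the function names are the example's own.

```python
import json

# Same actions, resources, effects and Sids as the HCL policy in the issue,
# transcribed into IAM JSON statement form (constructed for this example).
ISSUE_STATEMENTS = [
    {"Sid": "CloudformationCreateChangeset", "Effect": "Allow",
     "Action": ["cloudformation:CreateChangeSet"],
     "Resource": ["*"]},
    {"Sid": "GetCfnTemplate", "Effect": "Allow",
     "Action": ["serverlessrepo:CreateCloudFormationTemplate",
                "serverlessrepo:GetCloudFormationTemplate"],
     "Resource": ["arn:aws:serverlessrepo:eu-west-1:057560766410:"
                  "applications/aws-lambda-powertools-python-layer"]},
    {"Sid": "PublishLayers", "Effect": "Allow",
     "Action": ["lambda:PublishLayerVersion"],
     "Resource": ["*"]},
    {"Sid": "GetS3LambdaLayers", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::*"]},
]


def to_policy_document(statements):
    """Wrap statements in a complete IAM policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def is_wildcard_resource(resource):
    """True for a bare "*" or an ARN whose resource part is only "*"
    (e.g. arn:aws:s3:::* covers every object in every bucket)."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    return len(parts) == 6 and parts[5] == "*"


def overly_broad_statements(statements):
    """Sids of Allow statements whose resource list contains a wildcard."""
    return [s["Sid"] for s in statements
            if s["Effect"] == "Allow"
            and any(is_wildcard_resource(r) for r in s["Resource"])]


if __name__ == "__main__":
    print(json.dumps(to_policy_document(ISSUE_STATEMENTS), indent=2))
    print("wildcard-resource statements:", overly_broad_statements(ISSUE_STATEMENTS))
```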

Labels: documentation