Description
What were you initially searching for in the docs?
We would like a well-defined, least-privilege IAM policy to enable installing powertools as a lambda layer. We had to bungle through a few sets of errors in our build pipeline in order to get something working, and even so we have granted more permissions than we'd like to (trying to figure out how to scope it down safely without breaking things again).
Is this related to an existing part of the documentation? Please share a link
https://awslabs.github.io/aws-lambda-powertools-python/#lambda-layer
Provide a working policy (or at least a template where you could insert your own account id, etc) for installation of lambda layer.
If you have a proposed update, please share it here
Here's our current (working, but too powerful) IAM policy (in HCL but should be readable to anyone familiar with IAM policy structure):
```hcl
# Wrapped in the aws_iam_policy_document data source the statements belong to;
# the data source name is a placeholder, the statements are the ones in use.
data "aws_iam_policy_document" "powertools_layer" {
  statement {
    actions = [
      "cloudformation:CreateChangeSet",
    ]
    # Previously "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"
    resources = [
      "*",
    ]
    effect = "Allow"
    sid    = "CloudformationCreateChangeset"
  }
  statement {
    actions = [
      "serverlessrepo:CreateCloudFormationTemplate",
      "serverlessrepo:GetCloudFormationTemplate",
    ]
    # "*" ?
    resources = [
      "arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer",
    ]
    effect = "Allow"
    sid    = "GetCfnTemplate"
  }
  statement {
    actions = [
      "lambda:PublishLayerVersion",
    ]
    resources = [
      "*",
    ]
    effect = "Allow"
    sid    = "PublishLayers"
  }
  statement {
    actions = [
      "s3:GetObject",
    ]
    resources = [
      "arn:aws:s3:::*",
    ]
    effect = "Allow"
    sid    = "GetS3LambdaLayers"
  }
}
```
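As an added example (not part of the issue or the Powertools project), the same four statements transcribed to IAM JSON, with a helper that substitutes an account id and region into narrower resource ARNs and a check that reports which statements still grant a bare wildcard resource. The transform ARN is the one the issue says it used previously; the `arn:aws:lambda:<region>:<account>:layer:*` pattern for PublishLayerVersion and the account id `123456789012` are assumptions, not a verified minimum.

```python
import copy

# The issue's current policy, constructed here as IAM JSON from the HCL above
# (the serverlessrepo application ARN is the one quoted in the issue).
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudformationCreateChangeset", "Effect": "Allow",
         "Action": ["cloudformation:CreateChangeSet"], "Resource": ["*"]},
        {"Sid": "GetCfnTemplate", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateCloudFormationTemplate",
                    "serverlessrepo:GetCloudFormationTemplate"],
         "Resource": ["arn:aws:serverlessrepo:eu-west-1:057560766410:"
                      "applications/aws-lambda-powertools-python-layer"]},
        {"Sid": "PublishLayers", "Effect": "Allow",
         "Action": ["lambda:PublishLayerVersion"], "Resource": ["*"]},
        {"Sid": "GetS3LambdaLayers", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"]},
    ],
}

# Narrower resource candidates keyed by Sid. The transform ARN comes from the
# issue's own comment; the layer ARN pattern is an assumption to be verified.
SCOPED_RESOURCES = {
    "CloudformationCreateChangeset":
        "arn:aws:cloudformation:{region}:aws:transform/Serverless-2016-10-31",
    "PublishLayers": "arn:aws:lambda:{region}:{account_id}:layer:*",
}


def scope_down(policy: dict, account_id: str, region: str) -> dict:
    # Return a copy with the Sids listed above narrowed to account/region ARNs.
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        tmpl = SCOPED_RESOURCES.get(stmt["Sid"])
        if tmpl:
            stmt["Resource"] = [tmpl.format(account_id=account_id, region=region)]
    return scoped


def wildcard_statements(policy: dict) -> list:
    # Sids whose Resource is "*" or whose resource segment is only "*"
    # (e.g. arn:aws:s3:::*); these are the ones still worth scoping.
    flagged = []
    for stmt in policy["Statement"]:
        for arn in stmt["Resource"]:
            parts = arn.split(":", 5)
            if arn == "*" or (len(parts) == 6 and parts[5] == "*"):
                flagged.append(stmt["Sid"])
                break
    return flagged
```

Running `wildcard_statements(scope_down(CURRENT_POLICY, "123456789012", "eu-west-1"))` leaves only `GetS3LambdaLayers` flagged, which matches the open question in the issue about which bucket the layer artifacts are read from.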