User permissions
23ewrdtf opened this issue · 2 comments
23ewrdtf commented
What are the exact permissions needed for `npm run deploy` to work? A user with AdministratorAccess has too much access.

When I run `npm run deploy` with the permission below, I get:

```
User: arn:aws:iam::xxxxxxxx:user/xxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxx:role/xxxxxxxx
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:CreateFunction"
      ],
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME"
    }
  ]
}
```
23ewrdtf commented
I think I figured this out.

- Create a policy with the JSON below:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "lambda:GetFunction",
          "lambda:CreateFunction",
          "lambda:InvokeFunction",
          "lambda:UpdateAlias",
          "lambda:CreateAlias",
          "lambda:GetFunctionConfiguration",
          "lambda:AddPermission",
          "lambda:UpdateFunctionCode"
        ],
        "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "iam:PassRole",
          "iam:ListRoles"
        ],
        "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_CREATED_IN_NEXT_POINT"
      }
    ]
  }
  ```

- Create a role and attach the above policy and the AWSLambdaBasicExecutionRole policy.
- Create a new user and attach the above policy to it.
KingBain commented
This is what worked for me:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:CreateFunction",
        "lambda:InvokeFunction",
        "lambda:UpdateAlias",
        "lambda:CreateAlias",
        "lambda:GetFunctionConfiguration",
        "lambda:AddPermission",
        "lambda:ListEventSourceMappings",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:ListRoles"
      ],
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_CREATED_IN_TUTORIAL"
    }
  ]
}
```
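Added example, not part of the thread or of the project's own code: a small Python check run over the deploy policy posted in the comments above. It flags the two grants a least-privilege review would look at first, the `function:*` resource and an `iam:PassRole` statement with no `iam:PassedToService` condition. The function names and finding strings are hypothetical, and `SCOPED_POLICY` is a constructed variant used for comparison.

```python
import json

# Policy as posted in the thread (REGION, ACCOUNT_ID and the role name are the thread's placeholders).
THREAD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["lambda:GetFunction", "lambda:CreateFunction", "lambda:InvokeFunction",
              "lambda:UpdateAlias", "lambda:CreateAlias", "lambda:GetFunctionConfiguration",
              "lambda:AddPermission", "lambda:UpdateFunctionCode"],
   "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:*"},
  {"Effect": "Allow", "Action": ["iam:PassRole", "iam:ListRoles"],
   "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_CREATED_IN_NEXT_POINT"}
]}""")

# Constructed variant: one named function, PassRole usable only when the role goes to Lambda.
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["lambda:GetFunction", "lambda:UpdateFunctionCode"],
   "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME"},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_CREATED_IN_NEXT_POINT",
   "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}
]}""")

def as_list(value):
    # IAM JSON allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        resources = as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if any(r == "*" or r.endswith(":function:*") for r in resources):
            findings.append((i, "resource covers every function"))
        if "iam:passrole" in actions:
            passed_to = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
            if passed_to is None or as_list(passed_to) != ["lambda.amazonaws.com"]:
                findings.append((i, "iam:PassRole not limited by iam:PassedToService"))
            if any("*" in r for r in resources):
                findings.append((i, "iam:PassRole on wildcard role"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(THREAD_POLICY):
        print(f"Statement {index}: {finding}")
```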