rubyonjets/jets

Unclear on permissions required in IAMPolicy

Closed this issue · 1 comment

iqre8 commented

When creating an AWS Lambda function with a custom IAM policy, CloudFormation seems to fail to create/update the function.
In my case I have added the following policy:

class MyController < ApplicationController
  # Controller-level IAM policy, attached to the role of this controller's Lambda function
  iam_policy(
    version: "2012-10-17",
    statement: [{
      action: ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      effect: "Allow",
      resource: ["arn:aws:s3:::mybucket/*", "arn:aws:s3:::mybucket"]
    }]
  )

  def create
    ...
  end
end

I used the minimal IAM Policy CLI specified for deployment.
In my understanding this is used to create IAM roles for AWS Lambda functions. It seems to allow both "s3:" as well as "iam:".
This puzzles me as to why the creation of the Lambda function with a custom IAM role fails.

Motivation

Additional IAM Permissions seems to indicate the permissions might not be sufficient; however, it's unclear what might be needed.

Suggestion

An example might help other developers.

iqre8 commented

Moving it from the function to the application-wide config seems to help.
I now have the following in config/application.rb:

# config/application.rb: application-wide IAM policy applied to every function's role
Jets.application.configure do
  config.iam_policy = [
    {
      # Object-level actions are scoped to the objects under the bucket
      action: ["s3:GetObject", "s3:PutObject"],
      effect: "Allow",
      resource: ["arn:aws:s3:::s3bucketforshorturls/*"]
    },
    {
      # ListBucket is a bucket-level action, so it is scoped to the bucket ARN itself
      action: ["s3:ListBucket"],
      effect: "Allow",
      resource: ["arn:aws:s3:::s3bucketforshorturls"]
    }
  ]
end

Am still looking for the correct way to do a curl POST request with data. I get no error in my dev environment, but doing the same command on AWS I seem to see no messages in the CloudWatch logs. Also trying to figure out how to send the params in API Gateway. Would be nice to see how to use the test functions there.
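As an added example (my own code, not part of the Jets project or the poster's app), the following Ruby lints an `iam_policy` array in the shape Jets uses above for the resource-scoping point the working config illustrates: `s3:ListBucket` must target the bucket ARN, while `s3:GetObject`/`s3:PutObject` must target an object ARN (`bucket/*`), and a single statement that mixes both levels is flagged so it can be split the way the second comment does. It also converts the symbol-keyed Jets statements into a standard IAM policy document so the rendered JSON can be compared with what lands on the Lambda role. The function names `lint_s3_policy`, `to_policy_document` and `arn_level` and the sample policies are my own assumptions, not Jets APIs.

```ruby
require "json"

# S3 actions that act on the bucket itself: the Resource must be the bucket ARN.
BUCKET_LEVEL_ACTIONS = %w[s3:ListBucket s3:ListBucketVersions s3:GetBucketLocation].freeze
# S3 actions that act on objects: the Resource must be an object ARN (bucket/key or bucket/*).
OBJECT_LEVEL_ACTIONS = %w[s3:GetObject s3:PutObject s3:DeleteObject s3:GetObjectVersion].freeze

S3_ARN = %r{\Aarn:aws:s3:::([^/*]+)(?:/(.+))?\z}

# Classify an S3 ARN as :bucket (arn:aws:s3:::name), :object (arn:aws:s3:::name/...)
# or :unknown (anything else, including a bare "*" wildcard).
def arn_level(arn)
  m = S3_ARN.match(arn.to_s)
  return :unknown unless m
  m[2] ? :object : :bucket
end

# Check each statement (Jets-style hash with :action/:effect/:resource keys) and return
# an array of human-readable problems. An empty array means the scoping is consistent.
def lint_s3_policy(statements)
  problems = []
  statements.each_with_index do |st, i|
    actions   = Array(st[:action])
    resources = Array(st[:resource])
    levels    = resources.map { |r| arn_level(r) }

    problems << "statement #{i}: wildcard or non-S3 resource #{resources.inspect}" if levels.include?(:unknown)

    actions.each do |a|
      if BUCKET_LEVEL_ACTIONS.include?(a) && !levels.include?(:bucket)
        problems << "statement #{i}: #{a} needs a bucket ARN (arn:aws:s3:::bucket), got #{resources.inspect}"
      elsif OBJECT_LEVEL_ACTIONS.include?(a) && !levels.include?(:object)
        problems << "statement #{i}: #{a} needs an object ARN (arn:aws:s3:::bucket/*), got #{resources.inspect}"
      end
    end

    # Mixing both levels in one statement works in IAM, but each action only ever matches
    # one of the ARNs; splitting the statement keeps the grant readable and least-privilege.
    if (actions & BUCKET_LEVEL_ACTIONS).any? && (actions & OBJECT_LEVEL_ACTIONS).any?
      problems << "statement #{i}: mixes bucket-level and object-level actions; split into two statements"
    end
  end
  problems
end

# Render the Jets-style statements as a standard IAM policy document (capitalised keys).
def to_policy_document(statements, version: "2012-10-17")
  {
    "Version"   => version,
    "Statement" => statements.map do |st|
      {
        "Effect"   => st[:effect],
        "Action"   => Array(st[:action]),
        "Resource" => Array(st[:resource])
      }
    end
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the split policy from the second comment.
  policy = [
    { action: ["s3:GetObject", "s3:PutObject"], effect: "Allow", resource: ["arn:aws:s3:::s3bucketforshorturls/*"] },
    { action: ["s3:ListBucket"], effect: "Allow", resource: ["arn:aws:s3:::s3bucketforshorturls"] }
  ]
  puts lint_s3_policy(policy).empty? ? "policy scoping OK" : lint_s3_policy(policy).join("\n")
  puts JSON.pretty_generate(to_policy_document(policy))
end
```

Run it on the `config.iam_policy` array before deploying; an empty problem list plus the rendered JSON gives a concrete document to compare against the role CloudFormation actually created.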