schickling/chromeless

AWS Lambda permissions

Closed this issue · 0 comments

xdamman commented

It's a nightmare isn't it?

Well, yes. Just wasted an hour with that.
So, here is what I ended up doing, this may save you one hour:

Go to https://console.aws.amazon.com/iam/home#/policies and click on "Create policy" then on "Create Your Own Policy" and copy paste the below JSON.
Replace:

  • <account_no> with your account number
    You can find it within the "Users" section, then click on your user and grab the number (only the numbers) within the string User ARN
  • <aws_bucket_name>
  • us-east-1 with your region

Once saved, click on "Users" or go to https://console.aws.amazon.com/iam/home#/users
Click on your user and click on "Add permissions", select "Attach existing policies directly" and select the new policy you just created and click on "Next: review".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:Describe*",
                "cloudformation:List*",
                "cloudformation:Get*",
                "cloudformation:PreviewStackUpdate",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:<account_no>:stack/chromeless-serverless-dev*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<aws_bucket_name>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<aws_bucket_name>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:us-east-1:<account_no>:log-group::log-stream:*"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:us-east-1:<account_no>:log-group:/aws/lambda/chromeless-serverless-dev*:log-stream:*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<account_no>:role/chromeless-serverless-dev*-lambdaRole"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:us-east-1::/restapis",
                "arn:aws:apigateway:us-east-1::/restapis/*",
                "arn:aws:apigateway:us-east-1::/apikeys",
                "arn:aws:apigateway:us-east-1::/apikeys/*",
                "arn:aws:apigateway:us-east-1::/usageplans",
                "arn:aws:apigateway:us-east-1::/usageplans/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:UpdateFunctionConfiguration",
                "lambda:UpdateFunctionCode",
                "lambda:ListVersionsByFunction",
                "lambda:PublishVersion",
                "lambda:CreateAlias",
                "lambda:DeleteAlias",
                "lambda:UpdateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:<account_no>:function:chromeless-serverless-dev*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:Put*",
                "events:Remove*",
                "events:Delete*",
                "events:Describe*"
            ],
            "Resource": "arn:aws:events::<account_no>:rule/chromeless-serverless-dev*"
        }
    ]
}

(json inspired by serverless/serverless#1439 (comment))

Improvements suggestions welcome!