Reputation: 21507
How to attach a managed policy to a lambda function in serverless framework
How can I attach a managed policy to a lambda function?
I tried:
provider:
name: aws
role: arn:aws:iam::aws:policy/AmazonCognitoReadOnly
But this resulted in the following error:
An error occurred while provisioning your stack: GaDashextractLambdaFunction - 1 validation error detected: Value 'arn:aws:iam::aws:policy/AmazonCognitoReadOnly' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@-_/]+.
Upvotes: 8
Views: 10092
Answers (2)
Reputation: 617
You can. Just provide the ARN in the ManagedPolicyArns of a Role resource.
Resources:
RoleName:
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
For policies applied to all functions:
provider:
name: aws
iamManagedPolicies:
- "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
Upvotes: 6
Reputation: 26031
Note the error -- it expects role instead of policy.
IAM Policies are documents that define permissions and can't be attached directly to lambda functions. Create an IAM Role and attach the managed policy to the role. Think of the role as a container for your policy; policies can't be attached directly to lambda functions, but roles can. You can freely attach and detach managed and inline policies to your roles.
Option 1: Fix this error from AWS Console with a pre-defined policy:
- Create a new IAM Role for your lambda function.
- During creation, attach the
AmazonCognitoReadOnlymanaged policy. - Replace the ARN in your
roledefinition with your new role's ARN.
Option 2: Define actions of AmazonCognitoReadOnly policy in serverless.yml:
This effectively converts the managed policy to an inline policy. Warning: this is untested.
provider:
...
iamRoleStatements:
- Effect: Allow
Action:
- cognito-identity:Describe*
- cognito-identity:Get*
- cognito-identity:List*
- cognito-idp:Describe*
- cognito-idp:AdminGetUser
- cognito-idp:List*
- cognito-sync:Describe*
- cognito-sync:Get*
- cognito-sync:List*
- iam:ListOpenIdConnectProviders
- iam:ListRoles
- sns:ListPlatformApplication
Resource: *
Further Reading:
- AWS Documentation - AWS Lambda Permissions Model
- AWS Documentation - Create the (IAM) Execution Role (Tutorial)
Upvotes: 4
Related Questions
- aws lambda function using serverless template of asp.net core
- Serverless Framework - Cannot generate IAM policy statement for Task state
- How can I provide resource-based policy in my lambda via serverles.yml?
- Setting up Lambda IAM Policy to access Cognito
- Authorization code grant in lambda AWS with Serverless Framework
- Lambda Policy Permissions: How to set Function Policy for lambda functions from AWS console?
- Lambda - How to create customer managed policy?
- Policy to allow lambda:InvokeFunction to an IAM Assumed Role
- The proper AWS managed policy to attach an IAM Role to execute Lambda Functions
- serverless.yml How to reference lambda function in Cognito Lambda Config